February 11th, 2024 08:17
DELL OS10 Vlans ACL or Portchannel ACL

Hi All.
I have a dell switch S4148T. In the configuration are defined multiple vlans.
The switch has trunk port for all vlans to connect vmware esxi node.
Routing mode is enabled.

Example vlan and routing

SW# show ip route
Codes: C - connected
       S - static
       B - BGP, IN - internal BGP, EX - external BGP, EV - EVPN BGP
       O - OSPF, IA - OSPF inter area, N1 - OSPF NSSA external type 1,
       N2 - OSPF NSSA external type 2, E1 - OSPF external type 1,
       E2 - OSPF external type 2, * - candidate default,
       + - summary route, > - non-active route
Gateway of last resort is via 10.1.0.253 to network 0.0.0.0
  Destination                 Gateway                                        Dist/Metric       Last Change
----------------------------------------------------------------------------------------------------------
  *S    0.0.0.0/0           via 10.1.0.253           vlan1                   1/0               24 weeks 5 days 05:12:16
  C     10.1.0.0/16         via 10.1.0.245           vlan1                   0/0               24 weeks 5 days 05:11:45
  C     10.100.20.0/23      via 10.100.21.250        vlan20                  0/0               24 weeks 5 days 05:11:43
  C     10.100.110.0/24     via 10.100.110.214       vlan110                  0/0               24 weeks 5 days 05:11:43
  C     10.100.30.0/24      via 10.100.30.214        vlan30                  0/0               24 weeks 5 days 05:11:43
  C     10.100.50.0/24      via 10.100.50.244        vlan50                  0/0               24 weeks 5 days 05:11:43


The physical link to the ESXi node is made with a port-channel (two interfaces, eth1 and eth2) in trunk mode for all VLANs. Tagging is applied by the VMware vSwitch.

In this situation, is it possible to apply ACLs to limit some addresses/ports on each VLAN? Multiple ACLs for different VLANs?

Is it better to make a single ACL and apply it to the single port-channel or Ethernet interface?
Example:
allow tcp/53, udp/53 to hosts 10.100.20.233, 10.100.20.234 from all VLANs
deny tcp/3389 to any host from all VLANs except VLAN 110.
...

I understand that applying an ACL to a VLAN is effectively the same thing as applying the ACL to all ports that belong to that VLAN.

Thanks for support.

Max

Moderator

February 12th, 2024 13:41

Hello, I think yes, it's possible to apply ACLs to limit some addresses/ports on each VLAN. You can also have multiple ACLs for different VLANs. An example of how you might configure ACLs:

! Enter global configuration mode
configure terminal

! Create an ACL named PORT-CHANNEL1-ACL
ip access-list PORT-CHANNEL1-ACL

! Allow TCP and UDP traffic on port 53 to hosts 10.100.20.233 and 10.100.20.234 from all VLANs
seq 10 permit tcp any host 10.100.20.233 eq 53
seq 20 permit udp any host 10.100.20.233 eq 53
seq 30 permit tcp any host 10.100.20.234 eq 53
seq 40 permit udp any host 10.100.20.234 eq 53

! Deny TCP traffic on port 3389 to any host from all VLANs except VLAN 110.
! Entries are evaluated first match wins, so the VLAN 110 exemption must come before the deny.
! VLAN 110 is identified by its subnet 10.100.110.0/24 (see the routing table above).
seq 45 permit tcp 10.100.110.0/24 any eq 3389
seq 50 deny tcp any any eq 3389

! Allow everything else; without this entry the ACL's implicit deny at the end drops all other traffic
seq 60 permit ip any any

! Exit the ACL configuration mode
exit

! Assign the ACL to the port-channel 1 interface in the inbound direction
interface port-channel 1
ip access-group PORT-CHANNEL1-ACL in

! Assign the ACL to the VLAN 1 interface in the outbound direction
interface vlan 1
ip access-group PORT-CHANNEL1-ACL out

Hope that helps!
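The point that decides whether the policy above works is evaluation order: an ordered ACL is checked top to bottom, the first matching entry wins, and anything that matches nothing is dropped by the implicit deny. The following is an added example (not Dell code and not from either post) that models that first-match behaviour in Python for the policy discussed in this thread: DNS to the two hosts, RDP denied except from VLAN 110, everything else permitted. VLAN 110 is identified by its subnet 10.100.110.0/24 from the routing table in the question; the packets and the host addresses inside the VLAN 30 and VLAN 50 subnets are constructed for the demonstration. The `build_acl` helper lets the VLAN 110 exemption be placed before the deny (seq 45), after it (seq 55), or omitted, so the effect of ordering is visible.

```python
"""First-match evaluation of an ordered IP ACL, modelled on the OS10 entries
discussed in this thread. Added example, not Dell code. Packet samples below
are constructed from the thread's subnets."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")


def net(s: str) -> ipaddress.IPv4Network:
    """Parse a prefix or a single host ('host 10.100.20.233' becomes a /32)."""
    return ipaddress.ip_network(s, strict=False)


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                       # "permit" or "deny"
    proto: str                        # "tcp", "udp" or "ip" (ip matches any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None       # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


def matches(e: Entry, p: Packet) -> bool:
    """Does entry e match packet p? Every field of the entry must agree."""
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if ipaddress.ip_address(p.src) not in e.src:
        return False
    if ipaddress.ip_address(p.dst) not in e.dst:
        return False
    if e.dport is not None and e.dport != p.dport:
        return False
    return True


def evaluate(acl: List[Entry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, seq) of the first matching entry in seq order.
    (deny, None) stands for the implicit deny at the end of every ACL."""
    for e in sorted(acl, key=lambda e: e.seq):
        if matches(e, pkt):
            return e.action, e.seq
    return "deny", None


def build_acl(exempt_seq: Optional[int]) -> List[Entry]:
    """The thread's policy. exempt_seq places the VLAN 110 RDP permit at that
    sequence number (45 = before the deny, 55 = after it); None omits it."""
    acl = [
        Entry(10, "permit", "tcp", ANY, net("10.100.20.233/32"), 53),
        Entry(20, "permit", "udp", ANY, net("10.100.20.233/32"), 53),
        Entry(30, "permit", "tcp", ANY, net("10.100.20.234/32"), 53),
        Entry(40, "permit", "udp", ANY, net("10.100.20.234/32"), 53),
        Entry(50, "deny", "tcp", ANY, ANY, 3389),
        Entry(60, "permit", "ip", ANY, ANY),
    ]
    if exempt_seq is not None:
        # VLAN 110 is 10.100.110.0/24 per the routing table in the question
        acl.append(Entry(exempt_seq, "permit", "tcp", net("10.100.110.0/24"), ANY, 3389))
    return acl


# Constructed sample traffic: hosts are assumed addresses inside the thread's subnets
RDP_FROM_VLAN110 = Packet("tcp", "10.100.110.5", "10.100.30.20", 3389)
RDP_FROM_VLAN30 = Packet("tcp", "10.100.30.7", "10.100.50.10", 3389)
DNS_FROM_VLAN30 = Packet("udp", "10.100.30.7", "10.100.20.234", 53)
SSH_FROM_VLAN30 = Packet("tcp", "10.100.30.7", "10.100.50.10", 22)


if __name__ == "__main__":
    for label, seq in (("exemption before deny", 45), ("exemption after deny", 55), ("no exemption", None)):
        print(f"{label}: RDP from VLAN 110 ->", evaluate(build_acl(seq), RDP_FROM_VLAN110))
    print("DNS from VLAN 30 ->", evaluate(build_acl(45), DNS_FROM_VLAN30))
    print("RDP from VLAN 30 ->", evaluate(build_acl(45), RDP_FROM_VLAN30))
    no_final_permit = [e for e in build_acl(45) if e.seq != 60]
    print("SSH with no 'permit ip any any' ->", evaluate(no_final_permit, SSH_FROM_VLAN30))
```

Running it shows the two failure modes a practitioner checks for before applying an ACL to the port-channel: with the exemption placed after the deny (seq 55) it never fires, because seq 50 already matched, and with the final `permit ip any any` removed, unrelated traffic such as SSH falls through to the implicit deny. The same first-match logic is what the switch applies inbound on port-channel 1, where the source subnet is the only thing that tells the VLANs apart once the frames have arrived tagged from the vSwitch.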
