Help with conditional routing and/or ACLs

snadam

Post by snadam »

I have a routing question that has me stumped. I'm fairly new to the Alcatel OS family of devices so I very well may be overlooking something obvious. I'll try to provide enough info without giving so much that it confuses the situation. If I leave something out please don't hesitate to ask. Thanks in advance for any input you're able to provide.

My network consists of four VLANs:
VLAN01 - 10.1.1.0 / 24
VLAN02 - 10.1.2.0 / 24
VLAN03 - 10.1.3.0 / 24
VLAN11 - 10.1.11.0 / 24

- Each VLAN has an IP interface (x.x.x.1)
- All interfaces are forwarding traffic so at the moment all hosts on all VLANs can reach all other VLANs.

Question: I want to allow routing between VLAN01 and VLAN11, VLAN02 to reach VLAN11, and VLAN03 to reach VLAN11, but prevent VLAN01, VLAN02, and VLAN03 from reaching each other. How do I accomplish this?

Thank you,
Adam
silvio
Alcatel Unleashed Certified Guru
Posts: 2111
Joined: 01 Jul 2008 10:51
Location: Germany

Post by silvio »

You need to deny the traffic like this:

policy condition V1-V2 source vlan 1 destination vlan 2
policy action DENY disposition deny
policy rule V1-V2 condition V1-V2 action DENY
qos apply

Play with this.
Regards, Silvio
snadam

Post by snadam »

Thanks Silvio, your input really helped. After reading the OS CLI Reference document sections on Policy Conditions, Actions and Rules I think I know what to do. Below is what I plan to add to my switch config, please tell me if it looks correct.

POLICY ACTION DENY DISPOSITION DENY
-
POLICY CONDITION VLAN01-TO-VLAN02 SOURCE VLAN 1
POLICY CONDITION VLAN01-TO-VLAN02 DESTINATION VLAN 2

POLICY CONDITION VLAN01-TO-VLAN03 SOURCE VLAN 1
POLICY CONDITION VLAN01-TO-VLAN03 DESTINATION VLAN 3

POLICY CONDITION VLAN02-TO-VLAN01 SOURCE VLAN 2
POLICY CONDITION VLAN02-TO-VLAN01 DESTINATION VLAN 1

POLICY CONDITION VLAN02-TO-VLAN03 SOURCE VLAN 2
POLICY CONDITION VLAN02-TO-VLAN03 DESTINATION VLAN 3

POLICY CONDITION VLAN03-TO-VLAN01 SOURCE VLAN 3
POLICY CONDITION VLAN03-TO-VLAN01 DESTINATION VLAN 1

POLICY CONDITION VLAN03-TO-VLAN02 SOURCE VLAN 3
POLICY CONDITION VLAN03-TO-VLAN02 DESTINATION VLAN 2
-
POLICY RULE DENY-VLAN01-TO-VLAN02 CONDITION VLAN01-TO-VLAN02 ACTION DENY
POLICY RULE DENY-VLAN01-TO-VLAN03 CONDITION VLAN01-TO-VLAN03 ACTION DENY
POLICY RULE DENY-VLAN02-TO-VLAN01 CONDITION VLAN02-TO-VLAN01 ACTION DENY
POLICY RULE DENY-VLAN02-TO-VLAN03 CONDITION VLAN02-TO-VLAN03 ACTION DENY
POLICY RULE DENY-VLAN03-TO-VLAN01 CONDITION VLAN03-TO-VLAN01 ACTION DENY
POLICY RULE DENY-VLAN03-TO-VLAN02 CONDITION VLAN03-TO-VLAN02 ACTION DENY
silvio
Alcatel Unleashed Certified Guru
Posts: 2111
Joined: 01 Jul 2008 10:51
Location: Germany

Post by silvio »

Hi,
some mistakes:
First, one mistake in my example: on the 6850 it isn't possible to use the VLAN for the destination in a condition. But you can use the network for the destination.

Best way for this: create network groups:
policy network group VLAN01 10.1.1.0 mask 255.255.255.0
policy network group VLAN02 10.1.2.0 mask 255.255.255.0
policy network group VLAN03 10.1.3.0 mask 255.255.255.0
policy network group VLAN11 10.1.11.0 mask 255.255.255.0

For what you want, the condition must include both source and destination:
POLICY CONDITION VLAN02-TO-VLAN01 SOURCE VLAN 2 DESTINATION network group VLAN01
POLICY CONDITION VLAN02-TO-VLAN03 SOURCE VLAN 2 DESTINATION network group VLAN03
POLICY CONDITION VLAN03-TO-VLAN01 SOURCE VLAN 3 DESTINATION network group VLAN01
POLICY CONDITION VLAN03-TO-VLAN02 SOURCE VLAN 3 DESTINATION network group VLAN02

The rules are fine.
At the end a "qos apply" is necessary.

regards
Silvio
snadam

Post by snadam »

*** I EDITED THIS POST TO FIX PROBLEMS POINTED OUT BY SILVIO IN A SUBSEQUENT POST. ***
Silvio et al.,
The documentation that ships with the 6850 and the internal CLI command reference would lead me to believe that I can use the DESTINATION VLAN as a condition. However, as you posted, when I try to issue the command the switch rejects it. So how would someone like me, a new user, know ahead of time that the 6850 does not support that command? Is there a CLI reference document that accurately explains the available commands on the 6850?

Below, I updated the commands to reflect your suggestions. I also changed the source condition to use the NETWORK GROUP argument in order to 'standardize' on one method.

-> POLICY ACTION DENY DISPOSITION DENY
-
-> POLICY NETWORK GROUP VLAN01-NG 10.1.1.0 MASK 255.255.255.0
-> POLICY NETWORK GROUP VLAN01-NG 10.37.67.0 MASK 255.255.255.0
-> POLICY NETWORK GROUP VLAN02-NG 10.1.2.0 MASK 255.255.255.0
-> POLICY NETWORK GROUP VLAN03-NG 10.1.3.0 MASK 255.255.255.0
-> POLICY NETWORK GROUP VLAN011-NG 10.1.11.0 MASK 255.255.255.0
-
-> POLICY CONDITION VLAN01-TO-VLAN02 SOURCE NETWORK GROUP VLAN01-NG DESTINATION NETWORK GROUP VLAN02-NG
-> POLICY CONDITION VLAN01-TO-VLAN03 SOURCE NETWORK GROUP VLAN01-NG DESTINATION NETWORK GROUP VLAN03-NG
-> POLICY CONDITION VLAN02-TO-VLAN01 SOURCE NETWORK GROUP VLAN02-NG DESTINATION NETWORK GROUP VLAN01-NG
-> POLICY CONDITION VLAN02-TO-VLAN03 SOURCE NETWORK GROUP VLAN02-NG DESTINATION NETWORK GROUP VLAN03-NG
-> POLICY CONDITION VLAN03-TO-VLAN01 SOURCE NETWORK GROUP VLAN03-NG DESTINATION NETWORK GROUP VLAN01-NG
-> POLICY CONDITION VLAN03-TO-VLAN02 SOURCE NETWORK GROUP VLAN03-NG DESTINATION NETWORK GROUP VLAN02-NG
-
-> POLICY RULE DENY-VLAN01-TO-VLAN02 CONDITION VLAN01-TO-VLAN02 ACTION DENY
-> POLICY RULE DENY-VLAN01-TO-VLAN03 CONDITION VLAN01-TO-VLAN03 ACTION DENY
-> POLICY RULE DENY-VLAN02-TO-VLAN01 CONDITION VLAN02-TO-VLAN01 ACTION DENY
-> POLICY RULE DENY-VLAN02-TO-VLAN03 CONDITION VLAN02-TO-VLAN03 ACTION DENY
-> POLICY RULE DENY-VLAN03-TO-VLAN01 CONDITION VLAN03-TO-VLAN01 ACTION DENY
-> POLICY RULE DENY-VLAN03-TO-VLAN02 CONDITION VLAN03-TO-VLAN02 ACTION DENY

-> QOS APPLY
silvio
Alcatel Unleashed Certified Guru
Posts: 2111
Joined: 01 Jul 2008 10:51
Location: Germany

Post by silvio »

Docu: you can find the docu at the link in benny's signature.
For example the CLI docu: http://enterprise.alcatel-lucent.com/pr ... os_cli.pdf

Your condition isn't okay - see my last post: you need source and destination in the same condition.

Regards, Silvio
matiasniosi

Post by matiasniosi »

I have a similar problem. I have 4 VLANs (v1, v2, v3, v4). And I want to isolate v1 from the rest. Is there a simple way to block inter-VLAN traffic for VLAN v1, or do I have to define a condition for each other VLAN?

Something like this:

policy network group VLAN01 10.1.1.0 mask 255.255.255.0
POLICY CONDITION VLAN01-TO-ANY SOURCE VLAN 1 DESTINATION (not network group VLAN01)
POLICY RULE DENY-VLAN01-TO-ANY CONDITION VLAN01-TO-ANY ACTION DENY

Is there a way to use the opposite condition for the destination, instead of matching each VLAN (v2, v3, v4): match all except v1 in one step?
snadam

Post by snadam »

Thanks Silvio.

Matiasniosi,
If you simply want to isolate VLAN01 from all others you can disable forwarding altogether... Would that work for your application, or do you need VLAN01 traffic to get somewhere other than the other three you listed?

Adam
silvio
Alcatel Unleashed Certified Guru
Posts: 2111
Joined: 01 Jul 2008 10:51
Location: Germany

Post by silvio »

Hi Matiasniosi,
there are some ways to isolate VLAN 1 from all the rest:
- Easiest is that there isn't any IP interface for VLAN 1. Then no routing to the other interfaces is possible.
- If you need an IP interface in VLAN 1, then you can disable routing for this interface (like snadam has written) with the command
-> ip interface IF-1 no forward
- Third way is to use policies like you have suggested. I would prefer using precedence, for example:
policy network group VLAN01 10.1.1.0 mask 255.255.255.0
POLICY CONDITION VLAN01-TO-ANY SOURCE VLAN 1
POLICY CONDITION VLAN01-TO-VLAN01 SOURCE VLAN 1 DESTINATION network group VLAN01
POLICY ACTION DENY disposition deny
POLICY ACTION ALLOW
POLICY RULE ALLOW-VLAN01-TO-VLAN01 CONDITION VLAN01-TO-VLAN01 precedence 20 ACTION ALLOW
POLICY RULE DENY-VLAN01-TO-ANY CONDITION VLAN01-TO-ANY precedence 10 ACTION DENY
QOS APPLY
Because both conditions match traffic from VLAN 1, you can allow the intra-VLAN traffic with the higher precedence.

Regards, Silvio
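As an added illustration (not code from this thread or from Alcatel-Lucent), here is a small Python model of the network group / condition / rule / precedence mechanism used in snadam's final configuration and in Silvio's precedence example above, so a rule set can be checked offline before it is typed into the switch and "qos apply" is issued. It assumes, as the thread describes, that the matching rule with the highest precedence wins and that traffic matched by no rule is forwarded.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Condition:              # one POLICY CONDITION; None means "not part of the condition"
    src_vlan: int = None      # SOURCE VLAN n
    src_group: str = None     # SOURCE NETWORK GROUP name
    dst_group: str = None     # DESTINATION NETWORK GROUP name (the 6850 cannot match DESTINATION VLAN)

@dataclass
class Rule:                   # one POLICY RULE
    name: str
    condition: Condition
    action: str               # "allow" or "deny" (POLICY ACTION ... DISPOSITION DENY)
    precedence: int = 0       # higher precedence is evaluated first

@dataclass
class Policy:
    groups: dict = field(default_factory=dict)   # POLICY NETWORK GROUP name -> list of networks
    rules: list = field(default_factory=list)

    def _in_group(self, name, ip):
        return any(ipaddress.ip_address(ip) in net for net in self.groups[name])

    def _matches(self, c, src_vlan, src_ip, dst_ip):
        return ((c.src_vlan is None or c.src_vlan == src_vlan)
                and (c.src_group is None or self._in_group(c.src_group, src_ip))
                and (c.dst_group is None or self._in_group(c.dst_group, dst_ip)))

    def decide(self, src_vlan, src_ip, dst_ip):
        # Assumption: the first match in descending precedence wins; unmatched traffic is forwarded.
        for r in sorted(self.rules, key=lambda r: r.precedence, reverse=True):
            if self._matches(r.condition, src_vlan, src_ip, dst_ip):
                return r.action
        return "allow"

def snadam_policy():
    """snadam's final six DENY rules: VLAN01/02/03 cannot reach each other, VLAN11 stays reachable."""
    p = Policy(groups={f"VLAN{v:02}-NG": [ipaddress.ip_network(f"10.1.{v}.0/24")] for v in (1, 2, 3, 11)})
    for s, d in [(s, d) for s in (1, 2, 3) for d in (1, 2, 3) if s != d]:
        cond = Condition(src_group=f"VLAN{s:02}-NG", dst_group=f"VLAN{d:02}-NG")
        p.rules.append(Rule(f"DENY-VLAN{s:02}-TO-VLAN{d:02}", cond, "deny"))
    return p

def silvio_isolation_policy():
    """silvio's precedence trick: deny everything from VLAN 1 except traffic staying inside VLAN 1."""
    p = Policy(groups={"VLAN01": [ipaddress.ip_network("10.1.1.0/24")]})
    p.rules.append(Rule("ALLOW-VLAN01-TO-VLAN01", Condition(src_vlan=1, dst_group="VLAN01"), "allow", 20))
    p.rules.append(Rule("DENY-VLAN01-TO-ANY", Condition(src_vlan=1), "deny", 10))
    return p
```

Running the model also makes a property of the precedence variant visible: it only filters traffic sourced from VLAN 1, so a host in VLAN 2 can still send to VLAN 1 and the isolation relies on VLAN 1 never being able to answer. If that matters in your design, add the matching rules for the other direction as snadam did.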
matiasniosi

Post by matiasniosi »

silvio wrote: Hi Matiasniosi,
there are some ways to isolate VLAN 1 from all the rest:
- Easiest is that there isn't any IP interface for VLAN 1. Then no routing to the other interfaces is possible.
- If you need an IP interface in VLAN 1, then you can disable routing for this interface (like snadam has written) with the command
-> ip interface IF-1 no forward
- Third way is to use policies like you have suggested. I would prefer using precedence, for example:
policy network group VLAN01 10.1.1.0 mask 255.255.255.0
POLICY CONDITION VLAN01-TO-ANY SOURCE VLAN 1
POLICY CONDITION VLAN01-TO-VLAN01 SOURCE VLAN 1 DESTINATION network group VLAN01
POLICY ACTION DENY disposition deny
POLICY ACTION ALLOW
POLICY RULE ALLOW-VLAN01-TO-VLAN01 CONDITION VLAN01-TO-VLAN01 precedence 20 ACTION ALLOW
POLICY RULE DENY-VLAN01-TO-ANY CONDITION VLAN01-TO-ANY precedence 10 ACTION DENY
QOS APPLY
Because both conditions match traffic from VLAN 1, you can allow the intra-VLAN traffic with the higher precedence.

Regards, Silvio

Thanks Silvio!