[f-nsp] Inbound only ACL's
Loopback EZ
loopback at ezxyz.com
Wed May 5 18:47:09 EDT 2010
As you know, many of the newer Brocade products only offer inbound
ACLs. When applying some recently I ran into results that I did not
expect and was hoping for some help. I am applying these to the VE
entity that is associated with the VLAN, and my goal is to isolate that
VLAN except for a few hosts and services. My understanding is that when
considering ACLs, you should place yourself within the router when
evaluating the inbound vs. outbound traffic flow. In this case I am the
VE 50 inside of the router, so I would assume that my "incoming" should
be the packets that do not have my subnet source address. Which of the
two ACL lists is correct for this application? Is there a better way to
do this?
I am attempting to allow two host addresses to access 50 from subnets 8
and 6 and all of the 18 subnet to access subnet 50. The goal is to also
restrict any hosts on 50 from initiating a connection to anything
other than the two hosts and the single subnet.
List applied at VE:

interface ve 50
 ip address 10.4.50.1/24
 ip access-group SubNet-50 in

List Trial ONE:

ip access-list extended SubNet-50
 permit ip 10.4.50.0/24 host 10.4.8.5
 permit ip 10.4.50.0/24 host 10.4.6.9
 permit ip 10.4.50.0/24 10.4.18.0/24

List Trial Two:

ip access-list extended SubNet-50
 permit ip host 10.4.8.5 10.4.50.0/24
 permit ip host 10.4.6.9 10.4.50.0/24
 permit ip 10.4.18.0/24 10.4.50.0/24
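Added example, not part of the original post: a small Python model of how an inbound ACL on a VE evaluates traffic, run over the two trial lists above. It assumes the usual VE semantics, that the "in" direction filters packets the router receives from hosts on that VLAN, and the sample flows are constructed.

```python
import ipaddress
TRIAL_ONE = """
permit ip 10.4.50.0/24 host 10.4.8.5
permit ip 10.4.50.0/24 host 10.4.6.9
permit ip 10.4.50.0/24 10.4.18.0/24
"""
TRIAL_TWO = """
permit ip host 10.4.8.5 10.4.50.0/24
permit ip host 10.4.6.9 10.4.50.0/24
permit ip 10.4.18.0/24 10.4.50.0/24
"""

def _prefix(tokens, i):
    """Consume one address spec ('host A', 'any', or 'A/len'); return (network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    return ipaddress.ip_network(tokens[i], strict=False), i + 1

def parse_acl(text):
    """Parse 'permit|deny ip <src> <dst>' lines into (action, src_net, dst_net) tuples."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0] not in ("permit", "deny") or tokens[1] != "ip":
            continue
        src, i = _prefix(tokens, 2)
        dst, _ = _prefix(tokens, i)
        aces.append((tokens[0], src, dst))
    return aces

def evaluate(aces, src, dst):
    """First matching entry wins; an extended ACL ends in an implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in aces:
        if s in src_net and d in dst_net:
            return action
    return "deny"

def inbound_on_ve(acl_text, ve_subnet, packets):
    """'in' on a VE filters packets the router receives from that VLAN, so only flows
    sourced in the VE's subnet are evaluated; others enter elsewhere and are 'not seen'."""
    aces = parse_acl(acl_text)
    net = ipaddress.ip_network(ve_subnet, strict=False)
    return {(s, d): evaluate(aces, s, d) if ipaddress.ip_address(s) in net else "not seen"
            for s, d in packets}

# Constructed sample flows: two from a VLAN 50 host, one from the 8 subnet toward 50.
SAMPLE = [("10.4.50.20", "10.4.8.5"), ("10.4.50.20", "10.4.9.9"), ("10.4.8.5", "10.4.50.20")]
```

Because the inbound ACL on VE 50 only sees traffic sourced from the 50 subnet, traffic from the other subnets toward 50 is not filtered here; with inbound-only ACLs it has to be permitted or denied on the VE where it enters, and stateless entries there must also allow the return half of any flow permitted from 50.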