Hi all, longtime lurker, first time poster (in this thread, anyway).
Thanks to @fohdeesha and the immense amount of knowledge found in this thread by numerous contributors, I bought 4x 6610s last year to replace the crappy Cisco SG200/SG220s we have at work. I've been taking my time with the migration as it's my first time working with such powerful devices and I want to make sure I've got everything covered. My goal is to offload inter-VLAN routing from pfSense onto the 6610s (via a transit VLAN).
I want to share a small discovery I made today in hopes of making these switches friendlier to newcomers like me.
One of my biggest challenges was managing ACLs through the CLI. I'm used to centrally managing firewall rules through a web panel, so having a non-visual interface takes some getting used to. Some of my concerns & questions were:
- How can I add/modify/remove a single ACL entry in an access-list?
- How can I reorder ACLs in an access-list?
- How can I write ACLs more efficiently? Is there an equivalent to pfSense's IP/Port aliases?
This is where Brocade Network Advisor comes in. Now I know it's EOL, but it's still quite a valuable tool for someone like me as it answers all the questions above. BNA is probably nothing new to the experienced out there, yet it's barely mentioned in this thread apart from @Jason Antes bringing it up in April 2021 and last week. I think it deserves some recognition even if it's mostly archaic and superseded by Ruckus.
One of the greatest features in BNA is the fact that you can create Networks, Network Groups, Services and Service Groups. These are basically an alternative to pfSense's aliases, and they're extremely useful when writing ACLs for several domain networks. You can even include Groups in Groups, equivalent to referencing an alias inside another alias in pfSense. Just this feature alone avoids having to repeat yourself, thus avoiding mistakes when writing ACLs for dozens of networks with similar rules. I've read through the documentation provided by Ruckus, and there's no way to replicate this functionality through the CLI (as far as I can tell).
For example, I want to create a single Service Group for all Active Directory Domain Controller ports. Here are a few screenshots to showcase the process. Service ports are protocol-specific; however, you will still have to create separate ACLs for TCP and UDP. The final screenshot will show you how every individual entry gets created automagically with only 1-2 entries created in BNA.
For anyone interested, the version I have found online is 14.2.12 (IP only, no SAN support) and it doesn't require a paid licence. I've deployed this particular version without issue.
I hope this helps someone out there!
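An added example, not code from the post above and not part of BNA: a small Python generator that does the same alias expansion the post credits BNA with (Networks, Network Groups, Services and Service Groups, with groups nested inside groups) and emits one FastIron extended ACL entry per service/source/destination combination, TCP and UDP as separate entries. The alias names, addresses and the subset of domain-controller ports are constructed sample data, and the `ip access-list extended` / `sequence N permit ...` syntax is an assumption to check against the Ruckus ACL guide for your FastIron release before pasting the output into a switch.

```python
"""Expand pfSense-style aliases into Brocade/Ruckus FastIron extended ACL lines.

Added example, not from the original post or from BNA.  Groups may nest;
duplicates reached by two paths are emitted once; a group that contains
itself raises.  ACL syntax, addresses and ports are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Service:
    proto: str              # "tcp" or "udp"
    lo: int                 # single port, or first port of a range
    hi: int | None = None   # last port of a range, None for a single port


# Constructed sample aliases (assumption: not the poster's real networks).
NETWORKS = {
    "mgmt": IPv4Network("10.10.0.0/24"),
    "clients-a": IPv4Network("10.20.0.0/24"),
    "clients-b": IPv4Network("10.21.0.0/24"),
    "dc1": IPv4Network("10.10.0.10/32"),
    "dc2": IPv4Network("10.10.0.11/32"),
}
NETWORK_GROUPS = {
    "clients": ["clients-a", "clients-b"],
    "domain-controllers": ["dc1", "dc2"],
    "ad-clients": ["clients", "mgmt"],        # a group inside a group
}

# A subset of the commonly cited domain-controller ports, as sample data.
SERVICES = {
    "dns-tcp": Service("tcp", 53),      "dns-udp": Service("udp", 53),
    "kerberos-tcp": Service("tcp", 88), "kerberos-udp": Service("udp", 88),
    "ldap-tcp": Service("tcp", 389),    "ldap-udp": Service("udp", 389),
    "smb": Service("tcp", 445),
    "rpc-epm": Service("tcp", 135),
    "rpc-dynamic": Service("tcp", 49152, 65535),
}
SERVICE_GROUPS = {
    "dns": ["dns-tcp", "dns-udp"],
    "kerberos": ["kerberos-tcp", "kerberos-udp"],
    "ldap": ["ldap-tcp", "ldap-udp"],
    "msrpc": ["rpc-epm", "rpc-dynamic"],
    "ad-dc": ["dns", "kerberos", "ldap", "smb", "msrpc"],   # nested groups
}


def expand(name: str, leaves: dict, groups: dict[str, list[str]],
           path: tuple = ()) -> list:
    """Resolve an alias to its leaf members, depth-first, in definition order."""
    if name in leaves:
        return [leaves[name]]
    if name not in groups:
        raise KeyError(f"unknown alias {name!r}")
    if name in path:                       # cycle guard: a group containing itself
        raise ValueError("alias cycle: " + " -> ".join(path + (name,)))
    out: list = []
    for member in groups[name]:
        for item in expand(member, leaves, groups, path + (name,)):
            if item not in out:            # same leaf via two groups: emit once
                out.append(item)
    return out


def addr(net: IPv4Network) -> str:
    """FastIron address syntax: 'host A.B.C.D' or 'network wildcard-mask'."""
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def port_clause(svc: Service) -> str:
    """Destination-port match: 'eq N' for one port, 'range LO HI' for a range."""
    return f"eq {svc.lo}" if svc.hi is None else f"range {svc.lo} {svc.hi}"


def build_acl(acl_name: str, src_group: str, dst_group: str, svc_group: str,
              start: int = 10, step: int = 10) -> list[str]:
    """Emit a named extended ACL, one entry per (service, source, destination).

    Sequence numbers are spaced by `step` so a single entry can later be added,
    removed or moved by number instead of retyping the list (assumption: the
    FastIron release in use accepts 'sequence N' inside named ACLs).
    """
    lines = [f"ip access-list extended {acl_name}"]
    seq = start
    for svc in expand(svc_group, SERVICES, SERVICE_GROUPS):
        for src in expand(src_group, NETWORKS, NETWORK_GROUPS):
            for dst in expand(dst_group, NETWORKS, NETWORK_GROUPS):
                lines.append(f" sequence {seq} permit {svc.proto} {addr(src)} "
                             f"{addr(dst)} {port_clause(svc)}")
                seq += step
    return lines


if __name__ == "__main__":
    print("\n".join(build_acl("AD-CLIENTS-TO-DC", "ad-clients",
                              "domain-controllers", "ad-dc")))
```

With the sample data this yields 54 entries (9 services x 3 source networks x 2 controllers), which is the kind of repetition the post is describing; change one port in `SERVICES` or add a network to a group and every affected entry is regenerated. The output is permit entries only, relying on the ACL's implicit deny at the end, so add an explicit final deny yourself if you want it logged.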