with the help of a stranger on the internet, anything is possibleHow do I do "this" ? ...... Brocade 6450 ........ I would like to set up Brocade 6450's Port 20 to be a port that only has LAN access but no WAN access. So that way, whatever I plug in there will be on the LAN, but cannot have any internet access.
Is this possible?
enable conf t ##create a new ip ACL called nowan ip access-list extended nowan #start adding rules, in this order. Order of these commands matters! #this assumes your local subnet is 192.168.1.0/24 & the drac IP is 192.168.1.199 #replace the IP in each command with the IP of your drac #only allow traffic FROM drac IP if it's to local subnet permit ip host 192.168.1.199 192.168.1.0/24 deny ip host 192.168.1.199 any ##only allow traffic TO drac IP if it's from local subnet permit ip 192.168.1.0/24 host 192.168.1.199 deny ip any host 192.168.1.199 #finally, let everything else through as normal and exit ACL config permit ip any any exit #apply the rule list to the VE 1 interface, in the inbound direction (from the pov of the VE int) int ve 1 ip access-group nowan in exit write mem
In an ACL list, packets come into the switch, and it attempts to match the packet to rules in the list one by one, starting at the top. The first rule it matches, it does what that rules says (allow or deny)
In the ACL rule entry, the first ip/host is the packet source, and the second is the packet destination.
So let's say your DRAC tries to ping a local machine of 192.168.1.5. The switch will start trying to match it in our list of rules, starting at the top:
(action) (source) (destination) permit ip host 192.168.1.199 192.168.1.0/24 deny ip host 192.168.1.199 any permit ip 192.168.1.0/24 host 192.168.1.199 deny ip any host 192.168.1.199 permit ip any any
the first rule matches any packet with a source of 192.168.1.199 (the drac IP) and a destination of any IP in the subnet (like the 192.168.1.5 you're pinging), so the packet gets matched to this first rule. The rule is a "permit" so the switch lets the traffic through
Now let's say the DRAC tries to ping an internet IP of 188.8.131.52 - it won't match the first rule, because the destination of the packet is outside the specified subnet. It will however get matched to the second rule, because the packet SOURCE is still the DRAC IP, and now the packet destination of 184.108.40.206 matches the "destination any" of the second rule. This rule is a deny, so the packet gets dropped.
The next 2 rules are essentially the same, but blocking traffic in the other direction - external IP's trying to get to the DRAC
Finally, for regular traffic, it won't match any of the first 4 rules because it does not have a destination or source of the DRAC IP, so it matches the last rule, which is a permit
The "ip access-group nowan in" applies that list to the VE 1 interface on the IN direction - you can also apply ACL's to interfaces on outbound, but depending on your ACL rule types, they might need to be flipped around, since the VE will now be matching traffic from it's outbound point of view. It's typically best practice to do what you can to keep ACL's on inbound only - for a few reasons, a big one being the packets get dropped before they make the ASIC work to do forwarding & routing lookups, etc. This doesn't matter at all in typical applications, but if you start to push the linerate of an ASIC it can start to save a little capacity. As long as all your traffic is going through the VE (or whatever interface) in one way or another, you can usually accomplish whatever you need on inbound only