
Brocade ICX Series (cheap & powerful 10gbE/40gbE switching)


sic0048

Active Member
Dec 24, 2018
201
150
43
I guess the question would be why is permit ip any any necessary at the end?
Which packet is it allowing which is not handled by the first 3 lines?
This is more of a "how do rules work" question than a technical problem. As such, I think you need to do more research about what you are trying to accomplish.

This leads me to my next question - why are you even trying to set the switch up as a layer 3 device? I would recommend that you stop attempting this and instead set up your firewall/router in a "router on a stick" scheme. This way you will let your firewall/router manage the VLANs and the firewall rules, DHCP services, etc, etc. Let the switch act as a "layer 2" device (ie don't attempt to put VLAN management, ACL rules, DHCP, etc on the switch itself). Using a "router on a stick" design is generally easier to grasp and execute for the non-IT professional. For a typical home network there is going to be little to no speed difference between setting the switch up as a layer 2 device (using the router on a stick design) and as a true layer 3 device - especially if you give a little thought to what devices you put into each VLAN and try to minimize cross VLAN traffic.
 

Serveur

New Member
Nov 20, 2025
12
1
3
I was trying to use the good practice:
Permit what you explicitly want to allow
Deny everything else.
So the goal was to avoid having this permit ip any any

As for why, well one reason is to learn and the others is to have more control of the network.
I have a number of devices that I would like to properly isolate:
  • camera that should not go on internet and should only be queried by my server
  • door monitor that should only be connected to the corresponding doorbell camera
  • work from home laptops which should only have access to internet and not any other devices
  • IoT sensors which may communicate with one another and with internet (depending on the situation)
I don't think that I will manage to achieve a fine control without ACL rules.
And as I said the point was to learn.
 

kpfleming

Well-Known Member
Dec 28, 2021
475
250
63
Pelham NY USA
I have a number of devices that I would like to properly isolate:
  • camera that should not go on internet and should only be queried by my server
  • door monitor that should only be connected to the corresponding doorbell camera
  • work from home laptops which should only have access to internet and not any other devices
  • IoT sensors which may communicate with one another and with internet (depending on the situation)
All of this can be done on the router that handles your connectivity between VLANs (subnets), except for intra-VLAN traffic between devices on the same VLAN. Controlling that traffic does require the use of ACLs on the ICX device, but they can be layer 2 (MAC) ACLs. There's a lot to learn here and it would be useful if you reviewed the various sections of this monster thread to see examples of various types of ACLs.
 

sic0048

Active Member
Dec 24, 2018
201
150
43
I was trying to use the good practice:

So the goal was to avoid having this permit ip any any
I get that, but the fact that your system only works when you added the "allow all" rule obviously means that something is "wrong" with your rules. Perhaps they are set as incoming rules when they should be outgoing rules or vice versa or perhaps you need a mixture of both. There is no right or wrong answer to give you because everyone is trying to accomplish different things with their rules. Unfortunately this means you simply can't copy a set of rules that someone else uses in their setup.

Long story short however, you are obviously not permitting what you think you are permitting with the rules and it is only the "allow all" rule that is actually making things work. This is why you need to go back and read up more about the rules - especially the difference between incoming and outgoing rules. I suspect this is where the confusion lies (it's a hard topic to grasp).
 

Serveur

New Member
Nov 20, 2025
12
1
3
I thought that I understood it after someone explained that it is counter-intuitive: the "in" rules are applied to requests coming from the VLAN to the VE.
As the VLAN devices have 192.168.10.x IP addresses, I thought I covered all cases and I didn't need permit ip any any.
But perhaps I misunderstood this "counter-intuitive" explanation?
 

Serveur

New Member
Nov 20, 2025
12
1
3
Ok I activated the logs (pretty awesome feature by the way) and immediately understood the issue.

Here is the standard ACL for those who want a VLAN whose devices are allowed to go on internet, but cannot access other VLANs (but can be reached from other VLANs).

Code:
ip access-list extended "vlan10 internet only IN"
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp 192.168.10.0 0.0.0.255 host 192.168.178.1 eq dns
permit tcp 192.168.10.0 0.0.0.255 host 192.168.178.1 eq dns
permit icmp 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 echo-reply
permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
deny icmp any 192.168.0.0 0.0.255.255
permit ip any any
permit icmp any any
permit igmp any any
I think this is pretty standard except that, with permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255, I have authorized the devices in the VLAN to ping other devices in the same VLAN (should be harmless and could be useful for debugging, I'll see).
Also I am not sure about the last line (igmp), not sure if I really need it or not.

Based on this example, I am confident that I can configure the other VLANs without any issues.
 
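The ACL above, modelled as an added example that is not part of the original post and not code from the ICX firmware: a small Python model of first-match evaluation with wildcard masks, run over constructed packets from a VLAN 10 host (the host addresses, ports and the 203.0.113.10 stand-in for an internet address are all assumed). It shows why the list needs permit ip any any to work: with that entry removed, internet-bound traffic matches nothing and falls to the implicit deny that ends every ACL. It also reports entries that an earlier entry shadows, since ip covers icmp and igmp as well.

```python
# Added example, not ICX firmware code: first-match evaluation of the extended IP
# ACL posted above, plus a check for entries shadowed by an earlier entry. The ACL
# text below is the posted list with its "ip access-list" header line omitted.
import ipaddress
from collections import namedtuple

ACL_TEXT = """\
permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
permit udp 192.168.10.0 0.0.0.255 host 192.168.178.1 eq dns
permit tcp 192.168.10.0 0.0.0.255 host 192.168.178.1 eq dns
permit icmp 192.168.10.0 0.0.0.255 192.168.0.0 0.0.255.255 echo-reply
permit icmp 192.168.10.0 0.0.0.255 192.168.10.0 0.0.0.255
deny ip any 192.168.0.0 0.0.255.255
deny icmp any 192.168.0.0 0.0.255.255
permit ip any any
permit icmp any any
permit igmp any any
"""
PORT_NAMES = {"bootpc": 68, "bootps": 67, "dns": 53}  # service keywords used above
ICMP_TYPES = {"echo-reply": 0, "echo": 8}
ANY = (0, 0xFFFFFFFF)  # network 0 with an all-ones wildcard matches every address
# proto is "tcp", "udp", "icmp" or "igmp"; ports default to 0, icmp_type to None.
Packet = namedtuple("Packet", "proto src dst sport dport icmp_type", defaults=(0, 0, None))

def _ip(s):
    return int(ipaddress.IPv4Address(s))

def _parse_addr(t, i):
    """Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return ((net, wild), next i)."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (_ip(t[i + 1]), 0), i + 2
    return (_ip(t[i]), _ip(t[i + 1])), i + 2

def _parse_port(t, i):  # optional 'eq <name|number>' at t[i]
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_acl(text):
    """Each entry becomes a tuple (action, proto, src, sport, dst, dport, icmp_type)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        src, i = _parse_addr(t, 2)
        sport, i = _parse_port(t, i)
        dst, i = _parse_addr(t, i)
        dport, i = _parse_port(t, i)
        icmp_type = ICMP_TYPES[t[i]] if t[1] == "icmp" and i < len(t) else None
        rules.append((t[0], t[1], src, sport, dst, dport, icmp_type))
    return rules

def _addr_match(spec, ip):
    net, wild = spec  # wildcard bits are "don't care": force them to 1 on both sides
    return (_ip(ip) | wild) == (net | wild)

def rule_matches(rule, p):
    _, proto, src, sport, dst, dport, itype = rule
    return (proto in ("ip", p.proto)  # "ip" also matches icmp and igmp packets
            and _addr_match(src, p.src) and _addr_match(dst, p.dst)
            and sport in (None, p.sport) and dport in (None, p.dport)
            and itype in (None, p.icmp_type))

def evaluate(rules, p):
    """First matching entry wins; with no match the ACL's implicit deny applies."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, p):
            return rule[0], n
    return "deny", None

def _covers(e, l):
    """True if every packet matching later entry l also matches earlier entry e."""
    def addr(a, b):  # a's wildcard is a superset of b's and the fixed bits agree
        return (b[1] & ~a[1]) == 0 and (a[0] | a[1]) == (b[0] | a[1])
    return (e[1] in ("ip", l[1]) and addr(e[2], l[2]) and addr(e[4], l[4])
            and e[3] in (None, l[3]) and e[5] in (None, l[5]) and e[6] in (None, l[6]))

def unreachable(rules):
    """1-based numbers of entries shadowed by an earlier entry, so never hit."""
    return [n for n in range(2, len(rules) + 1)
            if any(_covers(rules[e], rules[n - 1]) for e in range(n - 1))]

# Constructed traffic from a VLAN 10 host; 203.0.113.10 stands in for an internet host.
SAMPLES = {
    "dhcp discover": Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
    "dns to router": Packet("udp", "192.168.10.20", "192.168.178.1", 51000, 53),
    "https to internet": Packet("tcp", "192.168.10.20", "203.0.113.10", 51001, 443),
    "smb to other vlan": Packet("tcp", "192.168.10.20", "192.168.20.5", 51002, 445),
    "ping inside vlan": Packet("icmp", "192.168.10.20", "192.168.10.30", icmp_type=8),
    "ping to other vlan": Packet("icmp", "192.168.10.20", "192.168.20.5", icmp_type=8),
    "ping reply to other vlan": Packet("icmp", "192.168.10.20", "192.168.20.5", icmp_type=0),
}

def run(acl_text=ACL_TEXT):
    rules = parse_acl(acl_text)
    return {k: evaluate(rules, p) for k, p in SAMPLES.items()}, unreachable(rules)
```

Calling run() returns the verdict and entry number for each sample packet plus the shadowed entries, which for this list are 7, 9 and 10: deny icmp after deny ip, and the icmp/igmp permits after permit ip any any, can never match. Passing the list with the permit ip any any line removed to run() shows the HTTPS packet ending in ("deny", None), the implicit deny, which is the behaviour the thread started from.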

sic0048

Active Member
Dec 24, 2018
201
150
43
I have two 7250 - one that works fine and the other has multiple POE power failures and the MS LED on the front of the switch is orange instead of green. I've posted the errors below. I also happen to have several 6610s and a 6450 that are not being used right now. Does anyone know if it is possible to swap POE components from one of the older 6xxxx series switches and put them into the 7250? I figured I would ask before I start cracking cases open because I figure it is a long shot that this is possible.

PoE Severe Error: Hardware Fault with ports 2/1/1 to 2/1/8. Remove PDs and then configure "no inline power" on these ports.
PoE Severe Error: Hardware Fault with ports 2/1/9 to 2/1/16. Remove PDs and then configure "no inline power" on these ports.
PoE Severe Error: Hardware Fault with ports 2/1/25 to 2/1/32. Remove PDs and then configure "no inline power" on these ports.
PoE Severe Error: Hardware Fault with ports 2/1/33 to 2/1/40. Remove PDs and then configure "no inline power" on these ports.