Hello all,
I have an LB6M that's working great. However I have a new requirement, I need to block traffic within a VLAN -
for example if my VLAN 100 has IP range = 10.10.10.0/24, none of the IPs within that should be able to communicate with each other (looking at a multi-tenant environment).
Is there a way to implement this? I applied the rules on the firewall but it seems that the traffic never hits the firewall since it could be on the same virtual environment (different VMs).
I am by no means experienced in this sort of advanced config, or indeed advanced switch config in general. But your question interested me so I went through the Brocade documentation.
I believe what you want should be achievable using rule-based ACLs. This is definitely supported on a Brocade-flashed LB6M, and all of the following info is taken from Brocade documentation and tested on my own Brocade-flashed LB6M.
I can't say for absolute certain that the same is available on the default FastPath LB6M firmware, however I checked my Quanta LB4M running FastPath routing FW (version 5.13.12.14) and found the same ACL commands were supported there (access-list and ip access-group), albeit with slightly different syntax.
Reading the Brocade documentation file TurboIron24X_08001_ConfigGuide.pdf, starting page 897:
- Types of IP ACLs
You can configure the following types of IP ACLs:
- Standard - Permits or denies packets based on source IP address. Valid standard ACL IDs are 1 - 99 or a character string.
- Extended - Permits or denies packets based on source and destination IP address and also based on IP protocol information. Valid extended ACL IDs are a number from 100 - 199 or a character string.
The latter, Extended ACLs, which support denying packets based on both source and destination IP, sounds like what you want? Specifically you'd block packets from 10.10.10.0/24 to 10.10.10.0/24 - though presumably also with a rule specifically allowing access to any router/gateway on that subnet.
The full Brocade docs are provided on the web page that details the Brocade flash, which is documented here in this thread. The best doc to read is the TurboIron ConfigGuide I just mentioned, as the other files are general docs for all FastIron switches, rather than specifically listing everything supported (or not) on the TurboIron - and therefore also supported on a Brocade-flashed LB6M.
I tested this myself on my Brocade-flashed LB6M, and it seems to work:
Code:
vlan 100 name vlan100 by port
untagged ethe 2 ethe 24
spanning-tree
!
access-list 100 bridged-routed
access-list 100 permit ip 192.168.200.0 0.0.0.255 host 192.168.200.10
access-list 100 deny ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255
access-list 100 permit ip any any
!
interface ethernet 24
port-name 10Gdesktop2
ip access-group 100 in
This achieved the following result:
- Port 24, configured with 192.168.200.20, could ping 192.168.200.10 (which is connected to port 2)
- But it could not access any other IP on 192.168.200.0/24
- It could access any other subnets it was configured with, eg port 24 configured with 192.168.210.20 could ping 192.168.210.12 on port 2.
The command access-list 100 bridged-routed is required to enable ACL use in a L2 config - you may not need this if you have set the switch up for L3.
I was only able to apply the ip access-group 100 to port 24 once port 24 was in a VLAN. I wasn't previously using VLANs on this switch so I created one to test it out. That might be because I'm missing some other config that would enable per-port access-group without a VLAN. Although in your case you want it on a VLAN anyway. (Note that this did not apply on the LB4M, where ip access-group was available on any port, regardless of it already being in a VLAN.)
One final point: according to the Brocade docs, on our switch ACLs can only be applied "inbound" on a port, not outbound. Inbound means "from the NIC connected to the given port", ie you can ACL restrict traffic that comes from a NIC to a specified port, but not traffic from elsewhere that will exit out of that port (and end up at the NIC.) When I checked my LB4M, I found the same limitation there - it will only apply an access-group for "in".
I don't believe that affects what you want to do, given you want to block all traffic between 10.10.10.0/24, so it doesn't matter whether you block it at source or destination. Just bear in mind you need to write the ACL such that it blocks traffic from each NIC (in to its switch port), not traffic destined for a given NIC (which will exit out from its switch port.)
So from what I've read and can understand, I believe rule-based ACLs can achieve what you want? If you're running Brocade FW - as is highly recommended - then the above should work for you directly. If you're still on FastPath LB6M FW, I expect the same basic commands will exist (access-list and ip access-group) but might use slightly different syntax. FastPath might also have minor differences in implementation compared to Brocade, however it seems my LB4M supports the same basic concepts as the Brocade-flashed LB6M, so I'd be quite surprised if a FastPath LB6M was much different.
That said, if you are on the FastPath FW, maybe this would make a good opportunity to flash to Brocade FW. It seems to be superior in most every way, and is also far better documented - a really big benefit in my view.
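The following Python model is an added example, not code from the post or from Brocade: it parses ACL entries in the shape shown above (wildcard masks, host, any), evaluates them first-match with the implicit trailing deny, and models the "in only" caveat, so you can check before deploying that the access-group is applied on every tenant port, not just one. The port numbers and addresses are the constructed values from the test config above.

```python
import ipaddress

# Constructed sample ACL, mirroring the entries from the post (Brocade-style
# wildcard masks: 0 bits must match, 1 bits are "don't care"). Only "ip" is
# modeled; the protocol token is parsed but not used for matching.
ACL_100 = [
    "permit ip 192.168.200.0 0.0.0.255 host 192.168.200.10",
    "deny ip 192.168.200.0 0.0.0.255 192.168.200.0 0.0.0.255",
    "permit ip any any",
]

def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD); return (network, tokens used)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), 1
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), 2
    # Invert the wildcard mask to obtain a conventional netmask.
    wildcard = int(ipaddress.ip_address(tokens[1]))
    netmask = str(ipaddress.ip_address((~wildcard) & 0xFFFFFFFF))
    return ipaddress.ip_network((tokens[0], netmask), strict=False), 2

def parse_acl(lines):
    """Turn 'permit|deny ip SRC DST' entries into (action, proto, src_net, dst_net)."""
    rules = []
    for line in lines:
        t = line.split()
        action, proto = t[0], t[1]
        src, used = _parse_addr(t[2:])
        dst, _ = _parse_addr(t[2 + used:])
        rules.append((action, proto, src, dst))
    return rules

def evaluate(rules, src_ip, dst_ip):
    """First matching entry wins; an ACL with no match ends in an implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, _proto, src, dst in rules:
        if s in src and d in dst:
            return action
    return "deny"

def forwarded(acl_ports, rules, ingress_port, src_ip, dst_ip):
    """Model 'ip access-group ... in': the ACL is checked only on the port a frame
    enters, so a port without the access-group forwards everything unfiltered."""
    if ingress_port not in acl_ports:
        return "permit"
    return evaluate(rules, src_ip, dst_ip)
```

Running forwarded() with the ACL bound only to port 24 shows a host on port 2 can still reach the tenant on port 24, which is why each tenant-facing port needs its own ip access-group in.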