Avatar of pchettri
pchettri
 asked on

Brocade switch 6450 and 6610

I have Brocade switch stach 6450 and 6610. My 6610 is connected directly to firewall and 6450 stack is connected to 6610 is trunked to 6450 using 1/1/2 interface and 2/2/2 interface.
I created new vlan 222 and assigned new route and DHCP helper to reach DHCP server for IP assignment based on new scope and new range of IP address for guest wifi. The new access point interface assigned to VLAN 222. I created route of the firewall with gatewway address of new guest wifi range.
The guest wifi currently is working but has access to all network. Since the route and interface was created in switch there is no option access control on firewall.

How would create ACL on Brocade swtich to allow vlan 222 to access only the external internet switch and restrict access to internal servers?
Switches / HubsRoutersNetwork Security

Avatar of undefined
Last Comment
pchettri

8/22/2022 - Mon
Steve

L3 switches aren't designed for access control. some do have some facilities but they are generally limited as that's normally the job of routers/firewalls.
You should create the VLAN on the firewall instead of the switches and assign it's own Gateway IP, often referred to as a 'virtual interface'.
This IP would be the default gateway for the VLAN instead of the existing one on the Switch. This allows you to set up rules in the firewall as normal which controls the level of access it is allowed between subnets.
pchettri

ASKER
Brocade support said it is possible and send the instruction -

access-list 101 deny ip [range_AP_Users] [range_internal_vlans]
 access-list 101 permit ip any any

but I will rather try when they are on phone, so I replied for on call support.
Steve

As noted thats a very basic level of acl.
It may work if things stay straight forward but it wont if it gets complicated.
Eg if you block the server the clients cant get DNS, DHCP, shares.

I still recommend using the firewall/router to give you full control, but the command youve been given should work on a basic level.
Your help has saved me hundreds of hours of internet surfing.
fblack61
ASKER CERTIFIED SOLUTION
pchettri

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
TimotiSt

+1 for Steve.
In the above quoted setup, if any wifi user is spoofing the source address, they will not match your first deny statement, and match the second permit.
ACLs are nice, but no replacement for a firewall.
If you stick with your current setup, do keep an eye on things.

Tamas
BCNE
pchettri

ASKER
I agree with the suggestion but the solution is missing, therefore, could not click on accept solution. I was able fix it by logging ticket to Brocade l3 support and trial and error from my end to open AP to DHCP. I posted my solution as information for anyone needing information
pchettri

ASKER
applied ACL on the ve interface associated with VLAN and tagging it to the interface that was trucked between the switch
allowed acl to specific IP of AP
defined ACL to deny access to data, phone and iscsi IP range
permitted any
applied to the interface that was connected to AP as incoming

all data network is inaccessible and internet is now accessible on guestwfi as needed
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.