Link to home
Create AccountLog in
Avatar of pchettri

asked on

Brocade switch 6450 and 6610

I have Brocade switch stach 6450 and 6610. My 6610 is connected directly to firewall and 6450 stack is connected to 6610 is trunked to 6450 using 1/1/2 interface and 2/2/2 interface.
I created new vlan 222 and assigned new route and DHCP helper to reach DHCP server for IP assignment based on new scope and new range of IP address for guest wifi. The new access point interface assigned to VLAN 222. I created route of the firewall with gatewway address of new guest wifi range.
The guest wifi currently is working but has access to all network. Since the route and interface was created in switch there is no option access control on firewall.

How would create ACL on Brocade swtich to allow vlan 222 to access only the external internet switch and restrict access to internal servers?
Avatar of Steve
Flag of United Kingdom of Great Britain and Northern Ireland image

L3 switches aren't designed for access control. some do have some facilities but they are generally limited as that's normally the job of routers/firewalls.
You should create the VLAN on the firewall instead of the switches and assign it's own Gateway IP, often referred to as a 'virtual interface'.
This IP would be the default gateway for the VLAN instead of the existing one on the Switch. This allows you to set up rules in the firewall as normal which controls the level of access it is allowed between subnets.
Avatar of pchettri


Brocade support said it is possible and send the instruction -

access-list 101 deny ip [range_AP_Users] [range_internal_vlans]
 access-list 101 permit ip any any

but I will rather try when they are on phone, so I replied for on call support.
As noted thats a very basic level of acl.
It may work if things stay straight forward but it wont if it gets complicated.
Eg if you block the server the clients cant get DNS, DHCP, shares.

I still recommend using the firewall/router to give you full control, but the command youve been given should work on a basic level.
Avatar of pchettri

Link to home
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
+1 for Steve.
In the above quoted setup, if any wifi user is spoofing the source address, they will not match your first deny statement, and match the second permit.
ACLs are nice, but no replacement for a firewall.
If you stick with your current setup, do keep an eye on things.

I agree with the suggestion but the solution is missing, therefore, could not click on accept solution. I was able fix it by logging ticket to Brocade l3 support and trial and error from my end to open AP to DHCP. I posted my solution as information for anyone needing information
applied ACL on the ve interface associated with VLAN and tagging it to the interface that was trucked between the switch
allowed acl to specific IP of AP
defined ACL to deny access to data, phone and iscsi IP range
permitted any
applied to the interface that was connected to AP as incoming

all data network is inaccessible and internet is now accessible on guestwfi as needed