pchettri
asked on
Brocade switch 6450 and 6610
I have Brocade switch stach 6450 and 6610. My 6610 is connected directly to firewall and 6450 stack is connected to 6610 is trunked to 6450 using 1/1/2 interface and 2/2/2 interface.
I created new vlan 222 and assigned new route and DHCP helper to reach DHCP server for IP assignment based on new scope and new range of IP address for guest wifi. The new access point interface assigned to VLAN 222. I created route of the firewall with gatewway address of new guest wifi range.
The guest wifi currently is working but has access to all network. Since the route and interface was created in switch there is no option access control on firewall.
How would create ACL on Brocade swtich to allow vlan 222 to access only the external internet switch and restrict access to internal servers?
I created new vlan 222 and assigned new route and DHCP helper to reach DHCP server for IP assignment based on new scope and new range of IP address for guest wifi. The new access point interface assigned to VLAN 222. I created route of the firewall with gatewway address of new guest wifi range.
The guest wifi currently is working but has access to all network. Since the route and interface was created in switch there is no option access control on firewall.
How would create ACL on Brocade swtich to allow vlan 222 to access only the external internet switch and restrict access to internal servers?
ASKER
Brocade support said it is possible and send the instruction -
access-list 101 deny ip [range_AP_Users] [range_internal_vlans]
access-list 101 permit ip any any
but I will rather try when they are on phone, so I replied for on call support.
access-list 101 deny ip [range_AP_Users] [range_internal_vlans]
access-list 101 permit ip any any
but I will rather try when they are on phone, so I replied for on call support.
As noted thats a very basic level of acl.
It may work if things stay straight forward but it wont if it gets complicated.
Eg if you block the server the clients cant get DNS, DHCP, shares.
I still recommend using the firewall/router to give you full control, but the command youve been given should work on a basic level.
It may work if things stay straight forward but it wont if it gets complicated.
Eg if you block the server the clients cant get DNS, DHCP, shares.
I still recommend using the firewall/router to give you full control, but the command youve been given should work on a basic level.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
+1 for Steve.
In the above quoted setup, if any wifi user is spoofing the source address, they will not match your first deny statement, and match the second permit.
ACLs are nice, but no replacement for a firewall.
If you stick with your current setup, do keep an eye on things.
Tamas
BCNE
In the above quoted setup, if any wifi user is spoofing the source address, they will not match your first deny statement, and match the second permit.
ACLs are nice, but no replacement for a firewall.
If you stick with your current setup, do keep an eye on things.
Tamas
BCNE
ASKER
I agree with the suggestion but the solution is missing, therefore, could not click on accept solution. I was able fix it by logging ticket to Brocade l3 support and trial and error from my end to open AP to DHCP. I posted my solution as information for anyone needing information
ASKER
applied ACL on the ve interface associated with VLAN and tagging it to the interface that was trucked between the switch
allowed acl to specific IP of AP
defined ACL to deny access to data, phone and iscsi IP range
permitted any
applied to the interface that was connected to AP as incoming
all data network is inaccessible and internet is now accessible on guestwfi as needed
allowed acl to specific IP of AP
defined ACL to deny access to data, phone and iscsi IP range
permitted any
applied to the interface that was connected to AP as incoming
all data network is inaccessible and internet is now accessible on guestwfi as needed
You should create the VLAN on the firewall instead of the switches and assign it's own Gateway IP, often referred to as a 'virtual interface'.
This IP would be the default gateway for the VLAN instead of the existing one on the Switch. This allows you to set up rules in the firewall as normal which controls the level of access it is allowed between subnets.