Switches, Hubs, and Modems
1748140 Members
3777 Online
108758 Solutions
New Discussion юеВ

Re: VLANs, Routing, Gateways + Rules?

 
SOLVED
Go to solution
Andr├й Beck
Honored Contributor

Re: VLANs, Routing, Gateways + Rules?

Re Shaun,

> The ACL documentation for the 3400cl did
> seem pretty concise - 80 pages in all

Yep. 10 pages of them are just there to explain the resource issues and half baked workarounds for the poor folks running into them (which are all of them - I bet you will hit this...)

> and stated that I could apply many more
> than 8 ACE's to an ACL.

I just had a look into the chapter called "Access Control Lists (ACLs) for the Series 3400cl and Series 6400cl Switches" from the latest Advanced Traffic Management Guide. It states that 3400cl and 6400cl are essentially the same in this matter:

* Only Ingress ACLs
* Only Port ACLs
* Severe Resource Issues when using ACLs.

Have a closer look at the part called "Planning an ACL Application..." and the table below "ACL Resource usage and Monitoring". The Caveat here is the "8 ACL Masks" limit that is even a limit of 7 masks as soon as IGMP snooping is active. You can tune an ACL somewhat by reorganizing it so consecutive ACEs produce the same mask (then this ACE is "free" and only draws from the absolute total of 120 rules) but in practice, this is only possible in a small number of cases. You often end up with no more than 7 or 8 ACEs, maybe a lucky 10. Of course you can *define* ACLs with more entries, but you cannot *apply* them anywhere, the switch will greet your enthusiasm with a laconic "Unable to apply access control list" message.

I could also mention that applying an ingress ACL to a port on this platform will cycle this port through Down/Up states, taking the STP topology with it, so you cannot really change ACLs without impact. Given the port ingress nature of the ACLs, you tend to shoot yourself into the foot even with tedious planning, especially when your switch is more in the center of the network. I can only repeat - while port ingress ACLs might have some use on the edge ports of access layer switches, they are completely insufficient for L3 switches in the distribution or (collapsed) core layers. You might compare the ACL docs of the yl/zl class switches to see what's closer to the state of the art here. I haven't hit a wall yet with ACLs on 6200yl for instance, but in the same network, a distribution unit made of two 6400cl is driving me crazy. We can only change ACLs there in a planned downtime, with somebody at the location standing by with a laptop and serial, and the resource limits already killed a downtime window. As a result, a part of a country-wide VPN is dysfunctional for months now. 5400zl replacements are in the pipe, blocking on layer 8 (finances)...

HTH,
Andre.
Shaun Neighbour
Advisor

Re: VLANs, Routing, Gateways + Rules?

Hmmmmm.........

I was planning on creating one ACL with around 30 ACE's and applying to all relevant ports (probably 20 ports in total)

At least it's half term next week - I can do some proper testing...........
Shaun Neighbour
Advisor

Re: VLANs, Routing, Gateways + Rules?

OK

If I'm readin this right - My original plan of giving each workstation VLAN an IP range on 10.*.0.0/255.255.0.0 and having the servers on 10.200.0.0/255.255.0.0 would make me run out of ACL masks rather quickly.

But, as most of my workstation VLANs will have the same ruls applied to them, if I change the workstation VLAN IP ranges to 192.*.0.0/255.255.0.0 I could pretty much do everything with one ACL mask............

so for instance;

permit 192.0.0.0 0.255.255.255 10.200.0.0 0.0.255.255

would allow all my workstaions to talk to my servers, while still preventing my workstation VLANs from talking to each other...... Is that right? If so, my ACL planning got a lot easier, and as I haven't setup the IP ranges yet, it's no extra work there either............
Shaun Neighbour
Advisor

Re: VLANs, Routing, Gateways + Rules?

Well it WAS all going to plan............

I created an extended ACL;

permit ip 10.15.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.15.0.0 0.0.255.255 10.12.0.0 0.0.255.255
permit ip 10.15.0.0 0.0.255.255 10.217.0.0 0.0.255.255
permit ip 10.16.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.16.0.0 0.0.255.255 10.217.0.0 0.0.255.255
permit ip 10.14.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.14.0.0 0.0.255.255 10.12.0.0 0.0.255.255
permit ip 10.14.0.0 0.0.255.255 10.217.0.0 0.0.255.255
permit ip 10.13.0.0 0.0.255.255 10.11.0.0 0.0.255.255
permit ip 10.13.0.0 0.0.255.255 10.127.0.0 0.0.255.255
permit ip 10.217.0.0 0.0.255.255 10.217.0.0 0.0.255.255

It worked initially - I set a workstation on 10.16.0.10 pinging both 10.14.0.10 and 10.217.28.12 - I applied the ACL to the port, and communication to 10.14.0.10 was blocked, whilst 10.217.28.12 carried on

But - 15-20 seconds later, I got a "Limited or no connectivity" notice (WinXP) and everything stopped. Even DHCP has stopped (DHCP server is 10.217.28.12).

I turned the rule off - applied it again, and got the exact same thing.

I tried again - This time a fresh PC - I applied the rule, plugged in the PC, and don't even get dhcp.

I'm assuming I've blocked DHCP somehow..........
Shaun Neighbour
Advisor

Re: VLANs, Routing, Gateways + Rules?

I added the following two lines to my acl;

permit udp host 0.0.0.0 eq bootpc host 10.217.28.12 eq bootps
permit udp any eq bootpc host 255.255.255.255 eq bootps

That seems to have cured my DHCP issue.

Now I just have to figure out why my workstation imaging is broken - I'm PXE booting to my Novell Zen imaging server - There's a brief message about not being able to download a file..........

These things are never simple.........
Shaun Neighbour
Advisor

Re: VLANs, Routing, Gateways + Rules?

Workstation imaging works fine if I assign the workstation to a WORKSTATION VLAN with the BootP settings set rather than the Printer or Phone VLANs I'd been using to test with!!!!!!!!!!