We're setting up a network with several ICX switches. We've got several VLANs configured, each one associated with a virtual interface. Below is the configuration for VLAN and VE 10 and 20:
vlan 10 name A by port
 tagged ethe 1/2/3 ethe 1/2/5 ethe 2/1/32 ethe 2/2/3 ethe 2/2/5
 untagged ethe 1/1/48
 router-interface ve 10
!
vlan 20 name B by port
 tagged ethe 1/2/3 ethe 1/2/5 ethe 2/1/32 ethe 2/2/3 ethe 2/2/5
 untagged ethe 1/1/4 to 1/1/6 ethe 2/1/4 to 2/1/6 ethe 2/1/9 to 2/1/10 ethe 2/1/12 ethe 2/1/17 to 2/1/18 ethe 2/1/21 ethe 2/1/23
 router-interface ve 20
interface ve 10
 ip address 172.16.40.1 255.255.248.0
 ip helper-address 1 172.16.17.254
!
interface ve 20
 ip address 172.16.16.1 255.255.240.0

Currently, all of the VLANs can talk to each other, but we want to be able to restrict access to network resources on a per-VLAN basis.
I'm trying to set up a layer 3 ACL so that VLAN 10 can *only* be accessed from VLAN 20. So I created the following access lists:
ip access-list extended "A ACL IN"
 permit ip 172.16.16.0 0.0.15.255 any
 deny ip any any
!
ip access-list extended "A ACL OUT"
 permit ip any 172.16.16.0 0.0.15.255
 deny ip any any

When adding these ACLs to VE 10:
interface ve 10
 ip access-group "A ACL IN" in
interface ve 10
 ip access-group "A ACL OUT" out

Suddenly VLAN 10 can't access anything on VLAN 20 and vice versa. Can anyone see what I'm doing wrong here?
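Added example, not part of the original post: a small Python model of how an extended IP ACL bound to a virtual interface is evaluated. The point it illustrates is direction. An ACL applied "in" on ve 10 is checked against packets the router receives from VLAN 10 hosts, whose source is in 172.16.40.0/21; an ACL applied "out" on ve 10 is checked against packets being routed towards VLAN 10 hosts, whose destination is in 172.16.40.0/21. The posted lists put the VLAN 20 prefix in the opposite position for each direction, so no packet in either direction can hit the permit and both lists fall through to deny. The model reproduces that outcome with the posted entries, then shows the same intent with source and destination matched to the direction each list actually sees. The third VLAN (172.16.60.0/24), the host addresses and the first-match/implicit-deny evaluation are assumptions made for the test; the ACL lines quoted in the comments follow the syntax the poster used.

```python
"""Model of extended IP ACL evaluation on a routed virtual interface (VE).

Assumptions (not from the post): a packet is matched by the 'in' ACL of the
VE that owns its source subnet and by the 'out' ACL of the VE that owns its
destination subnet; entries are evaluated top to bottom, first match wins,
and a list with no matching entry denies.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


def net(addr: str, wildcard: str = "0.0.0.0") -> ipaddress.IPv4Network:
    """Turn an ACL 'address wildcard-mask' pair into a network."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard == "0.0.0.0":                      # a host entry
        return ipaddress.ip_network(f"{addr}/32")
    # ipaddress reads a mask starting with a zero octet as a host (wildcard) mask
    return ipaddress.ip_network(f"{addr}/{wildcard}")


@dataclass(frozen=True)
class Ace:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

    def matches(self, src: str, dst: str) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst)


def evaluate(acl: list[Ace], src: str, dst: str) -> str:
    """First matching entry wins; no match means deny."""
    for ace in acl:
        if ace.matches(src, dst):
            return ace.action
    return "deny"


@dataclass
class Ve:
    name: str
    subnet: ipaddress.IPv4Network
    acl_in: Optional[list[Ace]] = None   # packets received from this VE's hosts
    acl_out: Optional[list[Ace]] = None  # packets routed towards this VE's hosts


def route(ves: list[Ve], src: str, dst: str) -> str:
    """Route one packet between VEs and return the filtering verdict."""
    ingress = next(v for v in ves if ipaddress.ip_address(src) in v.subnet)
    egress = next(v for v in ves if ipaddress.ip_address(dst) in v.subnet)
    if ingress.acl_in is not None and evaluate(ingress.acl_in, src, dst) == "deny":
        return "deny"
    if egress.acl_out is not None and evaluate(egress.acl_out, src, dst) == "deny":
        return "deny"
    return "permit"


ANY = net("any")
VLAN10 = net("172.16.40.0", "0.0.7.255")    # ve 10: 172.16.40.1/21 in the post
VLAN20 = net("172.16.16.0", "0.0.15.255")   # ve 20: 172.16.16.1/20 in the post
VLAN30 = net("172.16.60.0", "0.0.0.255")    # hypothetical third VLAN for the test


def as_posted() -> list[Ve]:
    """The two lists exactly as the post binds them to ve 10."""
    acl_in = [Ace("permit", VLAN20, ANY), Ace("deny", ANY, ANY)]   # "A ACL IN"
    acl_out = [Ace("permit", ANY, VLAN20), Ace("deny", ANY, ANY)]  # "A ACL OUT"
    return [Ve("ve 10", VLAN10, acl_in, acl_out),
            Ve("ve 20", VLAN20), Ve("ve 30", VLAN30)]


def corrected() -> list[Ve]:
    """Same intent, with src/dst placed where each direction sees them.

    Equivalent entries in the poster's syntax:
      "A ACL IN"  (from VLAN 10 hosts):
         permit ip 172.16.40.0 0.0.7.255 172.16.16.0 0.0.15.255
         deny ip any any
      "A ACL OUT" (towards VLAN 10 hosts):
         permit ip 172.16.16.0 0.0.15.255 172.16.40.0 0.0.7.255
         deny ip any any
    Matching the VLAN 10 prefix explicitly also drops spoofed sources.
    """
    acl_in = [Ace("permit", VLAN10, VLAN20), Ace("deny", ANY, ANY)]
    acl_out = [Ace("permit", VLAN20, VLAN10), Ace("deny", ANY, ANY)]
    return [Ve("ve 10", VLAN10, acl_in, acl_out),
            Ve("ve 20", VLAN20), Ve("ve 30", VLAN30)]


if __name__ == "__main__":
    for label, ves in (("as posted", as_posted()), ("corrected", corrected())):
        for src, dst in (("172.16.20.5", "172.16.40.20"),   # VLAN 20 -> VLAN 10
                         ("172.16.40.20", "172.16.20.5"),   # reply
                         ("172.16.60.7", "172.16.40.20")):  # VLAN 30 -> VLAN 10
            print(f"{label:10} {src:>13} -> {dst:<13} {route(ves, src, dst)}")
```

These are stateless filters: the entry that lets VLAN 10 answer VLAN 20 also lets VLAN 10 hosts open connections into VLAN 20. If only replies should be allowed, the permit has to be narrowed per protocol rather than expressed with a plain `permit ip`.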
The ICX switch line was acquired by Ruckus; please post your question in the Ruckus Community.