Layer 3 Switch Guest VLAN ACLs

I use ACLs on my Brocade L3 switch to control access to other VLANs and access to the internet.

The ACL rules are evaluated from the perspective of the ve (the switch's virtual routing interface) on the VLAN. Traffic that devices on the VLAN send toward other networks arrives at the L3 switch, so it is "in" on that ve interface. I name the ACLs "VLANx out" to make this clearer: the ACL is bound inbound on the ve, but what it governs is what the VLAN's hosts may send out. The ACL is evaluated top down, the first matching rule wins, and anything that matches no rule is denied, so the order of the permits and denies below matters.

On VLAN 40 (my guest VLAN, 10.1.40.0/24) the L3 switch's ve address is 10.1.40.1, and my DHCP server and my DNS server are both at 10.1.1.21 on another VLAN.

no ip access-list extended "VLAN40 out"
ip access-list extended "VLAN40 out"
remark Block management access to this VLAN's ve address (explicit and first, so a later permit cannot reopen it)
deny tcp any host 10.1.40.1 eq ssh
deny tcp any host 10.1.40.1 eq telnet
deny tcp any host 10.1.40.1 eq http
deny tcp any host 10.1.40.1 eq 443
remark allow hosts on the subnet to reach the dhcp server: broadcast discover/request, then unicast renewals
remark (clients always send to port 67/bootps; port 68/bootpc is only ever the destination of server replies)
permit udp any host 255.255.255.255 eq bootps
permit udp 10.1.40.0 0.0.0.255 host 10.1.1.21 eq bootps
remark allow hosts on the subnet to do dns lookups
permit udp any host 10.1.1.21 eq dns
permit tcp any host 10.1.1.21 eq dns
remark allow hosts on the subnet to ping the dns server for debugging purposes
permit icmp any host 10.1.1.21 echo
remark allow replies to connections that other vlans opened to hosts on this network
remark (stateless: "established" only checks ACK/RST, so guests can still send ACK-flagged packets to high ports on other vlans)
permit tcp any any gt 1023 established
remark allow access to the web host on this vlan specifically: the /16 deny below also covers 10.1.40.0/24
remark (this only takes effect if the switch applies the ve ACL to traffic switched within the VLAN; if it does, it isolates guests from each other)
permit tcp any host 10.1.40.18 eq http
permit tcp any host 10.1.40.18 eq 443
remark block outbound access to all local VLANs (only 10.1.0.0/16 here; add denies for any other private ranges in use)
deny ip any 10.1.0.0 0.0.255.255
remark allow internet
permit ip any any

interface ve 40
 ip access-group "VLAN40 out" in
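To see what the ordering of those rules actually lets through, here is an added example: a small first-match evaluator for the "VLAN40 out" ACL written in Python. It is not Brocade code and not part of the original post; it models only the keywords the ACL uses (any / host / address plus wildcard, eq/gt/lt on the destination port, established, one ICMP type), treats "established" as "ACK or RST set" the way a stateless ACL does, and applies the implicit deny at the end. The guest address 10.1.40.50 and the internal host 10.1.1.50 are constructed sample values. The samples at the bottom show the two things worth knowing about this ACL: an ACK-flagged packet from a guest to a high port on an internal host is permitted by the established rule even though a SYN to the same port is denied, and hosts in other private ranges such as 192.168.0.0/16 fall through to the final permit.

```python
"""First-match evaluator for the "VLAN40 out" ACL (added example, not Brocade code).

Models only the keywords that ACL uses; source-port operators are not supported.
"""
import ipaddress
from dataclasses import dataclass

# Port keywords used in the ACL, resolved to numbers.
PORT_NAMES = {"ssh": 22, "telnet": 23, "http": 80, "dns": 53, "bootps": 67, "bootpc": 68}

# The ACL from the post, embedded so the script runs stand-alone (remarks are skipped).
ACL_TEXT = """
remark block management access to the ve address
deny tcp any host 10.1.40.1 eq ssh
deny tcp any host 10.1.40.1 eq telnet
deny tcp any host 10.1.40.1 eq http
deny tcp any host 10.1.40.1 eq 443
remark dhcp: broadcast discover/request, then unicast renewals
permit udp any host 255.255.255.255 eq bootps
permit udp 10.1.40.0 0.0.0.255 host 10.1.1.21 eq bootps
remark dns lookups and a debugging ping to the dns server
permit udp any host 10.1.1.21 eq dns
permit tcp any host 10.1.1.21 eq dns
permit icmp any host 10.1.1.21 echo
remark replies to connections opened from other vlans (stateless)
permit tcp any any gt 1023 established
remark the one web host on this vlan guests may reach
permit tcp any host 10.1.40.18 eq http
permit tcp any host 10.1.40.18 eq 443
remark block the local vlans, then allow the internet
deny ip any 10.1.0.0 0.0.255.255
permit ip any any
"""


@dataclass
class Packet:
    """One packet as seen inbound on ve 40, i.e. sent by a guest host."""
    proto: str            # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0        # destination port; 0 for icmp
    ack: bool = False     # ACK or RST set, which is all that "established" tests
    icmp_type: str = ""   # e.g. "echo"


def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    ones = int(ipaddress.ip_address(wildcard))   # wildcard: 1 bits are don't-care
    if ones & (ones + 1):                        # only contiguous low-order ones supported
        raise ValueError(f"non-contiguous wildcard not supported: {wildcard}")
    prefix = 32 - ones.bit_length()
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]


def parse_rule(line):
    """Parse one permit/deny line into a dict; return None for remarks and blank lines."""
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    action, proto = tokens[0], tokens[1]
    src, rest = _parse_addr(tokens[2:])
    dst, rest = _parse_addr(rest)
    rule = {"action": action, "proto": proto, "src": src, "dst": dst,
            "op": None, "port": None, "established": False, "icmp_type": None}
    while rest:
        tok = rest.pop(0)
        if tok in ("eq", "gt", "lt"):
            port = rest.pop(0)
            rule["op"], rule["port"] = tok, PORT_NAMES[port] if port in PORT_NAMES else int(port)
        elif tok == "established":
            rule["established"] = True
        elif proto == "icmp":
            rule["icmp_type"] = tok
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
    return rule


def load_acl(text):
    return [r for r in (parse_rule(line) for line in text.splitlines()) if r]


def matches(rule, pkt):
    if rule["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in rule["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in rule["dst"]:
        return False
    if rule["op"]:   # destination-port operator
        cmp = {"eq": pkt.dport == rule["port"], "gt": pkt.dport > rule["port"],
               "lt": pkt.dport < rule["port"]}
        if not cmp[rule["op"]]:
            return False
    if rule["established"] and not pkt.ack:
        return False
    if rule["icmp_type"] and pkt.icmp_type != rule["icmp_type"]:
        return False
    return True


def evaluate(rules, pkt):
    """First match wins; return (action, 1-based rule number), or ("deny", None) on no match."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule["action"], number
    return "deny", None


RULES = load_acl(ACL_TEXT)


def check(pkt):
    return evaluate(RULES, pkt)


if __name__ == "__main__":
    guest = "10.1.40.50"   # constructed sample guest host
    samples = [
        ("ssh to the switch's ve address", Packet("tcp", guest, "10.1.40.1", 22)),
        ("dhcp discover", Packet("udp", "0.0.0.0", "255.255.255.255", 67)),
        ("dns lookup", Packet("udp", guest, "10.1.1.21", 53)),
        ("smb to an internal host", Packet("tcp", guest, "10.1.1.50", 445)),
        ("ACK-flagged probe of an internal high port", Packet("tcp", guest, "10.1.1.50", 50000, ack=True)),
        ("SYN to that same high port", Packet("tcp", guest, "10.1.1.50", 50000)),
        ("https to the guest web host", Packet("tcp", guest, "10.1.40.18", 443)),
        ("smb to a 192.168 host, outside the /16 deny", Packet("tcp", guest, "192.168.1.10", 445)),
    ]
    for label, pkt in samples:
        action, number = check(pkt)
        print(f"{action:6} (rule {number}): {label}")
```

Running it prints one line per sample with the action and the rule number that decided it. The ACK-probe line is the practical caveat of the established rule: the ACL cannot tell a reply from a forged ACK, so a guest can still map which internal hosts answer on high ports; if that matters, put the guest VLAN behind a stateful firewall rather than relying on the switch ACL for it.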