1 Rookie

 • 

46 Posts

42

May 9th, 2025 19:40

Possible upgrade of wild card ACL options for consideration

Just a suggestion maybe for future switches.

ACL Syntax including referencing VLan Subnets in ACLs

RFC711 section 3.2 and RFC1122 section 3.2.1.3 indicate 0.0.0.0/8 stands for this network and 0.0.0.0/32 stands for this host respectively. Does this also mean 0.?.?.? is an otherwise invalid internet address? If so, should the switch designers (your staff) consider what I am naming a VLan double wildcard address?

```
In this example network  (? is 1-8 respectively below)

    VLan1-8 has an OPNsense router with interfaces addressed 192.168.?.1
    VLan 1-8 has N2024 switch           with interfaces addressed 192.168.?.2
0.0.0.0/0.0.0.0     would be 192.168.?.2         the invoking VLan interface address
0.0.0.0/0.0.0.255   would be 192.168.?.{0-255}   the entire invoking VLan subnet
0.0.0.0/0.0.0.127   would be 192.168.?.{0-127}   the non-user devices in the invoking VLan subnet
0.0.0.128/0.0.0.127 would be 192.168.?.(128-255) the     user devices in the invoking Vlan subnet
```

If this is implemented, the following changes to my ACLs are possible:

BEFORE

```
ip access-list acl4VLan2_P520_Local
520000000 permit ip 192.168.2.0 0.0.0.255 192.168.2.0 0.0.0.255
exit
ip access-list acl4VLan3_P530_Local
530000000 permit ip 192.168.3.0 0.0.0.255 192.168.3.0 0.0.0.255
exit
ip access-list acl4VLan4_P540_Local
540000000 permit ip 192.168.4.0 0.0.0.255 192.168.4.0 0.0.0.255
exit
ip access-list acl4VLan5_P550_Local
550000000 permit ip 192.168.5.0 0.0.0.127 192.168.5.0 0.0.0.255
550128000 permit ip 192.168.5.128 0.0.0.127 192.168.5.0 0.0.0.255 time-range permitChild
exit
ip access-list acl4VLan6_P560_Local
560000000 permit ip 192.168.6.0 0.0.0.127 192.168.6.0 0.0.0.255
560128000 permit ip 192.168.6.128 0.0.0.127 192.168.6.0 0.0.0.127 time-range permitChild
exit
ip access-list acl4VLan7_P570_Local
570000000 permit ip 192.168.7.0 0.0.0.255 192.168.7.0 0.0.0.255
exit
```

AFTER

```
ip access-list acl4VLan0_P500_Local
500000000 permit ip 0.0.0.0 0.0.0.255 0.0.0.0 0.0.0.255
exit
ip access-list acl4VLan5_P550_Local
550000000 permit ip 0.0.0.0 0.0.0.127 0.0.0.0 0.0.0.255
550128000 permit ip 0.0.0.128 0.0.0.127 0.0.0.0 0.0.0.255 time-range permitChild
exit
ip access-list acl4VLan6_P560_Local
550000000 permit ip 0.0.0.0 0.0.0.127 0.0.0.0 0.0.0.255
560128000 permit ip 0.0.0.128 0.0.0.127 0.0.0.0 0.0.0.127 time-range permitChild
exit
```

6 ACLs becoming 3 with the same 6 associated binds does save a few resources; the savings may well increase when special cross-VLan rules are added.

acl4VLan0_P500_Local is bound to VLans 2, 3, 4, 7
acl4VLan5_P550_Local is bound to VLan5
acl4VLan6_P560_Local is bound to VLan6

Consider also the following:

BEFORE

```
ip access-list acl4VLan2_P720_InternetIN
720000000 permit ip any 192.168.2.0 0.0.0.255
exit
ip access-list acl4VLan3_P730_InternetIN
730000000 permit ip any 192.168.3.0 0.0.0.255
exit
ip access-list acl4VLan4_P740_InternetIN
740000000 permit ip any 192.168.4.0 0.0.0.255
exit
ip access-list acl4VLan5_P750_InternetIN
750000000 permit ip any 192.168.5.0 0.0.0.127
750128000 permit ip any 192.168.5.128 0.0.0.127 time-range permitChild
exit
ip access-list acl4VLan6_P760_InternetIN
760000000 permit ip any 192.168.6.0 0.0.0.127
760128000 permit ip any 192.168.6.128 0.0.0.127 time-range permitChild
exit
ip access-list acl4VLan7_P770_InternetIN
770000000 permit ip any 192.168.7.0 0.0.0.255
exit
ip access-list acl4VLan8_P780_InternetIN
780000000 permit ip any 192.168.8.0 0.0.0.255
exit
ip access-list acl4VLan9_P790_DenyPrivateOUT
790192168 deny ip any 192.168.0.0 0.0.255.255
exit
ip access-list acl4VLan2_P920_InternetOUT
920000000 permit ip 192.168.2.0 0.0.0.255 any
exit
ip access-list acl4VLan3_P930_InternetOUT
930000000 permit ip 192.168.3.0 0.0.0.255 any
exit
ip access-list acl4VLan4_P940_InternetOUT
940000000 permit ip 192.168.4.0 0.0.0.255 any
exit
ip access-list acl4VLan5_P950_InternetOUT
950000000 permit ip 192.168.5.0 0.0.0.127 any
950128000 permit ip 192.168.5.128 0.0.0.127 any time-range permitChild
exit
ip access-list acl4VLan6_P960_InternetOUT
960000000 permit ip 192.168.6.0 0.0.0.127 any
960128000 permit ip 192.168.6.128 0.0.0.127 any time-range permitChild
exit
ip access-list acl4VLan7_P970_InternetOUT
970000000 permit ip 192.168.7.0 0.0.0.255 any
exit
ip access-list acl4VLan8_P980_InternetOUT
980000000 permit ip 192.168.8.0 0.0.0.255 any
exit
```

AFTER

```
ip access-list acl4VLan0_P700_Internet
700000000 permit ip any 0.0.0.0 0.0.0.255
790192168 deny ip any 0.0.0.0 0.0.0.255
900000000 permit ip 0.0.0.0 0.0.0.255 any
exit
ip access-list acl4VLan0_P705_Internet
705000000 permit ip any 0.0.0.0 0.0.0.127
705128000 permit ip any 0.0.0.128 0.0.0.127 time-range permitChild
790192168 deny ip any 0.0.0.0 0.0.0.255
900000000 permit ip 0.0.0.0 0.0.0.255 any
exit
```

15 access-lists, 21 rules and 21 binds replaced by 2 access-lists, 7 rules (5 unique) and 7 binds represents a significant saving.

AND the rule "790192168 deny ip any 0.0.0.0 0.0.0.255" has fewer potential matches.

NOTE: in the above examples, following the construct that access-lists can be bound to multiple VLans, consider also allowing rules to be bound to multiple access lists.

In the immediately preceding two access-lists, rules 790192168 and 900000000 are reused in both access lists, and in acl4VLan0_P5?0 above rule 550000000 is reused.
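The relative-address idea proposed above, as an added example that is not code from the post or from the switch vendor: a small Python model that resolves the proposed 0.x.x.x form against the invoking VLAN interface address and rewrites a rule the way the BEFORE/AFTER listings do. The expansion rule (keep the bits of the interface address that the wildcard fixes, clear the don't-care bits, OR in the relative address) is my reading of the post, and `expand`, `matches` and `expand_rule` are names chosen here, not switch syntax.

```python
import ipaddress


def _to_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def _to_str(value: int) -> str:
    return str(ipaddress.IPv4Address(value))


def is_relative(addr: str) -> bool:
    # The proposal reuses 0.x.x.x, never a valid on-wire address, as the
    # "VLan double wildcard" marker: resolve it against the invoking interface.
    return (_to_int(addr) >> 24) == 0


def expand(addr: str, wildcard: str, iface: str) -> str:
    """Resolve a relative address against the invoking VLAN interface address.

    Assumed semantics (my reading of the post): clear the wildcard's don't-care
    bits of the interface address, then OR in the relative address, so that
    0.0.0.128/0.0.0.127 seen from 192.168.5.2 becomes 192.168.5.128/0.0.0.127.
    """
    if not is_relative(addr):
        return addr
    wc = _to_int(wildcard)
    fixed = _to_int(iface) & ~wc & 0xFFFFFFFF
    return _to_str(fixed | _to_int(addr))


def matches(ip: str, addr: str, wildcard: str) -> bool:
    """Classic ACL wildcard match: a 1 bit in the wildcard means don't care."""
    care = ~_to_int(wildcard) & 0xFFFFFFFF
    return (_to_int(ip) & care) == (_to_int(addr) & care)


def expand_rule(rule: str, iface: str) -> str:
    """Rewrite 'seq action ip SRC SRCWC DST DSTWC [...]' for one VLAN interface.

    'any' is left alone; everything after the destination pair is kept verbatim.
    """
    tok = rule.split()
    out, i = tok[:3], 3
    for _ in range(2):  # source pair, then destination pair
        if tok[i] == "any":
            out.append("any")
            i += 1
        else:
            out += [expand(tok[i], tok[i + 1], iface), tok[i + 1]]
            i += 2
    return " ".join(out + tok[i:])
```

Running the AFTER rules through `expand_rule` with each VLAN's interface address should reproduce the BEFORE rules, which is a cheap way to review such a feature before trusting it on a real switch.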

Moderator

May 12th, 2025 08:17

Hello, your idea of using a VLan double wildcard address in ACLs to make things easier is really cool. By using addresses like 0.0.0.0/0.0.0.255 to cover ranges within a VLan, you can reduce the number of specific entries needed. This could save resources and make management simpler. Just remember, it needs to be compatible with your network devices and tested for security. Great suggestion! 👍

I can't give specific configuration support, but I hope this helps!

1 Rookie

May 14th, 2025 02:22

Whether or not we ever get to use that feature is up to those designing switch software. Thanks for the positive feedback.
