help creating "allow" rule via switch ACL

Hello,

I have a CRS317 I am using as a backbone switch, and I am trying to move some inter-vlan traffic off my poor router using switch ACLs for inter-vlan routing. I was hoping someone could help me come up with an “allow” rule to allow DHCP requests and responses from my TRUSTED network (VLAN ID 10 CIDR 10.0.1.0/24) to my SERVER network (VLAN ID 20 CIDR 10.0.2.0/24).

Although now that I think about this, it might not actually work since there’s no equivalent to “accept established”, right? I was hoping to also use this to keep things like SMB traffic off my router. If switch ACLs aren’t the right tool for this job is there any other way to do it? Can I do full routing between vlans on the switch without a significant performance hit?

Thanks!

Your CRS supports L3HW offloading pretty well. You might want to turn it into a speedy router: it can offload fasttracked connections, so you can use the “normal” IP firewall as well, and with some decent rules it could do wirespeed routing (yup, 10Gbps).

You can use CRS as your core router and use your current router as your border router (carrying only internet-bound traffic and performing NAT etc.)

Okay, sounds like switch ACLs aren’t quite what I’m looking for then. Maybe I will do some routing tests on the CRS then and see what happens. Thanks!

EDIT: Everything I’m seeing on the web says that routing on the CRS317 is ~1Gbps. Has that changed recently?

According to specs, with 25 filter rules, assuming acting as a router, expect routing throughput of approx 400Mbps.

What you need to figure out is which throughput concerns you the most:

a. users to internet - goes through router
b. users from vlanA to vlanB - goes through router
c. users on vlanA to users on vlan A - switch only

It would appear to me the focus should be replacing your router.

You could set it up with the CRS317 as the gateway for both vlanA and vlanB.

The CRS ROUTES packets from vlanA and vlanB to the router (and between vlanA and vlanB).

No firewall rules are needed on the CRS for internet traffic, so it should be L3HW offloaded (with very few, if any, ACLs).

Rules/ACLs are mostly for limiting traffic between vlanA and vlanB.

You can probably enable DHCP relay on the appropriate switch VLANs and have your DHCP server manage the VLAN (remotely).
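As an added example (not posted by anyone in this thread and not a MikroTik reference configuration), the setup the last two replies describe, written out as RouterOS 7 CLI for a CRS317: the switch becomes the gateway for both VLANs, routing is pushed to the switch chip with L3HW offloading, established flows are fasttracked with hardware offload so the IP firewall still applies to new connections, and DHCP for the TRUSTED VLAN is relayed to a server on the SERVER VLAN. Port assignments (ether1 as the trunk to the existing router, ether2/ether3 as access ports), the gateway addresses 10.0.1.1 and 10.0.2.1, the DHCP server address 10.0.2.10 and the SMB rule are all assumptions for illustration; the VLAN IDs and subnets are the ones from the original question.

```routeros
# Added example, not from the thread. Assumed: ether1 = tagged trunk toward the
# border router, ether2 = access port in VLAN 10, ether3 = access port in VLAN 20.

# Bridge with VLAN filtering; bridge1 itself is tagged so the CPU can own both VLANs
/interface bridge
add name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 pvid=10
add bridge=bridge1 interface=ether3 pvid=20
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1 untagged=ether3 vlan-ids=20

# L3 interfaces: the CRS is now the gateway for TRUSTED (10) and SERVER (20)
/interface vlan
add interface=bridge1 name=vlan10-trusted vlan-id=10
add interface=bridge1 name=vlan20-server vlan-id=20
/ip address
add address=10.0.1.1/24 interface=vlan10-trusted
add address=10.0.2.1/24 interface=vlan20-server

# Hand routing to the switch chip (L3HW) on the switch and on every port
/interface ethernet switch
set switch1 l3-hw-offloading=yes
/interface ethernet switch port
set [find] l3-hw-offloading=yes

# Relay DHCP from the TRUSTED VLAN to the server on the SERVER VLAN
# (assumed server address 10.0.2.10); this replaces the "allow DHCP" ACL idea
/ip dhcp-relay
add name=relay-trusted interface=vlan10-trusted dhcp-server=10.0.2.10 \
    local-address=10.0.1.1 disabled=no

# Inter-VLAN policy lives in the normal IP firewall. Only the first packet of a
# connection is inspected by the CPU; once accepted, the established flow is
# fasttracked with hw-offload=yes and forwarded by the switch chip.
/ip firewall filter
add chain=forward action=fasttrack-connection hw-offload=yes \
    connection-state=established,related comment="offload established flows"
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=vlan10-trusted \
    out-interface=vlan20-server protocol=tcp dst-port=445 \
    comment="SMB from TRUSTED to SERVER stays off the border router"
add chain=forward action=drop in-interface=vlan20-server \
    out-interface=vlan10-trusted comment="SERVER may not initiate to TRUSTED"
```

The ordering matters: the fasttrack rule must sit before the generic accept so that returning packets of an already-accepted connection are marked for offload rather than just accepted in software. The trunk toward the existing router is left unfiltered, matching the reply above that internet-bound traffic needs no rules on the CRS. The exact throughput you get with hardware-offloaded fasttrack depends on the RouterOS version and on how much traffic still has to reach the CPU (new connections, relayed DHCP), so verify it with a test between the two VLANs before relying on the wirespeed figure quoted earlier in the thread.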