Lan No Wan

    enable
    conf t

 * Create a new IP ACL called nowan:

    ip access-list extended nowan

 * Start adding rules, in this order. Order of these commands matters!
 * This assumes your local subnet is 192.168.1.0/24 and the DRAC IP is 192.168.1.199.
 * Replace the IP in each command with the IP of your DRAC.

    permit ip host 192.168.1.199 192.168.1.0/24
    deny ip host 192.168.1.199 any

 * Only allow traffic FROM the DRAC IP if it's to the local subnet.

    permit ip 192.168.1.0/24 host 192.168.1.199
    deny ip any host 192.168.1.199

 * Only allow traffic TO the DRAC IP if it's from the local subnet.

    permit ip any any
    exit

 * Finally, let everything else through as normal and exit ACL config.

    int ve 1
    ip access-group nowan in
    exit
    write mem

 * Apply the rule list to the VE 1 interface, in the inbound direction (from the point of view of the VE interface).

You should now still be able to access your DRAC from local machines in the same subnet, but the DRAC can't talk to the internet, and the internet can't talk to it.

In an ACL, packets come into the switch, and it attempts to match each packet to the rules in the list one by one, starting at the top. The first rule that matches decides what happens to the packet (permit or deny); the rules below it are not consulted.

In the ACL rule entry, the first ip/host is the packet source, and the second is the packet destination.

So let's say your DRAC tries to ping a local machine of 192.168.1.5. The switch will start trying to match it in our list of rules, starting at the top:

    (action) (source)              (destination)
    permit ip host 192.168.1.199   192.168.1.0/24
    deny   ip host 192.168.1.199   any
    permit ip 192.168.1.0/24       host 192.168.1.199
    deny   ip any                  host 192.168.1.199
    permit ip any                  any

The first rule matches any packet with a source of 192.168.1.199 (the DRAC IP) and a destination of any IP in the subnet (like the 192.168.1.5 you're pinging), so the packet gets matched to this first rule. The rule is a "permit", so the switch lets the traffic through.

Now let's say the DRAC tries to ping an internet IP of 8.8.8.8 - it won't match the first rule, because the destination of the packet is outside the specified subnet. It will however get matched to the second rule, because the packet SOURCE is still the DRAC IP, and now the packet destination of 8.8.8.8 matches the "destination any" of the second rule. This rule is a deny, so the packet gets dropped.

The next 2 rules are essentially the same, but block traffic in the other direction: external IPs trying to reach the DRAC.

Finally, regular traffic won't match any of the first 4 rules, because it has neither a source nor a destination of the DRAC IP, so it falls through to the last rule, which is a permit.
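As an added example (not part of the original page), a small Python simulator of the first-match walk described above, with the nowan rules constructed inline from the page's addresses; it also shows why the order of the first two rules matters.

```python
import ipaddress

# Constructed copy of the "nowan" ACL from the page, in the same order.
# Each rule is (action, source, destination); "any" matches every address.
DRAC = "192.168.1.199"
LAN = "192.168.1.0/24"

NOWAN_ACL = [
    ("permit", DRAC, LAN),     # DRAC -> local subnet
    ("deny", DRAC, "any"),     # DRAC -> anything else (the internet)
    ("permit", LAN, DRAC),     # local subnet -> DRAC
    ("deny", "any", DRAC),     # anything else -> DRAC
    ("permit", "any", "any"),  # everything that does not involve the DRAC
]


def _matches(spec, addr):
    """True if addr falls within spec: 'any', a single host IP, or a CIDR prefix."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl, src, dst):
    """Walk the ACL top to bottom and return (action, rule_index) of the first
    rule whose source AND destination both match the packet. If no rule
    matches, return ('deny', None), mirroring the implicit deny at the end
    of an ACL."""
    for idx, (action, s, d) in enumerate(acl):
        if _matches(s, src) and _matches(d, dst):
            return action, idx
    return "deny", None


def with_first_two_swapped(acl):
    """Copy of acl with its first two rules exchanged: the broad 'deny DRAC -> any'
    then sits above the narrow 'permit DRAC -> LAN' and shadows it."""
    return [acl[1], acl[0]] + list(acl[2:])


if __name__ == "__main__":
    for src, dst in [(DRAC, "192.168.1.5"), (DRAC, "8.8.8.8"),
                     ("192.168.1.5", DRAC), ("8.8.8.8", DRAC),
                     ("192.168.1.5", "8.8.8.8")]:
        print(f"{src:>15} -> {dst:<15} {evaluate(NOWAN_ACL, src, dst)}")
    print("swapped:", evaluate(with_first_two_swapped(NOWAN_ACL), DRAC, "192.168.1.5"))
```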

The "ip access-group nowan in" applies that list to the VE 1 interface in the IN direction. You can also apply ACLs to interfaces on outbound, but depending on your ACL rule types they might need to be flipped around, since the VE will then be matching traffic from its outbound point of view.

It's typically best practice to do what you can to keep ACLs on inbound only, for a few reasons. A big one is that denied packets get dropped before they make the ASIC do forwarding and routing lookups. This doesn't matter at all in typical applications, but if you start to push the line rate of an ASIC it can save a little capacity. As long as all your traffic is going through the VE (or whatever interface) in one way or another, you can usually accomplish whatever you need on inbound only.