ExtremeSwitching (EXOS)

Troubleshoot an RDP ACL

Abhishek Potdar posted 05-11-2022 01:16
Hello All,

I am trying to create an ACL where certain subnets can RDP (port 3389) into a different subnet's hosts, while other devices can't RDP to that subnet. I am pasting the ACL I have created. Basically, the 10.8.7.X subnet should be able to RDP into the 10.18.111.X subnet using port 3389, while other subnets should get denied.
I have applied the policy to the uplink port along with the 10.18.111.X VLAN but with no luck; it seems like the policy is ignoring my deny rules. What am I missing here?

Policies at Policy Server:
Policy: rdp
entry RDP-allow {
    if match all {
        source-address 10.8.7.0/24 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        permit ;
    }
}
entry default-deny {
    if match all {
        source-address 0.0.0.0/0 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        deny ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once
Christopher Thompson
Hi,

Can you apply counters to both ACLs and then "refresh policy <policy name>"?

That will show which rule they are hitting. ACLs are done in hardware, so generally we see that the traffic isn't flowing how we think it is rather than ACLs ignoring entries/deny statements.

Thanks,
Chris Thompson
Abhishek Potdar
Updated the policy to add counters:
entry rDP-allow {
    if match all {
        source-address 10.8.7.0/24 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        permit ;
        count allow_acl ;
    }
}
entry default-deny {
    if match all {
        source-address 0.0.0.0/0 ;
        destination-address 10.18.111.0/24 ;
        protocol tcp ;
        source-port tcp ;
        destination-port 3389 ;
    }
    then {
        deny ;
        count deny_acl ;
    }
}
Number of clients bound to policy: 1
Client: acl bound once

Applied the policy to any port and any VLAN, yet the counter number is not increasing?

DR-Core.4 # show access-list
Vlan Name   Port   Policy Name   Dir       Rules   Dyn Rules
===================================================================
*           *      rdp           ingress   2       0
*           *      rdp           egress    2       0

DR-Core.4 # show access-list counter
Policy Name   Vlan Name   Port   Direction
Counter Name               Packet Count   Byte Count
==================================================================
rdp           *           *      ingress
allow_acl                  0
deny_acl                   0


Adrian Orellana
I don't think that "source-port tcp;" is correct. The "protocol tcp;" condition is sufficient.
Gabriel_G
Hello,

source-port tcp is not a valid match condition. You can find all possible match conditions and their inputs in the EXOS User Guide, page 769:
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf
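The replies above point at the root cause: `source-port tcp ;` is not a valid match condition, so the policy never matches as written and neither counter moves. The following checker is an added example (it is not Extreme's code and not part of this thread); it parses an EXOS-style policy and flags match values that cannot be valid. The grammar it accepts is an assumption limited to the five conditions used in the posted policy (source-address, destination-address, protocol, source-port, destination-port), with port values as a number or `a - b` range, addresses as CIDR prefixes and protocol as a name or number; the EXOS User Guide linked above is the authority for the real rule set. It runs on the posted policy and on a corrected copy with the `source-port` lines removed.

```python
"""Validate match conditions in an EXOS-style ACL policy (added example,
not Extreme's tool). Accepted conditions and value formats are an
assumption limited to those used in the thread, not the full EXOS grammar."""
import ipaddress
import re

PORT_CONDITIONS = {"source-port", "destination-port"}
ADDRESS_CONDITIONS = {"source-address", "destination-address"}
KNOWN_CONDITIONS = PORT_CONDITIONS | ADDRESS_CONDITIONS | {"protocol"}
PROTOCOL_NAMES = {"tcp", "udp", "icmp"}  # assumption: common names only

ENTRY_RE = re.compile(r"^entry\s+(\S+)\s*\{$")
COND_RE = re.compile(r"^(\S+)\s+(.+?)\s*;$")


def parse_policy(text):
    """Return {entry_name: {"match": [(condition, value)], "actions": [str]}}."""
    entries, current, section = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1), {"match": [], "actions": []})
            continue
        if current is None:
            continue  # text outside any entry, e.g. "Policy: rdp"
        if line.startswith("if match"):
            section = "match"
        elif line.startswith("then"):
            section = "actions"
        elif line == "}":
            if section is None:  # a "}" outside match/then closes the entry
                current = None
            section = None
        elif section == "match":
            m = COND_RE.match(line)
            if m:
                current["match"].append((m.group(1), m.group(2)))
        elif section == "actions":
            current["actions"].append(line.rstrip(";").strip())
    return entries


def _valid_port(value):
    # A single port or a "low - high" range, each 0..65535 (assumed format).
    parts = [p.strip() for p in value.split("-")]
    return len(parts) in (1, 2) and all(
        p.isdigit() and 0 <= int(p) <= 65535 for p in parts)


def _valid_address(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def _valid_protocol(value):
    return value.lower() in PROTOCOL_NAMES or (
        value.isdigit() and 0 <= int(value) <= 255)


def validate_policy(text):
    """Return a list of human-readable problems; an empty list means clean."""
    errors = []
    for name, entry in parse_policy(text).items():
        for cond, value in entry["match"]:
            if cond in PORT_CONDITIONS and not _valid_port(value):
                errors.append(f"{name}: {cond} '{value}' is not a port number or range")
            elif cond in ADDRESS_CONDITIONS and not _valid_address(value):
                errors.append(f"{name}: {cond} '{value}' is not a CIDR prefix")
            elif cond == "protocol" and not _valid_protocol(value):
                errors.append(f"{name}: protocol '{value}' is not a name or number")
            elif cond not in KNOWN_CONDITIONS:
                errors.append(f"{name}: condition '{cond}' not known to this checker")
        if not entry["actions"]:
            errors.append(f"{name}: then block has no action")
    return errors


# Policy as posted in the thread (the version with counters).
POSTED_POLICY = """
entry rDP-allow {
if match all {
source-address 10.8.7.0/24 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
permit ;
count allow_acl ;
}
}
entry default-deny {
if match all {
source-address 0.0.0.0/0 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
deny ;
count deny_acl ;
}
}
"""

# Same policy with the invalid "source-port tcp ;" lines dropped.
CORRECTED_POLICY = "\n".join(
    ln for ln in POSTED_POLICY.splitlines() if not ln.startswith("source-port"))

if __name__ == "__main__":
    for label, policy in (("posted", POSTED_POLICY), ("corrected", CORRECTED_POLICY)):
        print(f"{label}: {validate_policy(policy) or 'no errors'}")
```

The corrected copy keeps `destination-address 10.18.111.0/24` in the deny entry, as the updated policy in the thread does; without it the deny would drop every TCP/3389 flow passing the switch, not only RDP into that subnet. Once the policy loads, the counters Chris suggested are the right check that traffic is actually hitting the entries.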