ExtremeSwitching (EXOS)

  • 1.  ACL

    Posted 09-27-2018 15:31

    We don't allow non-company owned assets from connecting to our network, but have a need to allow a vendor to connect to our network for the purpose of managing our phone system. When we had our Cisco switches, I would allow access to that subnet but then block all RFC1819 addresses. I'm having trouble doing that with our new Summit switches.

    I used the following as a guide to build my configuration as such.

    entry PermitVendor {
        if match all {
            destination-address ;
        } then {
            permit ;
        }
    }
    entry DenyRFC1817 {
        if match any {
            destination-address ;
            destination-address ;
            destination-address ;
        } then {
            deny ;
        }
    }

    This policy doesn't work. There are 2 issues.

    First, this policy doesn't pass muster because it has multiple destination-address statements. How can I use as few lines of code as possible to achieve my goal of denying all private address communications?

    Secondly, if I tell it to block my permit policy from above doesn't work. It works if I deny to I can only assume that I'm permitting the but then immediately denying it with the

    Third, I didn't outline this here, but I need them to get to the Internet, which means they need to use my internal DNS. So I need to create another rule that will allow port 53 traffic to my DNS hosts.


  • 2.  RE: ACL

    Posted 09-27-2018 15:55
    For your first question, you'll need to split all the RFC 1918 subnets into separate entries. For example:
    entry PermitVendor {
        if {
            destination-address ;
        } then {
            permit ;
        }
    }
    entry Deny192 {
        if {
            destination-address ;
        } then {
            deny ;
        }
    }
    entry Deny172 {
        if {
            destination-address ;
        } then {
            deny ;
        }
    }
    entry Deny10 {
        if {
            destination-address ;
        } then {
            deny ;
        }
    }
    For your second question, it should work as long as you have the more specific permit before more general deny. The third point is the same, just make sure the port 53 permit is before the denies.
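    The ordering rule in the reply above, shown as an added simulation (not code from this thread or from EXOS): a first-match walk over constructed entries, with placeholder vendor subnet, DNS host and an assumed implicit permit when nothing matches, so the same packet is permitted or denied depending only on where the specific entries sit relative to the RFC 1918 denies.

```python
# Added example (not from the thread): first-match evaluation of an EXOS-style
# ACL policy, to show why the specific permits must precede the RFC 1918 denies.
# Subnets and the DNS host below are constructed placeholders, not the poster's.
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Entry:
    name: str
    action: str                                   # "permit" or "deny"
    dst: Optional[ipaddress.IPv4Network] = None   # destination-address
    protocol: Optional[str] = None                # e.g. "udp"
    dst_port: Optional[int] = None                # destination-port

    def matches(self, dst_ip: str, protocol: str, dst_port: Optional[int]) -> bool:
        if self.dst is not None and ipaddress.ip_address(dst_ip) not in self.dst:
            return False
        if self.protocol is not None and protocol != self.protocol:
            return False
        if self.dst_port is not None and dst_port != self.dst_port:
            return False
        return True

def evaluate(policy, dst_ip, protocol="tcp", dst_port=None, default="permit"):
    """Return (entry name, action) of the first matching entry.
    A packet matching no entry gets `default` (assumed implicit permit)."""
    for entry in policy:
        if entry.matches(dst_ip, protocol, dst_port):
            return entry.name, entry.action
    return "implicit", default

N = ipaddress.ip_network
PERMITS = [
    Entry("PermitVendor", "permit", N("192.168.50.0/24")),         # phone subnet (placeholder)
    Entry("PermitDNS", "permit", N("192.168.1.10/32"), "udp", 53),  # internal DNS (placeholder)
]
DENIES = [
    Entry("Deny10", "deny", N("10.0.0.0/8")),
    Entry("Deny172", "deny", N("172.16.0.0/12")),
    Entry("Deny192", "deny", N("192.168.0.0/16")),
]

def build_policy(specific_first: bool):
    """Correct order: permits then denies. Wrong order: denies first."""
    return PERMITS + DENIES if specific_first else DENIES + PERMITS

if __name__ == "__main__":
    good, bad = build_policy(True), build_policy(False)
    print(evaluate(good, "192.168.50.5"))               # ('PermitVendor', 'permit')
    print(evaluate(bad, "192.168.50.5"))                # ('Deny192', 'deny')
    print(evaluate(good, "192.168.1.10", "udp", 53))    # ('PermitDNS', 'permit')
    print(evaluate(good, "192.168.1.10", "tcp", 3389))  # ('Deny192', 'deny')
```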

  • 3.  RE: ACL

    Posted 09-27-2018 17:39
    Ok, I suspected as much. I've done this but noticed a few things. I can still ping devices on my subnet and somehow DNS is still working while it is looking to servers in the 192.168.1.x subnet.

    I've confirmed I can't pull up web pages or even RDP into devices on the 192.168.1.x subnet. Why do some things seem to work without an implicit allow? I'd prefer nothing work without a deny.

    I'm applying this ACL to a specific port as an ingress (I also tried as egress just for the fun of it).

    Side note (should anyone else come after me), I found this useful: https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Python/IOStoPolicy