ExtremeSwitching (EXOS)

  • 1.  Allow DHCP and DNS through ACL for vLans

    Posted 05-03-2016 15:49
    I have 4 VLANs:
    Uplink, Mobile, Portal, NAT

    The Nat VLAN is the location of my DHCP and DNS server.

    I want to create ACL policies that keep the Mobile, Portal, and Nat VLANs from talking to each other, but if I do, it breaks DHCP for the Portal and Mobile clients.

    Can I create ACL policies to block all traffic but DHCP and DNS from Portal and Mobile to the Nat VLAN?

    Side note: all of them need to be allowed through the uplink.

    Thanks


  • 2.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-03-2016 18:06
    Please send a "show VLAN". Thanks.


  • 3.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-03-2016 18:06
    Total
    -----------------------------------------------------------------------------------------------
    Nat 1 10.80.100.3 /22 -f----------T---------------- ANY 17/33 VR-Default
    DIS-Uplink 201 192.168.100.1 /30 -f--------------------------- ANY 1 /1 VR-Default
    JCSD-Mobile 20 10.20.100.3 /22 -f--------------------------- ANY 8 /8 VR-Default
    Mgmt 4095 ------------------------------------------------- ANY 0 /1 VR-Mgmt
    User-Portal 25 10.25.100.3 /22 -f--------------------------- ANY 8 /8 VR-Default
    -----------------------------------------------------------------------------------------------



  • 4.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-03-2016 19:18
    So, I got pulled into something else and haven't had a chance to test this, but you could try the configuration below. I think the permit-to-DHCP ACL applied to the Mobile and Portal VLANs' ingress should not be necessary (the DHCP request is a broadcast destined to the gateway, which, assuming you have bootprelay configured -- you do need to do that -- is then directed by the switch to the DHCP server in the Nat VLAN), but it is not going to hurt. Again, I haven't tested this, so please test it before deploying it in production.

    create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
    create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
    create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
    create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
    create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
    create access-list permfromdns "protocol udp; source-port 53" "permit"
    create access-list permfromdhcp "protocol udp; source-port 67" "permit"

    config access-list add denytoMobile last vlan Nat ingress
    config access-list add denytoPortal last vlan Nat ingress
    config access-list add permfromdns first vlan Nat ingress
    config access-list add permfromdhcp first vlan Nat ingress

    config access-list add denytoNat last vlan JCSD-Mobile ingress
    config access-list add denytoPortal last vlan JCSD-Mobile ingress
    config access-list add permtodns first vlan JCSD-Mobile ingress
    config access-list add permtodhcp first vlan JCSD-Mobile ingress

    config access-list add denytoNat last vlan User-Portal ingress
    config access-list add denytoMobile last vlan User-Portal ingress
    config access-list add permtodns first vlan User-Portal ingress
    config access-list add permtodhcp first vlan User-Portal ingress


  • 5.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    OK, I tried it and it all worked like it should!! Awesome. Now, what if I had a printer on the JCSD-Mobile VLAN that I needed the Nat VLAN to be able to print to? The IP address of said printer is 10.20.100.181/22. I am also going to have a VLAN for our new camera system that I don't want to have access to the internet. It will be called Cameras and will have an IP range of 10.30.100.0/22. I think I can figure out how to add it from the above, but I don't want it to be able to go out the uplink VLAN. This is what I have now:

    create access-list denytoNat "destination-address 10.80.100.0/22" "deny"
    create access-list denytoMobile "destination-address 10.20.100.0/22" "deny"
    create access-list denytoPortal "destination-address 10.25.100.0/22" "deny"
    create access-list denytoCameras "destination-address 10.30.100.0/22" "deny"

    create access-list permtodns "destination-address 10.80.100.0/22; protocol udp; destination-port 53" "permit"
    create access-list permtodhcp "destination-address 10.80.100.0/22; protocol udp; destination-port 67" "permit"
    create access-list permfromdns "protocol udp; source-port 53" "permit"
    create access-list permfromdhcp "protocol udp; source-port 67" "permit"

    Nat VLAN:
    config access-list add denytoMobile last vlan Nat ingress
    config access-list add denytoPortal last vlan Nat ingress
    config access-list add denytoCameras last vlan Nat ingress
    config access-list add permfromdns first vlan Nat ingress
    config access-list add permfromdhcp first vlan Nat ingress

    JCSD-Mobile VLAN:
    config access-list add denytoNat last vlan JCSD-Mobile ingress
    config access-list add denytoPortal last vlan JCSD-Mobile ingress
    config access-list add denytoCameras last vlan JCSD-Mobile ingress
    config access-list add permtodns first vlan JCSD-Mobile ingress
    config access-list add permtodhcp first vlan JCSD-Mobile ingress

    User-Portal VLAN:
    config access-list add denytoNat last vlan User-Portal ingress
    config access-list add denytoMobile last vlan User-Portal ingress
    config access-list add denytoCameras last vlan User-Portal ingress
    config access-list add permtodns first vlan User-Portal ingress
    config access-list add permtodhcp first vlan User-Portal ingress

    Cameras VLAN:
    config access-list add denytoNat last vlan Cameras ingress
    config access-list add denytoMobile last vlan Cameras ingress
    config access-list add denytoPortal last vlan Cameras ingress
    config access-list add permtodns first vlan Cameras ingress
    config access-list add permtodhcp first vlan Cameras ingress





  • 6.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    This configuration still allows devices in Cameras to reach DIS-Uplink, which I can only assume is the means to the internet. If I understand you correctly, you want devices in Cameras to only be able to reach themselves, DNS, and DHCP. For this I would do something like:

    create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"

    create access-list dall " " "deny"

    config access-list add inCameras first vlan Cameras ingress
    config access-list add permtodns last vlan Cameras ingress
    config access-list add dall last vlan Cameras ingress

    Notice I did not use permtodhcp. I did some testing, and with DHCP relay properly configured you should not have to use permtodhcp at all on any VLAN (you still need permfromdhcp).

    Now with respect to the printer, I forget my printer protocols, but you should be able to get by with this broader permit:

    create access-list permtoprinter "destination-address 10.20.100.181/32" "permit"

    Then add the permtoprinter access-list first to all VLANs ingress.

    Then:

    create access-list permfromprinter "source-address 10.20.100.181/32" "permit"

    config access-list add permfromprinter first vlan JCSD-Mobile ingress



  • 7.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    Obviously, you may want to refine the permfromprinter/permtoprinter ACL lines to include the protocol and source/destination port number for the printer protocol.


  • 8.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    Would this:

    create access-list inCameras "source-address 10.30.100.0/22; destination-address 10.30.100.0/22" "permit"

    create access-list dall " " "deny"

    config access-list add inCameras first vlan Cameras ingress
    config access-list add permtodns last vlan Cameras ingress
    config access-list add dall last vlan Cameras ingress

    keep the camera VLAN from talking with all other VLANs? I would want them on their own completely.



  • 9.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    That was the intention. But I should have added lines allowing ARP and broadcasts.

    create access-list pbcast "ethernet-destination-address ff:ff:ff:ff:ff:ff" "permit"
    create access-list parp "ethernet-type 0x0806" "permit"

    config access-list add pbcast first vlan Cameras ingress
    config access-list add parp first vlan Cameras ingress

    Sorry about that. Again, you want to test all of this in a lab or on a lab switch.
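
    To check the rule ordering before it touches a production switch, here is an added example (not code from this thread or from Extreme): a small Python model of the dynamic ACL semantics the replies rely on. It assumes the EXOS behaviour stated in its docstring (rules checked top to bottom with first match winning, "first"/"last" insertion positions, permit when nothing matches), which the thread itself does not spell out, and it feeds the rules constructed packet descriptions rather than captured traffic. The rule names and addresses are the ones posted above; the Cameras list is the one from replies 6 and 9, which replaces the reply-5 version, and the printer permits are applied as reply 6 describes.

```python
"""Offline model of how EXOS evaluates dynamic ACLs on a VLAN's ingress list.
Added example, not code from the thread or from Extreme. Assumed EXOS behaviour
(from the ACL documentation, not stated in the thread): rules are checked top to
bottom and the first match wins; "first" puts a rule at the top of the list and
"last" at the bottom; a packet matching no rule is forwarded (default permit)."""
import ipaddress

ACLS = {}        # rule name -> (conditions dict, action)
VLAN_RULES = {}  # VLAN name -> ordered rule names applied at ingress


def create_access_list(name, conditions, action):
    """Models: create access-list <name> "<cond>; <cond>" "<action>"."""
    conds = {}
    for item in conditions.split(";"):
        if item.strip():
            key, value = item.split(None, 1)
            conds[key] = value.strip()
    ACLS[name] = (conds, action)


def configure_access_list_add(name, position, vlan):
    """Models: config access-list add <name> first|last vlan <vlan> ingress."""
    rules = VLAN_RULES.setdefault(vlan, [])
    if position == "first":
        rules.insert(0, name)
    else:
        rules.append(name)


def _matches(conds, pkt):
    """True when every match condition of a rule holds for the packet."""
    for key, value in conds.items():
        if key in ("source-address", "destination-address"):
            field = "src" if key == "source-address" else "dst"
            if field not in pkt or ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(value):
                return False
        elif key == "protocol" and pkt.get("proto") != value:
            return False
        elif key in ("source-port", "destination-port"):
            if pkt.get("sport" if key == "source-port" else "dport") != int(value):
                return False
        elif key == "ethernet-type" and pkt.get("ethertype") != int(value, 16):
            return False
        elif key == "ethernet-destination-address" and pkt.get("dst_mac", "").lower() != value.lower():
            return False
    return True


def evaluate(vlan, pkt):
    """Return (action, rule name) for a packet entering vlan; rule is None on default permit."""
    for name in VLAN_RULES.get(vlan, []):
        conds, action = ACLS[name]
        if _matches(conds, pkt):
            return action, name
    return "permit", None


def build_thread_config():
    """Apply the rules as posted in replies 5, 6 and 9, in that order."""
    ACLS.clear()
    VLAN_RULES.clear()
    for name, conds, action in [
        ("denytoNat", "destination-address 10.80.100.0/22", "deny"),
        ("denytoMobile", "destination-address 10.20.100.0/22", "deny"),
        ("denytoPortal", "destination-address 10.25.100.0/22", "deny"),
        ("denytoCameras", "destination-address 10.30.100.0/22", "deny"),
        ("permtodns", "destination-address 10.80.100.0/22; protocol udp; destination-port 53", "permit"),
        ("permtodhcp", "destination-address 10.80.100.0/22; protocol udp; destination-port 67", "permit"),
        ("permfromdns", "protocol udp; source-port 53", "permit"),
        ("permfromdhcp", "protocol udp; source-port 67", "permit"),
        ("inCameras", "source-address 10.30.100.0/22; destination-address 10.30.100.0/22", "permit"),
        ("dall", " ", "deny"),
        ("pbcast", "ethernet-destination-address ff:ff:ff:ff:ff:ff", "permit"),
        ("parp", "ethernet-type 0x0806", "permit"),
        ("permtoprinter", "destination-address 10.20.100.181/32", "permit"),
        ("permfromprinter", "source-address 10.20.100.181/32", "permit"),
    ]:
        create_access_list(name, conds, action)
    # Reply 5: deny lists appended "last", DNS/DHCP permits inserted "first".
    denies = {"Nat": ["denytoMobile", "denytoPortal", "denytoCameras"],
              "JCSD-Mobile": ["denytoNat", "denytoPortal", "denytoCameras"],
              "User-Portal": ["denytoNat", "denytoMobile", "denytoCameras"]}
    for vlan, rules in denies.items():
        for rule in rules:
            configure_access_list_add(rule, "last", vlan)
        for rule in (["permfromdns", "permfromdhcp"] if vlan == "Nat" else ["permtodns", "permtodhcp"]):
            configure_access_list_add(rule, "first", vlan)
    # Reply 6: Cameras gets an explicit deny-all; the printer permit goes first on every VLAN.
    configure_access_list_add("inCameras", "first", "Cameras")
    configure_access_list_add("permtodns", "last", "Cameras")
    configure_access_list_add("dall", "last", "Cameras")
    for vlan in ("Nat", "JCSD-Mobile", "User-Portal", "Cameras"):
        configure_access_list_add("permtoprinter", "first", vlan)
    configure_access_list_add("permfromprinter", "first", "JCSD-Mobile")
    # Reply 9: ARP and broadcast permits inserted ahead of the deny-all on Cameras.
    configure_access_list_add("pbcast", "first", "Cameras")
    configure_access_list_add("parp", "first", "Cameras")


def ip(src, dst, proto="tcp", sport=40000, dport=80):
    """Constructed IPv4 packet description (not captured traffic)."""
    return {"ethertype": 0x0800, "src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


if __name__ == "__main__":
    build_thread_config()
    print(evaluate("Nat", ip("10.80.100.10", "10.20.100.5", "udp", 53, 445)))
```

    Run against the posted rules, the model confirms the flows the thread set out to get: a Portal client reaching the Nat DNS server on UDP/53 hits permtodns, the same client reaching anything else in Nat hits denytoNat, a camera going to 8.8.8.8 hits dall, and a camera's DHCP discover (destination MAC ff:ff:ff:ff:ff:ff) is let through by pbcast. It also shows two consequences of the rules as written that are worth checking against your intent: permfromdns on the Nat ingress matches on UDP source port only, so any UDP packet a Nat host sends with source port 53 reaches Mobile or Portal whatever its destination port; and putting permtoprinter first on every VLAN, Cameras included, lets the cameras reach the printer in JCSD-Mobile ahead of dall.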


  • 10.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    This has all worked great. I can't test the cameras as I don't have the system installed yet, but I have stored all this information. Thanks to you I now have my network segregated like it is supposed to be. I am going to throw one more at you. What if you wanted to deny traffic to and from a public IP, say Google's 8.8.8.8? I'm just using that as an example, but what if you did?



  • 11.  RE: Allow DHCP and DNS through ACL for vLans

    Posted 05-04-2016 11:25
    You would simply create a deny line for that particular address and then apply it to the VLANs which have internet access, for example:

    create access-list deny8888 "destination-address 8.8.8.8/32" "deny"

    config access-list add deny8888 first vlan {VLAN} ingress