Policy to deny access to internal networks but allow access externally not working

  • 21 May 2018
  • 5 replies
  • 1023 views

Userlevel 3
Working with Exos, S-series router and Policy Manager.

Currently working with a customer, and I've setup a policy to deny 10.0.0.0/8 but allow 10.0.0.0/24. Precedence shows this should work. I also have allow DNS, DHCP and ARP. In the past with EOS, allow ARP allows the workstation to access the network via the gateway. I believe the workstation just arps up its gateway and uses the mac address for network access. I can't get that to work on EXOS. I've setup a rule to allow to the mac address of the s-series and that works, however I'm able to access everything on the 10 network that I've setup as a deny. Same result when I just allow the IP address of the gateway of the workstation (10.190.0.1). Has anybody setup this type of scenario with EXOS? I've got a case open, and they are looking at the switching side of things being the cause. I've upgraded to the latest code on the EXOS and still doesn't work. Just seeing if anybody else has run into this before and if there is a solution before I go down the ACL road. Thanks.

5 replies

Userlevel 2
Hi Brian, could you share the ACL that you have applied. #show policy
Userlevel 3
I don't have ACLs currently in place. That is probably the solution I'll have to go with, unfortunately. Haven't heard any progress from GTAC side yet.
Userlevel 3
FYI, received a response from GTAC, v22.5.1.7 is supposed to work. I haven't had a chance to test yet.

We are on v22.6.1.4-patch 1.  Trying to get the same sort of policy set up that allows PCs to get to the internet but not the internal networks (for some IoT types).  This thread looked promising but there is no solution posted.  Did you ever get this to work?  If so - please share :grin:

 

Userlevel 3

Not sure. The customer never got back with me on the test switch we were working with. However GTAC had tested with the updated firmware successfully.  Sometimes the firmware bug fixes don’t make it across firmware forks immediately. I would try the 22.5.1.7 latest patch and see if that works for you.

On your policy I would block all internal network access and just allow ports such as DHCP and DNS, that should get you internet access without internal access. 

Reply