ACL conversion sanity check please.

Question (Answered)
Updated 4 years ago
I'm new to Extreme core switches, I've used their edge products for years but usually in one off iSCSI deployments or more recently for limited AVB deployments.

We're replacing our HP Procurve cores with 8810s and I'd like someone to take a quick look at this ACL I'm converting and point out anything I'm missing, this is my first time dealing with Extreme's ACL usage.

We have a learning center that needs access to internal DNS, KMS and then access to the internet, while blocking access to all other internal corporate resources.

Here's the HP ACL:
ip access-list extended "100"
10 permit tcp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0 eq 1688
10 remark "Allow LC to KMS server on DC2"
20 permit tcp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
20 remark "Allow LC to tcp DNS on DC1"
30 permit udp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
30 remark "Allow LC to udp DNS on DC1"
40 permit icmp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0
40 remark "Allow ping to DC2 LC"
50 permit icmp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0
50 remark "Allow ping to DC1 from LC"
60 permit ip 172.17.0.0 0.0.255.255 172.16.0.249 0.0.0.0
60 remark "Allow LC to Fortigate internal"
80 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
80 remark "Block LC from local corp network"
90 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
90 remark "Block LC from remote corp networks"
110 permit ip 172.17.0.0 0.0.255.255 0.0.0.0 255.255.255.255
110 remark "Allow LC out to the internet"
exit
and here's the Extreme version, which I think is right:

entry permit_ICMP_dc1 {
	if match all {
			source-address 		172.17.0.0/16;
			protocol 		ICMP;
			destination-address	172.16.5.55/32;
		} then {
			permit;
		}
	}
entry permit_ICMP_dc2 {
	if match all {
			source-address 		172.17.0.0/16;
			protocol 		ICMP;
			destination-address	172.16.5.40/32;
		} then {
			permit;
		}
	}
entry permit_TCPDNS_dc1 {
	if match all { 
			source-address 		172.17.0.0/16;
			protocol 		TCP;
			destination-address	172.16.5.55/32;
			destination-port	        53;
		} then {
			permit;
		}
	}
entry permit_TCPDNS_dc2 {
	if match all { 
			source-address 		172.17.0.0/16;
			protocol 		TCP;
			destination-address	172.16.5.40/32;
			destination-port	        53;
		} then {
			permit;
		}
	}
entry permit_UDPDNS_dc1 {
	if match all { 
			source-address 		172.17.0.0/16;
			protocol 		UDP;
			destination-address	172.16.5.55/32;
			destination-port	        53;
		} then {
			permit;
		}
	}
entry permit_UDPDNS_dc2 {
	if match all { 
			source-address 		172.17.0.0/16;
			protocol 		UDP;
			destination-address	172.16.5.40/32;
			destination-port	        53;
		} then {
			permit;
		}
	}
entry permit_KMS_dc2 {
	if match all {
			source-address 		172.17.0.0/16;
			protocol 		TCP;
			destination-address	172.16.5.40/32;
			destination-port	        1688;
		} then {
			permit;
		}
	}
entry permit_IP_FG600C {
	if match all {
			source-address 		172.17.0.0/16;
			protocol 		IP;
			destination-address	172.16.0.249/32;
		} then {
			permit;
		}
	}
entry deny_LC_localcorp {
	if match all {
			source-address		172.17.0.0/16;
			protocol 		IP;
			destination-address	172.16.0.0/16;
		} then {
			deny;
		}
	}
entry deny_LC_remotecorp {
	if match all {
			source-address		172.17.0.0/16;
			protocol 		IP;
			destination-address	10.0.0.0/8;
		} then {
			deny;
		}
	}
entry permit_LC_internet {
	if match all {
			source-address		172.17.0.0/16;
			protocol 		IP;
			destination-address	0.0.0.0/0;
		} then {
			permit;
		}
	}

Did I miss anything?  Will this work ok?

Thanks!
Ron Prague

Posted 4 years ago

Paul Russo, Alum
Hey Ron

At first pass I would say you got it all right.  One suggestion I would make is to add a counter to each ACL statement so that you can see if traffic is hitting it.  It is good for troubleshooting the policy.  Just add count <counter name>;

Also remember that we look at ACLs on Ingress by default, so when you assign this policy remember to make sure your traffic pattern is in the direction of the Source/Destination IP or Port number.  Lastly we have an implicit permit so if you do not deny we will forward.

Let us know how it goes.

P
Ron Prague
This is how the ACL is applied (on both core switches):
configure access-list learningcenter vlan "LC" ingress


One more thing, the final statement:
entry permit_LC_internet {
	if match all {
		source-address		172.17.0.0/16;
		destination-address	0.0.0.0/0;
	} then {
		permit;
	}
}

Isn't necessary then because there is an implicit permit at the end of the ACL?

Extreme ACLs are still done top-down processing I assume?
Andrew Maldonado, Extreme Alumnus
Ron,

"IP" is an invalid protocol match condition. Once removing protocol IP as a match condition from the last 4 entries the policy check cleared.

After creating the policy file the "check policy <policy_name>" command can be used to verify the syntax is correct.

Please let me know if there are any questions or concerns.


Andrew
Ron Prague
Thanks Andrew, I found that out about an hour after I posted this by using the check policy command.
Daniel Flouret, Employee
I may be wrong but if you just use
entry permit_ICMP_dc1 {
    if match all {
            source-address         172.17.0.0/16;
            protocol         ICMP;
            destination-address    172.16.5.55/32;
        } then {
            permit;
        }
    }
and then end with a  "permit all" entry
entry permit_LC_internet {
    if match all {
        source-address        172.17.0.0/16;
        destination-address    0.0.0.0/0;
    } then {
        permit;
    }
}
then the first entry is unnecessary.

After all, without it, the ICMP traffic would have still been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

entry permit_ICMP_dc1 {
    if match all {
            source-address         172.17.0.0/16;
            protocol         ICMP;
            destination-address    172.16.5.55/32;
        } then {
            permit;
        }
    }
entry deny_All_dc1 {
    if match all {
            destination-address    172.16.5.55/32;
        } then {
            deny;
        }
    }


This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then, permit the rest...

Or am I missing something?
Ron Prague
There's an entry in the middle that denies all traffic from 172.17.0.0/16 to 172.16.0.0/16, except for the rules we matched earlier (DNS, ICMP and KMS)

entry deny_LC_localcorp {
	if match all {
			source-address		172.17.0.0/16;
			destination-address	172.16.0.0/16;
		} then {
			deny;
		}
	}
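As an added sanity check (this is not part of the thread and not ExtremeXOS code), here is a small Python model of the converted policy: it evaluates constructed sample flows top-down, first match wins, with the implicit action as a parameter, so you can see both Paul's point about Extreme's implicit permit and Daniel's point about when a leading permit entry is redundant. It follows the Extreme version posted above rather than the HP ACL (note the Extreme version also carries TCP/UDP DNS entries for 172.16.5.40 that the HP ACL does not have), with "protocol IP" left off as Andrew advises. The sample addresses, the flow list and the helper names are all assumptions made for the example.

```python
import ipaddress

# Added, illustrative evaluator for the policy discussed in this thread.
# It models top-down, first-match evaluation with a configurable implicit
# action; it is NOT ExtremeXOS code and performs no switch operations.

LC = "172.17.0.0/16"  # the learning-center source range from the thread


def entry(name, action, src, dst, proto=None, dport=None):
    """One policy entry. proto/dport None means 'any' (no match condition)."""
    return {"name": name, "action": action,
            "src": ipaddress.ip_network(src), "dst": ipaddress.ip_network(dst),
            "proto": proto, "dport": dport}


# Same order and intent as the converted policy posted above (protocol IP
# left off, since it is not a valid match condition).
POLICY = [
    entry("permit_ICMP_dc1", "permit", LC, "172.16.5.55/32", "icmp"),
    entry("permit_ICMP_dc2", "permit", LC, "172.16.5.40/32", "icmp"),
    entry("permit_TCPDNS_dc1", "permit", LC, "172.16.5.55/32", "tcp", 53),
    entry("permit_TCPDNS_dc2", "permit", LC, "172.16.5.40/32", "tcp", 53),
    entry("permit_UDPDNS_dc1", "permit", LC, "172.16.5.55/32", "udp", 53),
    entry("permit_UDPDNS_dc2", "permit", LC, "172.16.5.40/32", "udp", 53),
    entry("permit_KMS_dc2", "permit", LC, "172.16.5.40/32", "tcp", 1688),
    entry("permit_IP_FG600C", "permit", LC, "172.16.0.249/32"),
    entry("deny_LC_localcorp", "deny", LC, "172.16.0.0/16"),
    entry("deny_LC_remotecorp", "deny", LC, "10.0.0.0/8"),
    entry("permit_LC_internet", "permit", LC, "0.0.0.0/0"),
]

# Constructed sample flows: (protocol, source, destination, destination port).
PACKETS = [
    ("tcp", "172.17.1.10", "172.16.5.55", 53),     # DNS to DC1
    ("udp", "172.17.1.10", "172.16.5.55", 123),    # NTP to DC1: not allowed
    ("icmp", "172.17.1.10", "172.16.5.55", None),  # ping DC1
    ("tcp", "172.17.1.10", "172.16.5.40", 1688),   # KMS on DC2
    ("tcp", "172.17.1.10", "172.16.5.55", 445),    # SMB to DC1: not allowed
    ("tcp", "172.17.1.10", "172.16.0.249", 443),   # Fortigate internal
    ("tcp", "172.17.1.10", "10.1.2.3", 80),        # remote corp network
    ("tcp", "172.17.1.10", "8.8.8.8", 443),        # internet
    ("tcp", "192.168.1.5", "172.16.5.55", 445),    # source outside the LC range
]


def matches(e, pkt):
    proto, src, dst, dport = pkt
    if ipaddress.ip_address(src) not in e["src"]:
        return False
    if ipaddress.ip_address(dst) not in e["dst"]:
        return False
    if e["proto"] is not None and e["proto"] != proto:
        return False
    if e["dport"] is not None and e["dport"] != dport:
        return False
    return True


def evaluate(policy, pkt, default="permit"):
    """Top-down, first match wins. `default` is the implicit action when no
    entry matches: 'permit' as described for Extreme in this thread, 'deny'
    for the HP-style ACL being converted."""
    for e in policy:
        if matches(e, pkt):
            return e["action"], e["name"]
    return default, "implicit"


def without(policy, name):
    return [e for e in policy if e["name"] != name]


def is_redundant(policy, name, packets, default="permit"):
    """True if dropping `name` changes no decision over `packets`."""
    trimmed = without(policy, name)
    return all(evaluate(policy, p, default)[0] == evaluate(trimmed, p, default)[0]
               for p in packets)


def differs_by_default(policy, packets):
    """Flows whose fate depends on the implicit action, i.e. flows no entry
    matches. Worth checking before trusting an ACL ported from an
    implicit-deny platform to an implicit-permit one."""
    return [p for p in packets
            if evaluate(policy, p, "permit")[0] != evaluate(policy, p, "deny")[0]]


if __name__ == "__main__":
    for p in PACKETS:
        print(p, "->", evaluate(POLICY, p))
    print("permit_LC_internet redundant under implicit permit:",
          is_redundant(POLICY, "permit_LC_internet", PACKETS, "permit"))
    print("permit_ICMP_dc1 redundant without deny_LC_localcorp:",
          is_redundant(without(POLICY, "deny_LC_localcorp"), "permit_ICMP_dc1", PACKETS))
    print("flows decided by the implicit action:", differs_by_default(POLICY, PACKETS))
```

Two things the model makes visible: the trailing permit_LC_internet entry changes nothing under implicit permit but is what keeps internet access working if the same list is read with implicit deny, and the only flow in the sample set that the implicit action decides is the one sourced outside 172.17.0.0/16. That last case is harmless while the policy is bound ingress on the LC VLAN only, but it is the kind of gap an implicit-deny ACL would have closed for free, so a final explicit deny entry is worth considering if the policy is ever reused elsewhere.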
Daniel Flouret, Employee
Great! So I DID miss something...

They say it's better to ask and look stupid than to remain silent and be stupid for the rest of your life.... Hahaha
Ron Prague
It was a fair question.  I'm still wrapping my head around the fact that Extreme has an implicit permit at the end of their ACLs.  That freaks me out :p
eyeV
It's strange, yes. But you slowly get used to it. )