ACL conversion sanity check please.

Ron_Prague
New Contributor II
I'm new to Extreme core switches, I've used their edge products for years but usually in one off iSCSI deployments or more recently for limited AVB deployments.

We're replacing our HP Procurve cores with 8810s and I 'd like someone to take a quick look at this ACL I'm converting and point out anything I'm missing, this is my first time dealing with Extreme's ACL usage.

We have a learning center that needs access to internal DNS, KMS and then access to the internet, while blocking access to all other internal corporate resources.

Here's the HP ACL:
ip access-list extended "100"
10 permit tcp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0 eq 1688
10 remark "Allow LC to KMS server on DC2"
20 permit tcp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
20 remark "Allow LC to tcp DNS on DC1"
30 permit udp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
30 remark "Allow LC to udp DNS on DC1"
40 permit icmp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0
40 remark "Allow ping to DC2 LC"
50 permit icmp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0
50 remark "Allow ping to DC1 from LC"
60 permit ip 172.17.0.0 0.0.255.255 172.16.0.249 0.0.0.0
60 remark "Allow LC to Fortigate internal"
80 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
80 remark "Block LC from local corp network"
90 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
90 remark "Block LC from remote corp networks"
110 permit ip 172.17.0.0 0.0.255.255 0.0.0.0 255.255.255.255
110 remark "Allow LC out to the internet"
exit
and here's the Extreme version, which I think is right:

entry permit_ICMP_dc1 {
if match all {
source-address 172.17.0.0/16;
protocol ICMP;
destination-address 172.16.5.55/32;
} then {
permit;
}
}
entry permit_ICMP_dc2 {
if match all {
source-address 172.17.0.0/16;
protocol ICMP;
destination-address 172.16.5.40/32;
} then {
permit;
}
}
entry permit_TCPDNS_dc1 {
if match all {
source-address 172.17.0.0/16;
protocol TCP;
destination-address 172.16.5.55/32;
destination-port 53;
} then {
permit;
}
}
entry permit_TCPDNS_dc2 {
if match all {
source-address 172.17.0.0/16;
protocol TCP;
destination-address 172.16.5.40/32;
destination-port 53;
} then {
permit;
}
}
entry permit_UDPDNS_dc1 {
if match all {
source-address 172.17.0.0/16;
protocol UDP;
destination-address 172.16.5.55/32;
destination-port 53;
} then {
permit;
}
}
entry permit_UDPDNS_dc2 {
if match all {
source-address 172.17.0.0/16;
protocol UDP;
destination-address 172.16.5.40/32;
destination-port 53;
} then {
permit;
}
}
entry permit_KMS_dc2 {
if match all {
source-address 172.17.0.0/16;
protocol TCP;
destination-address 172.16.5.40/32;
destination-port 1688;
} then {
permit;
}
}
entry permit_IP_FG600C {
if match all {
source-address 172.17.0.0/16;
protocol IP;
destination-address 172.16.0.249/32;
} then {
permit;
}
}
entry deny_LC_localcorp {
if match all {
source-address 172.17.0.0/16;
protocol IP;
destination-address 172.16.0.0/16;
} then {
deny;
}
}
entry deny_LC_remotecorp {
if match all {
source-address 172.17.0.0/16;
protocol IP;
destination-address 10.0.0.0/8;
} then {
deny;
}
}
entry permit_LC_internet {
if match all {
source-address 172.17.0.0/16;
protocol IP;
destination-address 0.0.0.0/0;
} then {
permit;
}
}
Did I miss anything? Will this work ok?

Thanks!

dflouret
Extreme Employee
I may be wrong but if you just use
entry permit_ICMP_dc1 {
if match all {
source-address 172.17.0.0/16;
protocol ICMP;
destination-address 172.16.5.55/32;
} then {
permit;
}
}
and then end with a "permit all" entry
entry permit_LC_internet {
if match all {
source-address 172.17.0.0/16;
destination-address 0.0.0.0/0;
} then {
permit;
}
}
then the first entry is unnecessary.

After all, without it, the ICMP traffic would have still been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

entry permit_ICMP_dc1 {
if match all {
source-address 172.17.0.0/16;
protocol ICMP;
destination-address 172.16.5.55/32;
} then {
permit;
}
}
entry deny_All_dc1 {
if match all {
destination-address 172.16.5.55/32;
} then {
deny;
}
}

This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then, permit the rest...

Or am I missing something?
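
A first-match evaluator for both rule sets, added here as an illustration and not code from the thread or from either vendor, that checks the conversion the way the question and dflouret's reply frame it: it replays constructed sample flows through HP ACL 100 (implicit deny at the end) and the converted EXOS policy (implicit permit at the end) and lists the flows on which the two disagree. Sample hosts other than those in the thread are made up.

```python
import ipaddress

# Constructed model of the thread's two rule sets as (src, proto, dst, dport, action); None = any.
# First match wins; an unmatched flow gets the platform default: deny on HP, permit on EXOS.
HP_ACL = [  # ip access-list extended "100"
    ("172.17.0.0/16", "tcp", "172.16.5.40/32", 1688, "permit"),
    ("172.17.0.0/16", "tcp", "172.16.5.55/32", 53, "permit"),
    ("172.17.0.0/16", "udp", "172.16.5.55/32", 53, "permit"),
    ("172.17.0.0/16", "icmp", "172.16.5.40/32", None, "permit"),
    ("172.17.0.0/16", "icmp", "172.16.5.55/32", None, "permit"),
    ("172.17.0.0/16", None, "172.16.0.249/32", None, "permit"),
    ("172.17.0.0/16", None, "172.16.0.0/16", None, "deny"),
    ("172.17.0.0/16", None, "10.0.0.0/8", None, "deny"),
    ("172.17.0.0/16", None, "0.0.0.0/0", None, "permit"),
]
EXOS_POLICY = [  # the converted policy, entry order as posted
    ("172.17.0.0/16", "icmp", "172.16.5.55/32", None, "permit"),
    ("172.17.0.0/16", "icmp", "172.16.5.40/32", None, "permit"),
    ("172.17.0.0/16", "tcp", "172.16.5.55/32", 53, "permit"),
    ("172.17.0.0/16", "tcp", "172.16.5.40/32", 53, "permit"),
    ("172.17.0.0/16", "udp", "172.16.5.55/32", 53, "permit"),
    ("172.17.0.0/16", "udp", "172.16.5.40/32", 53, "permit"),
    ("172.17.0.0/16", "tcp", "172.16.5.40/32", 1688, "permit"),
    ("172.17.0.0/16", None, "172.16.0.249/32", None, "permit"),
    ("172.17.0.0/16", None, "172.16.0.0/16", None, "deny"),
    ("172.17.0.0/16", None, "10.0.0.0/8", None, "deny"),
    ("172.17.0.0/16", None, "0.0.0.0/0", None, "permit"),
]

def evaluate(rules, default, src, proto, dst, dport=None):
    """First-match evaluation of one flow; returns 'permit' or 'deny'."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r_src, r_proto, r_dst, r_port, action in rules:
        if (s in ipaddress.ip_network(r_src) and d in ipaddress.ip_network(r_dst)
                and r_proto in (None, proto) and r_port in (None, dport)):
            return action
    return default

FLOWS = [  # constructed sample flows (src, proto, dst, dport); hosts beyond the thread are made up
    ("172.17.1.10", "tcp", "172.16.5.40", 1688),  # LC -> KMS on DC2
    ("172.17.1.10", "tcp", "172.16.5.40", 53),    # LC -> TCP DNS on DC2 (not in the HP ACL)
    ("172.17.1.10", "tcp", "172.16.20.7", 445),   # LC -> some other corp host
    ("172.17.1.10", "tcp", "203.0.113.9", 443),   # LC -> internet
    ("192.168.9.9", "tcp", "172.16.5.55", 22),    # non-LC source: implicit deny vs implicit permit
]

def mismatches(flows=FLOWS):
    """Flows on which the EXOS policy decides differently from HP ACL 100."""
    return [f for f in flows
            if evaluate(HP_ACL, "deny", *f) != evaluate(EXOS_POLICY, "permit", *f)]
```

On these flows it flags the extra DNS-to-DC2 entries, which the HP ACL never permitted, and any source outside 172.17.0.0/16, which the HP ACL's implicit deny drops and the EXOS policy's implicit permit lets through.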

eyeV
New Contributor III
It's strange, yes. But you slowly get used to it. )

Ron_Prague
New Contributor II
It was a fair question. I'm still wrapping my head around the fact that Extreme has an implicit permit at the end of their ACLs. That freaks me out.

Great! So I DID miss something...

They say it's better to ask and look stupid than to remain silent and be stupid for the rest of your life.... Hahaha