Correct rule to allow DHCP in ACL for a VLAN

Updated 10 months ago
Hello, everybody! 

I need to allow DHCP traffic for a certain VLAN in ACL. Is my rule correct?


entry DHCP {
     if  {
          protocol udp ;
          destination-port 67,68 ;
     } then {
          permit ;
     }
}


Should it be applied to VLAN as "ingress"?


Could you please check it? Thank you!!!

Ilya Semenov

Posted 2 years ago

Kawawa, GTAC
Looks good, should work just fine. You can apply it on the ingress port if it is an uplink; otherwise, YES, you can apply it on the VLAN in the ingress direction. You might want to add a count to it for troubleshooting purposes.

Henrique, Employee
Hi, just change the comma to dash for destination-port match-condition.

entry DHCP {
     if  {
          protocol udp ;
          destination-port 67-68 ;
     } then {
          permit ;
     }
}

After creating the .pol file you can use "check policy <policy_name>" to check the syntax. Let's say your filename is "rule1.pol". You should use the command below to check the syntax:

check policy rule1

Please take a look into the article below for more details:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS
Ilya Semenov
Many thanks to you!

Then, am I correct that this allows all IP traffic? Not only DHCP, yes?

entry dhcp {
     if {
          destination-address 255.255.255.255/32 ;
     } then {
          count dhcp ;
          permit ;
     }
}

Thank you!
Erik Auerswald, Embassador
That would allow all global IP broadcast packets, not just DHCP.
Ilya Semenov
But Eric wrote: "That rule would allow IP broadcast traffic only."  Who is right?
Erik Auerswald, Embassador
The IP address 255.255.255.255 is the local (not global, my mistake) broadcast address for IP version 4, also known as all ones. This includes any protocol and any port, thus it is not just DHCP.

It is not every broadcast packet either, because IP version 4 supports directed broadcasts (directed broadcasts should be disabled for security reasons, it allows e.g. amplification in Smurf attacks).
Henrique, Employee
You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, they would not take effect for permitted traffic, because it is permitted by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

Henrique, Employee
That rule would allow IP broadcast traffic only.
Erik Auerswald, Embassador
Ilya,

if you add a deny all rule you should make sure to deny only IP traffic. If you deny every frame not previously permitted, you might accidentally stop e.g. layer 2 redundancy mechanisms from working correctly (STP, EAPS, ...).

Erik
Ilya Semenov

The only deny rule I have is at the end of every ACL. Is it similar to deny all?

entry perm_blocked_in {
     if {
          source-address 0.0.0.0/0 ;
     } then {
          deny ;
     }
}

Thank you.
Erik Auerswald, Embassador
Hi Ilya,

that entry denies all IP (version 4) traffic, but still allows non-IP Ethernet frames. That is OK and equivalent to the implicit deny any of Extreme EOS (or Cisco IOS) IP access-lists (router ACL).

Erik
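As an added illustration (my own code, not from this thread or from EXOS), a small Python model of how the entries discussed above are evaluated: first match wins, IPv4 match conditions never match non-IP frames such as STP or EAPS, and there is no implicit deny-all. The Frame and Entry classes are an assumed simplification of the EXOS policy language, and the test frames are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Frame:
    """Constructed test frame; ip=False models a non-IP frame (e.g. an STP BPDU)."""
    ip: bool = True
    proto: str = ""
    src: str = ""
    dst: str = ""
    dport: int = 0

@dataclass
class Entry:
    """One policy entry: the match conditions of its 'if' block and its action."""
    name: str
    action: str                                   # "permit" or "deny"
    protocol: Optional[str] = None                # protocol udp ;
    dst_ports: Optional[range] = None             # destination-port 67-68 ; -> range(67, 69)
    src_net: Optional[ipaddress.IPv4Network] = None   # source-address x/y ;
    dst_net: Optional[ipaddress.IPv4Network] = None   # destination-address x/y ;

    def matches(self, f: Frame) -> bool:
        # An IPv4 match condition can only match IPv4 packets, so non-IP
        # frames fall through every entry on this page, even the "deny all".
        if not f.ip:
            return False
        if self.protocol and f.proto != self.protocol:
            return False
        if self.dst_ports and f.dport not in self.dst_ports:
            return False
        if self.src_net and ipaddress.ip_address(f.src) not in self.src_net:
            return False
        if self.dst_net and ipaddress.ip_address(f.dst) not in self.dst_net:
            return False
        return True

def evaluate(policy, f: Frame):
    """First matching entry decides; with no match the frame is permitted (no implicit deny)."""
    for e in policy:
        if e.matches(f):
            return e.name, e.action
    return "implicit", "permit"

# The three entries from the thread, as this model represents them.
net = ipaddress.IPv4Network
DHCP = Entry("DHCP", "permit", protocol="udp", dst_ports=range(67, 69))
BCAST = Entry("dhcp", "permit", dst_net=net("255.255.255.255/32"))
DENY_IP = Entry("perm_blocked_in", "deny", src_net=net("0.0.0.0/0"))
```

Running evaluate() with [DHCP, DENY_IP] versus [BCAST, DENY_IP] on a non-DHCP broadcast to 255.255.255.255 shows the difference Erik describes, and a Frame(ip=False) passes [DENY_IP] untouched.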
Norbert Elitzer

In our two-tier MLAG design, with VRRP enabled and a VLAN ACL, we also have to allow the VRRP multicast traffic to 224.0.0.18/32 or to all of 224.0.0.0/24.