Extreme Policy Manager and Wireless Controller rules

Hi, how is it possible to create the ExtremeWireless Controller rules of the following type

with the Extreme Policy Manager?
In Policy Manager, when I try to define a rule of "any IP destination deny" as follows:

the screen doesn't permit inserting an "any" IP address value, so if I try to put the value 0.0.0.0/0 I receive an error because the netmask can't be 0:

If I Enforce this rule with the value 0.0.0.0 without the netmask, on the wireless controller this rule is written with netmask 32, as 0.0.0.0/32.

Another problem is that I can't define in Policy Manager an order for these rules as I can do from the EWC GUI, and when I Enforce the Domain to the Wireless Controller, the rules are not in the right order.
How do I solve this?
Thanks
Antonio Opromolla

Posted 3 years ago

Tyler Marcotte, Official Rep
Hi Antonio,

If you're just trying to block all IP then perhaps make a Layer 2 rule to block ethertype=IP? Then it will also be a lower priority as well when enforced by Policy Manager. See example screen below:



Tyler
Antonio Opromolla
Hi Tyler, with your suggestion I'm now able to add the following rule:

but I'm still not able to add a rule like the following:

Is there then a way to order the rules in Policy Manager so that they have the same order when applied to the Wireless Controller?
Tyler Marcotte, Official Rep
Hi Antonio - in regards to the precedence, I believe this link in the GTAC Knowledge Base should help: https://gtacknowledge.extremenetworks.com/articles/Q_A/What-Are-the-OnePolicy-Rule-Precedences-for-EXOS-Switches/?q=policy+rule+precedence&l=en_US&fs=Search&pn=1

As for your rule, can you explain what type of traffic you're trying to allow or deny? When defining policy, keep in mind that policy is applied at the ingress of traffic to the AP or switch. Are you trying to deny users getting anywhere, or trying to deny anything getting to users?

Thanks,

Tyler
Antonio Opromolla
Hi Tyler,
thanks for the link.
Regarding the rules that I'm trying to add via Policy Manager, these are the same rules described in the following GTAC article:
https://gtacknowledge.extremenetworks...
My previous screenshot for the src rule was wrong because the rules are the following:

In particular, I want to add via Policy Manager the following:
Tyler Marcotte, Official Rep
Hi Antonio - So is it working as you expect now? One thing I noticed in the referenced article is that the Topology is set both in the WLAN service and in the Policy Role as a Contain to VLAN. You shouldn't actually need the contain to VLAN and you could instead set that to Deny instead. Then you would not need that ethertype rule that I mentioned.

Thanks,

Tyler
Antonio Opromolla
Hi Tyler, my question is not about a specific configuration, but is a generic question on rule writing in PM... if I want to define such a rule with Policy Manager, is it possible or not?
In case it is possible (as with the previous rule that you suggested to me before, for the "In-dest, out-none, deny all"), which are the settings in Policy Manager that are translated on the Wireless Controller into a rule of type "in-none, out-src, allow all"?
Tyler Marcotte, Official Rep
Hi Antonio - Sorry I had misunderstood your original question. I thought you were asking how to accomplish that specific task instead of how it works in general.

To answer your question, no, you cannot configure a rule in Policy to match the Out rule. I believe that feature is there as part of backwards compatibility prior to the ExtremeWireless supporting policy. The 'out' component of the rule would be an equivalent of an Egress policy which we do not support configuring for wireless through Policy. 

I believe (but am not positive) that the rule you mentioned with the out component configured will always be written by policy, since policy is only applied to in traffic and not out traffic.

Let me know if that makes sense or if you have any other questions.

Thanks,

Tyler
Antonio Opromolla
Thanks a lot, Tyler, for this detailed explanation. So if I want to add the out component of a rule (egress policy), do I need to add it directly on the Wireless Controller and not with Policy Manager?
Is there a way to avoid that, on the next enforce of the domain policies with Policy Manager, such a rule disappears from the role because it is rewritten by PM? This is my latest question... thanks in advance for the details.
Tyler Marcotte, Official Rep
Hi Antonio - The answer to that question I'm not sure about unfortunately. If no one else on the hub can answer it, I'd suggest calling into GTAC and asking as I'm sure someone there can answer it for you.

Thanks,

Tyler 
Antonio Opromolla
Ok Tyler, thanks for the other details.
Ahmed Haroun
I have another scenario that I am unable to deal with:

- rule action is contain to VLAN.
- we allow specific IP sockets from PM.
- we deny all private IP ranges, so that users gain internet access but no access to local resources.

This is working fine; the trouble came when we were asked to allow ICMP to specific IPs. When we allow the protocol ICMP it is ordered below the deny statements, and also I did not find a way to limit it to specific IP addresses.

Any suggestions?
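Two points in this thread come down to how a role's rules are matched: Antonio's 0.0.0.0 rule being enforced as 0.0.0.0/32 (which matches only the literal host 0.0.0.0, not "any destination"), and Ahmed's ICMP allow landing below the private-range denies. The following is an added example, not code from Extreme or from anyone in this thread: a small first-match evaluator that models rules as (action, destination network, protocol, port) and shows both effects on constructed traffic. It assumes a simple top-down first-match order and a configurable role default; the real OnePolicy precedence rules (see the GTAC link above) are more involved, so treat this as an illustration of why the order and the mask matter, not as a replica of the controller's engine.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Added example (not Extreme's code): a first-match model of a policy role's
# traffic-classification rules, used to show two pitfalls from this thread.


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny"
    dst: Optional[IPv4Network] = None  # None = match any destination
    proto: Optional[str] = None        # "icmp", "tcp", "udp"; None = any protocol
    dport: Optional[int] = None        # None = any port (unused for icmp)

    def matches(self, dst_ip: str, proto: str, dport: Optional[int] = None) -> bool:
        if self.dst is not None and ip_address(dst_ip) not in self.dst:
            return False
        if self.proto is not None and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules, dst_ip: str, proto: str, dport: Optional[int] = None,
             default: str = "allow") -> str:
    """Return the action of the first matching rule, else the role's default."""
    for rule in rules:
        if rule.matches(dst_ip, proto, dport):
            return rule.action
    return default


def netmask_pitfall() -> tuple:
    """0.0.0.0 enforced as /32 matches only the literal host 0.0.0.0,
    while /0 is the real 'any destination' wildcard. Both are evaluated
    against a constructed packet to 203.0.113.7:443."""
    as_host = [Rule("deny", ip_network("0.0.0.0/32"))]   # what the controller wrote
    as_any = [Rule("deny", ip_network("0.0.0.0/0"))]     # what was intended
    return (evaluate(as_host, "203.0.113.7", "tcp", 443),
            evaluate(as_any, "203.0.113.7", "tcp", 443))


# RFC 1918 ranges, the "deny all private IP ranges" rules from Ahmed's post.
PRIVATE = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def icmp_exception(allow_first: bool) -> dict:
    """Deny private ranges but allow ICMP to one host (10.0.0.5, a constructed
    address); whether the exception works depends entirely on rule order."""
    deny_private = [Rule("deny", n) for n in PRIVATE]
    allow_icmp = [Rule("allow", ip_network("10.0.0.5/32"), proto="icmp")]
    rules = allow_icmp + deny_private if allow_first else deny_private + allow_icmp
    return {
        "icmp_to_10.0.0.5": evaluate(rules, "10.0.0.5", "icmp"),
        "ssh_to_10.0.0.5": evaluate(rules, "10.0.0.5", "tcp", 22),
        "icmp_to_10.0.0.9": evaluate(rules, "10.0.0.9", "icmp"),
        "https_to_internet": evaluate(rules, "203.0.113.7", "tcp", 443),
    }


if __name__ == "__main__":
    print("0.0.0.0/32 vs 0.0.0.0/0 deny:", netmask_pitfall())
    print("ICMP exception above the denies:", icmp_exception(True))
    print("ICMP exception below the denies:", icmp_exception(False))
```

`netmask_pitfall()` returns `("allow", "deny")`: the /32 deny never fires for ordinary traffic, so a role that was meant to block everything silently falls through to its default. `icmp_exception(True)` allows ICMP to 10.0.0.5 while still denying SSH to the same host and ICMP to any other private address; `icmp_exception(False)` denies the ICMP too, because the broader 10.0.0.0/8 deny matched first. The destination-scoped ICMP allow is the shape of rule Ahmed is asking for; in this model it only takes effect when it precedes the range denies.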