N7 ACL Issue

  • Updated 2 years ago
  • Solved
I've been asked to create a VLAN that will be used for a guest wireless network.  I need to be able to access only the DHCP server on VLAN1 from this new VLAN.  I'm trying to create an access-list on our Enterasys N7 Platinum that will do this. Here is what I have so far:

Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0

On the N7:

interface vlan 1
  ip address 10.50.2.1 255.255.128.0
  no shutdown
interface vlan 200
  ip address 10.51.0.1 255.255.252.0
  ip helper-address 10.50.1.30
  no shutdown

access-list 123 permit udp  any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any

When I apply this outbound to interface vlan 200, it allows all traffic.  I was under the impression (coming from a Cisco background) that once a rule in an access list has been processed, it stops there.  So, for instance, shouldn't any traffic denied by the second part of this access list be denied regardless of the last line of this access-list?

I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.

Robert Lawrence


Posted 2 years ago


Andre Brits Kannemeyer

Hi Robert

To use ACLs is fine but I would recommend utilizing Policy and Policy Manager to quickly and easily create what you require.

Erik Auerswald, Embassador

Hello Robert,

you are correct that the EOS router ACL is processed from the top down, stopping at the first match, with an implicit deny at the end. Just like a Cisco IOS router ACL.

If you bind ACL 123 outgoing on interface vlan 200 you will deny any traffic with an IP address from VLAN 200 originating outside of that VLAN to be routed into the VLAN. That would be an anti-spoofing ACL.

As far as I understand, you intend to block traffic originating in VLAN 200 to reach 10.50.0.0/17. To do that, you would need to bind the ACL inbound in VLAN 200.

I recommend drawing a simple diagram with just the relevant router interfaces to plan ACL deployment. Especially with multilayer switches and Switched Virtual Interfaces it is not that easy to understand which packets are affected by an ACL.

Best regards,
Erik

Robert Lawrence

Something as simple as the following doesn't work:

access-list 150 deny icmp 10.50.0.0 0.0.127.255 any
access-list 150 permit ip any any

Applied inbound on interface vlan 200, still allows pings from vlan 1.  What am I missing here?

Erik Auerswald, Embassador

Hello Robert,

packets with a source address in 10.50.0.0/17 will not enter the SVI Vlan 200, unless the end systems in VLAN 200 spoof the sender IP addresses. Thus your ACL 150 does not deny any packets.

You might want to try the following ACL as a starting point:
access-list 101 deny icmp any 10.50.0.0 0.0.127.255
access-list 101 permit ip any any
interface vlan 200
  ip access-group 101 in
That denies ICMP packets sent from VLAN 200 to the IP range of VLAN 1.

Best regards,
Erik

Alex Morrissey, Employee

Hello Robert,


The ACL 150 you provided in your last post will prevent ICMP traffic coming into the VLAN 200 router interface sourced from the 10.50.0.0 range going anywhere.  

Instead I'd suggest using "deny icmp any 10.50.0.0 0.0.127.255" in place of your "deny icmp 10.50.0.0 0.0.127.255 any".  This will deny any traffic destined to the 10.50.0.0/17 range and would be applied inbound on VLAN 200.

If you wanted to deny all icmp traffic to the 10.50.0.0/17 range you could also apply the same ACL outbound on VLAN 1 as it would still match and drop packets destined to the 10.50.0.0 range.

As Erik suggested, sometimes drawing out the data path can help identify where to place ACLs and how to craft them.

For additional reading we also have an ACL section in our configuration guides.  http://documentation.extremenetworks.com/EOS_Config/S-K-Series/S-K-7100_Configuration_Guide/c_ACL_Ru...

-Alex

Robert Lawrence

Ok awesome!  "deny icmp any 10.50.0.0 0.0.127.255" worked for that instance.

I got a little confused in where the packets were coming from (again, been working on this for a few days now and it's all starting to run together).

Here is what I have now:

Extended IP access list 126   
   1: permit udp  any range 67 68 any
   2: deny   icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
   3: deny   ip   10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
   4: permit ip   any any

If applied outbound on interface vlan 200, shouldn't this allow me to grab a DHCP address from the server that's on vlan 1, but deny the rest of traffic sourced from vlan 200 destined for vlan 1?

If so, with this rule applied, it's still allowing me to ping devices on vlan 1 from vlan 200 and access file shares as well.

I feel like I'm so close to having this thing whipped and really appreciate all input from  you guys so far.

Alex Morrissey, Employee

Hello Robert,

Have you tried applying that rule inbound on vlan 200?

Based on that ACL it will block traffic sourced from 10.51 and destined to 10.50.  So if you apply it outbound as you have you will not block anything because the traffic leaving the router and going into VLAN 200 (outbound) will be sourced from 10.50 and going to 10.51.  If you apply it inbound so traffic coming into the router from VLAN 200 (inbound) you will now have traffic sourced from 10.51 and destined to 10.50 which will match your ACL.

ACL inbound and outbound is based on the L3 router's view of the world, so if you draw a router then anything coming into it from other parts of your network is inbound while anything leaving it is considered outbound.  ACLs can be applied on the interfaces to filter this traffic but the ACL rules will need to match the traffic as it would be where the ACL is applied.  So your rule could work outbound if you flipped the source and destination fields of your ACL to match where the packet is coming from and where it is going.

-Alex

Robert Lawrence

Alex!  That worked sir!  I was under the impression that "out" referred to anything going out of that interface vice versa with "in".  Thank you very much for clearing that up for me.  Perhaps you could help me with one more addition to that acl?  To finish out, I need to allow vlan 200 to use a dns server on vlan 1.  Here is what I have configured inbound vlan 200:

   1: permit udp  any range 67 68 any   
   2: permit udp  any eq 53 any
   3: permit tcp  any eq 53 any
   4: deny   icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255     107
   5: deny   ip   10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255     971
   6: permit ip   any any

Will 2 and 3 not allow any dns requests to flow from vlan 200 to vlan 1?

Alex Morrissey, Employee

Hello Robert,

You will need to make a slight change to lines 2 and 3.  Instead of "any eq 53 any" you should use "any any eq 53".  Client to server conversations tend to be from a randomized source port destined to a specific server port.  So in this case you want any IP on any port destined to any IP on port 53 (permit udp <src IP> <src port> <dst IP> <dst port>).  You could also substitute the any fields with your 10.51 and 10.50 ranges.  So it could be "permit udp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 eq 53".

-Alex

Robert Lawrence

Again, worked flawlessly.  I can't thank you enough for the assistance you've given here.  Thanks to you as well Erik.

Is the first part of this ACL working because clients send the dhcp discover/requests on port 68 instead of a random port?  Just trying to clear all of this up in my head for future reference.
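Added example, not part of the thread: a small first-match evaluator for the EOS-style extended ACL from Robert's final post, run against constructed packets as the router sees them at the Vlan 200 SVI. It demonstrates Alex's two points (outbound sees source and destination reversed, and a DNS rule must match the destination port, not the source) and the DHCP question, where rule 1 matches on the client's source port 68. The packet addresses and the dictionary layout are assumptions of this example.

```python
import ipaddress
VLAN1 = ("10.50.0.0", "0.0.127.255")   # Vlan 1, 10.50.0.0/17 (thread)
VLAN200 = ("10.51.0.0", "0.0.3.255")   # Vlan 200, 10.51.0.0/22 (thread)

def match_ip(addr, spec):
    # EOS/IOS wildcard mask: a 1 bit in the mask means "don't care"
    if spec == "any":
        return True
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, *spec))
    return (a | w) == (n | w)

def match_port(port, spec):
    if spec is None:                       # no port clause: any port matches
        return True
    return port == spec[1] if spec[0] == "eq" else spec[1] <= port <= spec[2]

def evaluate(acl, pkt):
    # First match wins, top down; an unmatched packet hits the implicit deny
    for n, (action, proto, src, sport, dst, dport) in enumerate(acl, 1):
        if proto not in ("ip", pkt["proto"]):
            continue
        if (match_ip(pkt["src"], src) and match_port(pkt.get("sport", 0), sport)
                and match_ip(pkt["dst"], dst) and match_port(pkt.get("dport", 0), dport)):
            return action, n
    return "deny", None

def guest_acl(dns_fixed):
    # Robert's final ACL; dns_fixed=True applies Alex's "any any eq 53" correction
    dns = ("any", None, "any", ("eq", 53)) if dns_fixed else ("any", ("eq", 53), "any", None)
    return [("permit", "udp", "any", ("range", 67, 68), "any", None),
            ("permit", "udp", *dns),
            ("permit", "tcp", *dns),
            ("deny", "icmp", VLAN200, None, VLAN1, None),
            ("deny", "ip", VLAN200, None, VLAN1, None),
            ("permit", "ip", "any", None, "any", None)]

# Constructed packets as the router sees them at the Vlan 200 SVI
PING_IN = {"proto": "icmp", "src": "10.51.0.50", "dst": "10.50.1.30"}         # guest -> Vlan 1
PING_REPLY_OUT = {"proto": "icmp", "src": "10.50.1.30", "dst": "10.51.0.50"}  # Vlan 1 -> guest
DNS_QUERY = {"proto": "udp", "src": "10.51.0.50", "sport": 51000, "dst": "10.50.1.30", "dport": 53}
DHCP_DISCOVER = {"proto": "udp", "src": "0.0.0.0", "sport": 68, "dst": "255.255.255.255", "dport": 67}

def demo():
    acl, bad = guest_acl(True), guest_acl(False)
    return {"ping inbound": evaluate(acl, PING_IN),                # ('deny', 4)
            "ping reply outbound": evaluate(acl, PING_REPLY_OUT),  # ('permit', 6): outbound sees reversed addresses
            "dns wrong port field": evaluate(bad, DNS_QUERY),      # ('deny', 5): random source port is not 53
            "dns fixed": evaluate(acl, DNS_QUERY),                 # ('permit', 2)
            "dhcp discover": evaluate(acl, DHCP_DISCOVER)}         # ('permit', 1): client source port 68
```

Applying the same ACL outbound on Vlan 200 only ever sees packets like PING_REPLY_OUT, which is why nothing was blocked until it was bound inbound.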