OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Question (answered), updated 7 months ago
Hi,

when replacing EOS-based access switches (e.g. S-Series) with EXOS-based switches with OnePolicy support (e.g. X460-G2 or X440-G2), there is a difference in behavior if a deny-all policy is used. On EOS, STP BPDUs are not blocked, but on EXOS they are blocked by the OnePolicy.

I have encountered this with a customer using a deny all default OnePolicy to drop traffic from unauthenticated devices. After authentication, legitimate devices are assigned a OnePolicy to allow desired communication (and a VLAN is assigned using the RFC 3580 method as well).

While it is documented that deny all EXOS ACLs drop all Layer 2 protocols, I was not aware that this was carried over to OnePolicy (and I did not check the documentation).

Another problem is how to allow STP BPDUs in the default policy. I see two obvious methods to recognize them:
  1. By the destination MAC address of 01:80:C2:00:00:00
  2. By the LLC DSAP of 0x42 and SSAP of 0x42
The first method should be supported on X460-G2 switches (according to show policy capabilities), but not on e.g. X440-G2. The second method is not supported by either X440-G2 or X460-G2. Since we had X440-G2 in the lab, we could not test the first method when I was on-site (for a different task that had priority).

Has anybody encountered this problem before? How was it solved?

[Note: OnePolicy was just called Policy on EOS, but EXOS knew policy (.pol) files (also known as ACLs) as well. EXOS ACLs are more powerful than EXOS OnePolicies.]

Thanks,
Erik
Erik Auerswald, Embassador
Posted 10 months ago
M.Nees, Embassador
Hi Erik,

I ran into the same problem!

I have a customer project with PEAP and EAP-TLS authentication and a "Pre-Login" policy which only allows some specific communications. After upgrading from EXOS 21.1.3 to EXOS 22.3.1.4, PEAP and EAP-TLS are not running anymore.

I opened a case.

Possible solutions:
+ change the Pre-Login policy from PVID 0 (deny all) to PVID 4095 (allow all)
+ enhance the Pre-Login policy with STP BPDU, EAPOL, ...
+ wait for EXOS 22.4.x, which will change the behaviour back to what it was in 21.1.3

Allowing STP via 01:80:C2:00:00:00 on X440-G2 is possible if you do not try to use a variable mask; use ff:ff:ff:ff:ff:ff.

Here is an example:
configure policy profile 1 name "PC-PreAuth" pvid-status "enable" pvid 0
configure policy rule 1 macdest 01-80-C2-00-00-00 mask 48 forward
configure policy rule 1 ether 0x0806 mask 16 forward
configure policy rule 1 ether 0x8100 mask 16 forward
configure policy rule 1 ether 0x888E mask 16 forward
configure policy rule 1 ether 0x88CC mask 16 forward


Regards,
Matthias
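To make the difference discussed in this thread concrete (a bare deny-all that still passes STP on EOS but nothing on EXOS, versus a deny-all with the explicit exceptions from the profile above), here is an added Python model of such a policy profile. It is an illustration written for this page, not Extreme's code, and it simplifies the real semantics: any matching forward rule wins, otherwise the profile default (drop) applies; an "ether" rule is assumed to match either the outer 0x8100 tag or the inner EtherType; and the EOS-style implicit exception list is reduced to the one protocol the thread mentions (STP), because the real list is not documented here. The sample frames are constructed inline with shortened payloads.

```python
# Added model of a "deny all by default" OnePolicy-style profile with explicit forward
# rules (constructed example, not Extreme's code): any matching forward rule wins,
# otherwise the profile default (drop) applies.
import struct

STP_DST_MAC = bytes.fromhex("0180c2000000")  # 01:80:C2:00:00:00, IEEE 802.1D bridge group address
LLC_SAP_STP = 0x42                            # DSAP/SSAP carried by STP BPDUs

def parse_frame(frame: bytes) -> dict:
    """Return dst/src MAC, the EtherType(s) seen (outer 0x8100 plus the inner type for
    802.1Q frames) and, for 802.3 length-encoded frames, the LLC DSAP/SSAP pair."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    info = {"dst": frame[:6], "src": frame[6:12], "vlan": None,
            "etypes": [], "dsap": None, "ssap": None}
    off = 12
    etype = struct.unpack("!H", frame[off:off + 2])[0]
    info["etypes"].append(etype)
    if etype == 0x8100 and len(frame) >= off + 6:   # 802.1Q tag: note the VID, read inner type
        info["vlan"] = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
        etype = struct.unpack("!H", frame[off:off + 2])[0]
        info["etypes"].append(etype)
    off += 2
    if etype <= 1500 and len(frame) >= off + 2:     # 802.3 length field: an LLC header follows
        info["dsap"], info["ssap"] = frame[off], frame[off + 1]
    return info

def is_stp_bpdu_by_mac(info: dict) -> bool:   # method 1 from the thread: destination MAC
    return info["dst"] == STP_DST_MAC

def is_stp_bpdu_by_llc(info: dict) -> bool:   # method 2 from the thread: LLC DSAP/SSAP 0x42
    return info["dsap"] == LLC_SAP_STP and info["ssap"] == LLC_SAP_STP

def _masked_eq(a: int, b: int, width: int, mask_bits: int) -> bool:
    """Compare the leading mask_bits of two width-bit values (48 for MAC, 16 for EtherType)."""
    mask = ((1 << mask_bits) - 1) << (width - mask_bits)
    return (a & mask) == (b & mask)

class PolicyProfile:
    def __init__(self, name: str, deny_all: bool, implicit_exceptions=()):
        self.name = name
        self.deny_all = deny_all        # pvid 0 "deny all" vs pvid 4095 "allow all"
        self.rules = []                 # explicit forward rules as (kind, value, mask_bits)
        self.implicit_exceptions = list(implicit_exceptions)  # platform built-ins (assumed)

    def macdest(self, mac: str, mask_bits: int = 48) -> "PolicyProfile":
        self.rules.append(("macdest", int(mac.replace("-", "").replace(":", ""), 16), mask_bits))
        return self

    def ether(self, etype: int, mask_bits: int = 16) -> "PolicyProfile":
        self.rules.append(("ether", etype, mask_bits))
        return self

    def evaluate(self, frame: bytes) -> str:
        """Return "forward" or "drop" for one raw Ethernet frame."""
        info = parse_frame(frame)
        if not self.deny_all or any(pred(info) for pred in self.implicit_exceptions):
            return "forward"
        dst = int.from_bytes(info["dst"], "big")
        for kind, value, mask_bits in self.rules:
            if kind == "macdest" and _masked_eq(dst, value, 48, mask_bits):
                return "forward"
            if kind == "ether" and any(_masked_eq(e, value, 16, mask_bits) for e in info["etypes"]):
                return "forward"
        return "drop"

def preauth_profile() -> PolicyProfile:
    """The PC-PreAuth profile from the post above: pvid 0 plus its explicit exceptions."""
    p = PolicyProfile("PC-PreAuth", deny_all=True)
    return p.macdest("01-80-C2-00-00-00", 48).ether(0x0806).ether(0x8100).ether(0x888E).ether(0x88CC)

def bare_deny_all(eos_like: bool) -> PolicyProfile:
    """Deny-all with no rules.  eos_like=True models only what the thread states (EOS still
    passes STP BPDUs); the real EOS exception list is not documented on this page."""
    return PolicyProfile("DenyAll", True, [is_stp_bpdu_by_mac] if eos_like else [])

SRC = bytes.fromhex("001122334455")           # constructed source MAC
SAMPLE_FRAMES = {                               # constructed frames; payloads shortened/zeroed
    "stp_bpdu":    STP_DST_MAC + SRC + bytes.fromhex("0026424203") + bytes(35),
    "eapol_start": bytes.fromhex("0180c2000003") + SRC + bytes.fromhex("888e01010000"),
    "arp_request": bytes.fromhex("ffffffffffff") + SRC + bytes.fromhex("0806") + bytes(28),
    "lldp":        bytes.fromhex("0180c200000e") + SRC + bytes.fromhex("88cc0209") + bytes(7),
    "ipv4_data":   bytes.fromhex("00aabbccddee") + SRC + bytes.fromhex("0800") + bytes(46),
}

def decisions(profile: PolicyProfile) -> dict:
    return {name: profile.evaluate(f) for name, f in SAMPLE_FRAMES.items()}

if __name__ == "__main__":
    for label, prof in (("EOS-style bare deny-all", bare_deny_all(True)),
                        ("EXOS-style bare deny-all", bare_deny_all(False)),
                        ("PC-PreAuth with explicit exceptions", preauth_profile())):
        print(f"{label}: {decisions(prof)}")
```

Running it shows the three outcomes side by side: the EOS-style profile forwards only the BPDU, the EXOS-style bare deny-all drops everything (so the switch loses STP and the supplicant never gets its EAPOL frames through), and the profile with explicit exceptions forwards STP, ARP, EAPOL and LLDP while still dropping ordinary IPv4 data from an unauthenticated host. The point for a migration is the first two lines: the same "deny all" wording means different things on the two platforms, so the exception list has to be written out explicitly when moving to EXOS.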
Erik Auerswald, Embassador
Hi Matthias,

the macdest OnePolicy rule was not accepted on the X440-G2 in the lab. I tried it with the 48 bit mask only, because that is what needs to be matched. After this I checked with "show policy capabilities" what is supported, and destination MAC had no check mark.

Regards,
Erik
M.Nees, Embassador
Do you work with recent EXOS firmware? I am really sure that the above example works on the customer's system with X440-G2 with 22.3.1.4 firmware.

Regards
Erik Auerswald, Embassador
It should have been 22.3, but I am not totally sure, because we rebooted into an older firmware to verify that some Policy Manager issues were introduced by 22.3. We should have rebooted into 22.3 before the above mentioned tests, as far as I remember.

Thanks,
Erik
M.Nees, Embassador
Erik Auerswald, Embassador
Hi Matthias,

that is a new issue (EAPoL blocked by a DenyAll policy) that I have not seen in the wild yet; this worked before 22.3.1.4.

Thanks for pointing out this article!

Erik
Erik Auerswald, Embassador
There is another issue with regard to a DenyAll default policy:
Authenticated user FDB entries stay learned in the untagged VLAN, and cannot send traffic. That one is supposed to be fixed in 22.3; perhaps this "fix" introduced the new problem with EAPoL frames?

I do not like how this issue is progressing... :-(
Erik Auerswald, Embassador
Hi all,

I have heard a disturbing rumour (I have not received a direct confirmation from an Extreme representative) from a reliable source that the S-Series and K-Series firmware will be (or has already been) changed to break the often used DenyAll default rule with policies applied after authenticating end systems, just as it is broken on EXOS (see the first post of this thread).

To add insult to injury this change is supposed to be implemented without any mention in the Release Notes, breaking existing networks if new firmware is installed, without any chance for a warning in advance. Installing new firmware is often required to stay in compliance with regulations and contracts, including receiving support from Extreme Networks.

I do not want to believe this, but there is a certain logic to this ("EOS" always used a couple of undocumented exceptions to not break networks with a policy that denies "all" frames, while EXOS requires the user to manually allow what is needed for the network to function, see e.g. the issue from the post above or the Example ACL Rule Entries from the documentation).

Can anybody confirm this, or has seen this with current S-Series or K-Series firmware already?

Best regards,
Erik
Daniel Coughlin, Employee
Erik,
I spoke with engineering about this rumor.  They have not made changes to which protocols are still processed by EOS in the presence of a default drop rule in policy.  They also stated that there is no plan to do so in the future.
Erik Auerswald, Embassador
Hi Daniel,

thanks for the info, that was the reply I hoped to get. :-)

Erik