Policy to deny access to internal networks but allow access externally not working

  • 0
  • 2
  • Question
  • Updated 3 weeks ago
  • Answered
Working with Exos, S-series router and Policy Manager.  

Currently working with a customer, and I've setup a policy to deny 10.0.0.0/8 but allow 10.0.0.0/24.  Precedence shows this should work.  I also have allow DNS, DHCP and ARP.  In the past with EOS, allow ARP allows the workstation to access the network via the gateway.  I believe the workstation just arps up its gateway and uses the mac address for network access.  I can't get that to work on EXOS.  I've setup a rule to allow to the mac address of the s-series and that works, however I'm able to access everything on the 10 network that I've setup as a deny.  Same result when I just allow the IP address of the gateway of the workstation (10.190.0.1).  Has anybody setup this type of scenario with EXOS?  I've got a case open, and they are looking at the switching side of things being the cause.  I've upgraded to the latest code on the EXOS and still doesn't work.  Just seeing if anybody else has run into this before and if there is a solution before I go down the ACL road.  Thanks.
Photo of Brian Anderson

Brian Anderson

  • 722 Points 500 badge 2x thumb

Posted 1 month ago

  • 0
  • 2
Photo of Sushruth Sathyamurthy

Sushruth Sathyamurthy, Employee

  • 750 Points 500 badge 2x thumb
Hi Brian, could you share the ACL that you have applied. #show policy <NAME>
Photo of Brian Anderson

Brian Anderson

  • 722 Points 500 badge 2x thumb
I don't have ACLs currently in place.  That is probably the solution I'll have to go with, unfortunately.  Haven't heard any progress from GTAC side yet.