Policy to deny access to internal networks but allow access externally not working


Userlevel 2
Working with Exos, S-series router and Policy Manager.

Currently working with a customer, and I've setup a policy to deny 10.0.0.0/8 but allow 10.0.0.0/24. Precedence shows this should work. I also have allow DNS, DHCP and ARP. In the past with EOS, allow ARP allows the workstation to access the network via the gateway. I believe the workstation just arps up its gateway and uses the mac address for network access. I can't get that to work on EXOS. I've setup a rule to allow to the mac address of the s-series and that works, however I'm able to access everything on the 10 network that I've setup as a deny. Same result when I just allow the IP address of the gateway of the workstation (10.190.0.1). Has anybody setup this type of scenario with EXOS? I've got a case open, and they are looking at the switching side of things being the cause. I've upgraded to the latest code on the EXOS and still doesn't work. Just seeing if anybody else has run into this before and if there is a solution before I go down the ACL road. Thanks.

3 replies

Userlevel 2
Hi Brian, could you share the ACL that you have applied. #show policy
Userlevel 2
I don't have ACLs currently in place. That is probably the solution I'll have to go with, unfortunately. Haven't heard any progress from GTAC side yet.
Userlevel 2
FYI, received a response from GTAC, v22.5.1.7 is supposed to work. I haven't had a chance to test yet.

Reply