ACL conversion sanity check please.


Userlevel 2
I'm new to Extreme core switches. I've used their edge products for years, but usually in one-off iSCSI deployments or, more recently, for limited AVB deployments.

We're replacing our HP ProCurve cores with 8810s and I'd like someone to take a quick look at this ACL I'm converting and point out anything I'm missing; this is my first time dealing with Extreme's ACL usage.

We have a learning center that needs access to internal DNS, KMS and then access to the internet, while blocking access to all other internal corporate resources.

Here's the HP ACL:
[code]
ip access-list extended "100"
     10 permit tcp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0 eq 1688
     10 remark "Allow LC to KMS server on DC2"
     20 permit tcp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
     20 remark "Allow LC to tcp DNS on DC1"
     30 permit udp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
     30 remark "Allow LC to udp DNS on DC1"
     40 permit icmp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0
     40 remark "Allow ping to DC2 LC"
     50 permit icmp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0
     50 remark "Allow ping to DC1 from LC"
     60 permit ip 172.17.0.0 0.0.255.255 172.16.0.249 0.0.0.0
     60 remark "Allow LC to Fortigate internal"
     80 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
     80 remark "Block LC from local corp network"
     90 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
     90 remark "Block LC from remote corp networks"
     110 permit ip 172.17.0.0 0.0.255.255 0.0.0.0 255.255.255.255
     110 remark "Allow LC out to the internet"
   exit
[/code]
and here's the Extreme version, which I think is right:

[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
entry permit_ICMP_dc2 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.40/32;
    } then {
        permit;
    }
}
entry permit_TCPDNS_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol TCP;
        destination-address 172.16.5.55/32;
        destination-port 53;
    } then {
        permit;
    }
}
entry permit_TCPDNS_dc2 {
    if match all {
        source-address 172.17.0.0/16;
        protocol TCP;
        destination-address 172.16.5.40/32;
        destination-port 53;
    } then {
        permit;
    }
}
entry permit_UDPDNS_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol UDP;
        destination-address 172.16.5.55/32;
        destination-port 53;
    } then {
        permit;
    }
}
entry permit_UDPDNS_dc2 {
    if match all {
        source-address 172.17.0.0/16;
        protocol UDP;
        destination-address 172.16.5.40/32;
        destination-port 53;
    } then {
        permit;
    }
}
entry permit_KMS_dc2 {
    if match all {
        source-address 172.17.0.0/16;
        protocol TCP;
        destination-address 172.16.5.40/32;
        destination-port 1688;
    } then {
        permit;
    }
}
entry permit_IP_FG600C {
    if match all {
        source-address 172.17.0.0/16;
        protocol IP;
        destination-address 172.16.0.249/32;
    } then {
        permit;
    }
}
entry deny_LC_localcorp {
    if match all {
        source-address 172.17.0.0/16;
        protocol IP;
        destination-address 172.16.0.0/16;
    } then {
        deny;
    }
}
entry deny_LC_remotecorp {
    if match all {
        source-address 172.17.0.0/16;
        protocol IP;
        destination-address 10.0.0.0/8;
    } then {
        deny;
    }
}
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        protocol IP;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
Did I miss anything? Will this work ok?

Thanks!

9 replies

Userlevel 6
Hey Ron

At first pass I would say you got it all right. One suggestion I would make is to add a counter to each ACL statement so that you can see if traffic is hitting it. It is good for troubleshooting the policy. Just add count ;

Also remember that we look at ACLs on ingress by default, so when you assign this policy, make sure your traffic pattern is in the direction of the source/destination IP or port number. Lastly, we have an implicit permit, so if you do not deny, we will forward.

Let us know how it goes.

P
Userlevel 2
Paul Russo wrote:

Hey Ron

At first pass I would say you got it all right. One suggestion I would make is to add a counter to each ACL statement so that you can see if traffic is hitting it. It is good for troubleshooting the policy. Just add count ;

Also remember that we look at ACLs on ingress by default, so when you assign this policy, make sure your traffic pattern is in the direction of the source/destination IP or port number. Lastly, we have an implicit permit, so if you do not deny, we will forward.

Let us know how it goes.

P

This is how the ACL is applied (on both core switches):
[code]
configure access-list learningcenter vlan "LC" ingress
[/code]

One more thing, the final statement:
[code]
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
isn't necessary then, because there is an implicit permit at the end of the ACL?

Extreme ACLs are still done top-down processing I assume?
Userlevel 4
Ron,

"IP" is an invalid protocol match condition. Once protocol IP was removed as a match condition from the last 4 entries, the policy check cleared.

After creating the policy file, the "check policy" command can be used to verify that the syntax is correct.

Please let me know if there are any questions or concerns.

Andrew
Userlevel 2
Andrew Maldonado wrote:

Ron,

"IP" is an invalid protocol match condition. Once protocol IP was removed as a match condition from the last 4 entries, the policy check cleared.

After creating the policy file, the "check policy" command can be used to verify that the syntax is correct.

Please let me know if there are any questions or concerns.

Andrew

Thanks Andrew, I found that out about an hour after I posted this by using the check policy command.
Userlevel 6
I may be wrong, but if you just use
[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
[/code]
and then end with a "permit all" entry
[code]
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
then the first entry is unnecessary.

After all, without it, the ICMP traffic would still have been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
entry deny_All_dc1 {
    if match all {
        destination-address 172.16.5.55/32;
    } then {
        deny;
    }
}
[/code]

This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then permit the rest...

Or am I missing something?
Userlevel 2
dflouret wrote:

I may be wrong, but if you just use
[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
[/code]
and then end with a "permit all" entry
[code]
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
then the first entry is unnecessary.

After all, without it, the ICMP traffic would still have been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
entry deny_All_dc1 {
    if match all {
        destination-address 172.16.5.55/32;
    } then {
        deny;
    }
}
[/code]

This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then permit the rest...

Or am I missing something?

There's an entry in the middle that denies all traffic from 172.17.0.0/16 to 172.16.0.0/16, except for the rules we matched earlier (DNS, ICMP and KMS).

[code]
entry deny_LC_localcorp {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 172.16.0.0/16;
    } then {
        deny;
    }
}
[/code]
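The two points just made, dflouret's "a permit before a permit-all does nothing" and Ron's "the mid-policy deny is what makes the earlier permits matter", can be checked in code rather than by reading. The following is an added example, mine and not code from the thread or from Extreme Networks: a small Python first-match evaluator that parses the corrected policy (Ron's conversion with protocol IP removed from the last four entries, per Andrew's check policy result) and runs constructed sample flows through it. It assumes only what the thread states: entries are evaluated top-down with the first match deciding, an unmatched packet is permitted (the implicit permit Paul describes), and a protocol IP match fails the syntax check. The sample addresses (172.17.4.20, 10.20.0.5, 203.0.113.10), the function names and the VALID_PROTOCOLS set are constructed for the example; the set lists only the three protocols this policy uses and is not a statement of what EXOS accepts in general.

```python
# Added example: first-match evaluator for the converted Extreme policy.
# Not from the thread or from Extreme Networks; assumptions are marked below.
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption (Andrew's finding in the thread): "protocol IP" is not a valid
# match. Only the protocols this policy uses are listed; this is not a claim
# about what EXOS accepts in general.
VALID_PROTOCOLS = {"TCP", "UDP", "ICMP"}

# Ron's conversion with "protocol IP" removed from the last four entries.
POLICY = """
entry permit_ICMP_dc1 { if match all { source-address 172.17.0.0/16; protocol ICMP; destination-address 172.16.5.55/32; } then { permit; } }
entry permit_ICMP_dc2 { if match all { source-address 172.17.0.0/16; protocol ICMP; destination-address 172.16.5.40/32; } then { permit; } }
entry permit_TCPDNS_dc1 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.55/32; destination-port 53; } then { permit; } }
entry permit_TCPDNS_dc2 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.40/32; destination-port 53; } then { permit; } }
entry permit_UDPDNS_dc1 { if match all { source-address 172.17.0.0/16; protocol UDP; destination-address 172.16.5.55/32; destination-port 53; } then { permit; } }
entry permit_UDPDNS_dc2 { if match all { source-address 172.17.0.0/16; protocol UDP; destination-address 172.16.5.40/32; destination-port 53; } then { permit; } }
entry permit_KMS_dc2 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.40/32; destination-port 1688; } then { permit; } }
entry permit_IP_FG600C { if match all { source-address 172.17.0.0/16; destination-address 172.16.0.249/32; } then { permit; } }
entry deny_LC_localcorp { if match all { source-address 172.17.0.0/16; destination-address 172.16.0.0/16; } then { deny; } }
entry deny_LC_remotecorp { if match all { source-address 172.17.0.0/16; destination-address 10.0.0.0/8; } then { deny; } }
entry permit_LC_internet { if match all { source-address 172.17.0.0/16; destination-address 0.0.0.0/0; } then { permit; } }
"""

# The deny entry as Ron first posted it, kept to show what check_policy flags.
ORIGINAL_LOCALCORP = ("entry deny_LC_localcorp { if match all { source-address 172.17.0.0/16; "
                      "protocol IP; destination-address 172.16.0.0/16; } then { deny; } }")

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if match all\s*\{(.*?)\}\s*then\s*\{\s*(permit|deny);\s*\}\s*\}",
    re.S,
)


@dataclass
class Entry:
    name: str
    action: str
    src: Optional[ipaddress.IPv4Network] = None
    dst: Optional[ipaddress.IPv4Network] = None
    proto: Optional[str] = None
    dport: Optional[int] = None


def parse_policy(text: str) -> List[Entry]:
    """Parse 'entry name { if match all {...} then {...} }' blocks, in file order."""
    entries = []
    for name, conds, action in ENTRY_RE.findall(text):
        entry = Entry(name, action)
        for cond in filter(None, (c.strip() for c in conds.split(";"))):
            key, value = cond.split(None, 1)
            if key == "source-address":
                entry.src = ipaddress.ip_network(value)
            elif key == "destination-address":
                entry.dst = ipaddress.ip_network(value)
            elif key == "protocol":
                entry.proto = value.upper()
            elif key == "destination-port":
                entry.dport = int(value)
            else:
                raise ValueError(f"{name}: unsupported match condition {key!r}")
        entries.append(entry)
    return entries


def check_policy(entries: List[Entry]) -> List[str]:
    """Names of entries whose protocol match would fail the syntax check."""
    return [e.name for e in entries
            if e.proto is not None and e.proto not in VALID_PROTOCOLS]


def evaluate(entries: List[Entry], src: str, dst: str, proto: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """First matching entry decides; no match at all means the implicit permit."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        if e.src is not None and s not in e.src:
            continue
        if e.dst is not None and d not in e.dst:
            continue
        if e.proto is not None and e.proto != proto.upper():
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action, e.name
    return "permit", "implicit-permit"


# Constructed sample flows: (description, src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("LC host to DC1 DNS over TCP", "172.17.4.20", "172.16.5.55", "tcp", 53),
    ("LC host to DC1 file share (TCP/445)", "172.17.4.20", "172.16.5.55", "tcp", 445),
    ("LC host to DC2 KMS", "172.17.4.20", "172.16.5.40", "tcp", 1688),
    ("LC host pinging DC2", "172.17.4.20", "172.16.5.40", "icmp", None),
    ("LC host to remote corp", "172.17.4.20", "10.20.0.5", "tcp", 443),
    ("LC host to the internet", "172.17.4.20", "203.0.113.10", "tcp", 443),
    ("Non-LC host (no entry matches)", "172.16.1.1", "172.16.5.55", "tcp", 445),
]

if __name__ == "__main__":
    entries = parse_policy(POLICY)
    print("check policy on original deny:", check_policy(parse_policy(ORIGINAL_LOCALCORP)))
    for desc, *flow in SAMPLE_FLOWS:
        print(f"{desc:38} -> {evaluate(entries, *flow)}")
    # dflouret's scenario: drop the mid-policy deny and TCP/445 falls through to the permit-all.
    trimmed = [e for e in entries if e.name != "deny_LC_localcorp"]
    print("without deny_LC_localcorp, TCP/445 ->", evaluate(trimmed, *SAMPLE_FLOWS[1][1:]))
```

Run as a script, it shows deny_LC_localcorp catching the LC-to-DC1 TCP/445 flow while the DNS, KMS and ICMP flows ahead of it are permitted (Ron's point), and that with deny_LC_localcorp removed the same TCP/445 flow reaches permit_LC_internet (dflouret's point). The non-LC flow matches no entry and is permitted only by the implicit permit, which is the behaviour Paul warned about when choosing where to apply the policy.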
Userlevel 6
dflouret wrote:

I may be wrong, but if you just use
[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
[/code]
and then end with a "permit all" entry
[code]
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
then the first entry is unnecessary.

After all, without it, the ICMP traffic would still have been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
entry deny_All_dc1 {
    if match all {
        destination-address 172.16.5.55/32;
    } then {
        deny;
    }
}
[/code]

This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then permit the rest...

Or am I missing something?

Great! So I DID miss something...

They say it's better to ask and look stupid than to remain silent and be stupid for the rest of your life... Hahaha
Userlevel 2
dflouret wrote:

I may be wrong, but if you just use
[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
[/code]
and then end with a "permit all" entry
[code]
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
then the first entry is unnecessary.

After all, without it, the ICMP traffic would still have been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
entry deny_All_dc1 {
    if match all {
        destination-address 172.16.5.55/32;
    } then {
        deny;
    }
}
[/code]

This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then permit the rest...

Or am I missing something?

It was a fair question. I'm still wrapping my head around the fact that Extreme has an implicit permit at the end of their ACLs. That freaks me out 😛
Userlevel 3
dflouret wrote:

I may be wrong, but if you just use
[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
[/code]
and then end with a "permit all" entry
[code]
entry permit_LC_internet {
    if match all {
        source-address 172.17.0.0/16;
        destination-address 0.0.0.0/0;
    } then {
        permit;
    }
}
[/code]
then the first entry is unnecessary.

After all, without it, the ICMP traffic would still have been permitted by the last "permit" rule (either explicit or implicit).

If you want to allow ONLY ICMP traffic to 172.16.5.55/32, you need to add a "deny rule" that blocks all other traffic to that IP address AFTER the "permit rule"...

[code]
entry permit_ICMP_dc1 {
    if match all {
        source-address 172.17.0.0/16;
        protocol ICMP;
        destination-address 172.16.5.55/32;
    } then {
        permit;
    }
}
entry deny_All_dc1 {
    if match all {
        destination-address 172.16.5.55/32;
    } then {
        deny;
    }
}
[/code]

This should be repeated for every entry.

Permit certain traffic to destination A, then deny other traffic to destination A. Repeat for B, C, D, etc., then permit the rest...

Or am I missing something?

It's strange, yes. But you slowly get used to it. :)
