ACL to EXOS and EIGRP Newbie

  • 30 August 2019
  • 12 replies
  • 1620 views

Hello,
I'm converting a Cisco 2911 router to an Extreme 440-24t. I've never created an access list or even worked with one. The router currently has the following. I also don't know what to do with the EIGRP and if I need to convert that as well.

router eigrp 99
network 10.76.0.0 0.0.0.255
network 10.76.22.0 0.0.0.255
network 172.16.0.0
network 192.168.22.0
!
ip forward-protocol nd
!
ip http server
ip http secure-server
!
!
access-list 50 permit 192.168.0.0 0.0.255.255
access-list 50 permit 10.76.0.0 0.0.0.255
access-list 101 deny ip any 172.16.0.0 0.0.255.255
access-list 101 permit ip any any
access-list 102 permit ip any 172.16.0.0 0.0.255.255
access-list 102 permit ip any 10.243.4.0 0.0.1.255

Userlevel 2
I don't think Extreme supports EIGRP and will probably never do so.

https://community.extremenetworks.com/extremeswitching-exos-223284/eigrp-7497233

Use standards like OSPF, ISIS or BGP for routing.

Where do you plan to use the ACLs, on interfaces, VLANs, for route export, CPU protection or something else?

You can either edit a policy file that you create for a policy (ACL) or create a dynamic ACL. I think you can only have one match in a dynamic ACL, so you can do this:

create access-list ACLv101a "source-address 172.16.0.0/16" "deny"
create access-list ACLv101b "source-address 0.0.0.0/0" "permit"
configure access-list add ACLv101a vlan v101-engineering first
configure access-list add ACLv101b vlan v101-engineering after ACLv101a

or you can create a policy file:

edit policy ACLv101 (starts up a "vi" like editor, nasty, but that's how it's done)

i (for entering edit mode in vi, then type the following)

entry v101-deny {
if {
source-address 172.16.0.0/16;
} then {
deny;
}
}

entry v101-permit {
if {
} then {
permit;
}
}

(now, press Esc and then ZZ, that is capital Z twice, for saving and exiting)

Apply the ACL to a VLAN (if that's what you intend):

configure access-list add ACLv101 vlan v101-engineering

/Fredrik
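As an added example (not code from the thread or from Extreme), here is a small Python converter from the Cisco numbered access-lists in the question to EXOS policy-file entries in the layout shown above. It keeps the entry order, since the first match wins on both platforms, and refuses wildcard masks that have no CIDR equivalent; the entry names (acl101-1 and so on) are my own choice.

```python
# Added example, not from the thread: Cisco numbered access-lists -> EXOS policy entries.
import ipaddress
ANY = "0.0.0.0/0"  # Cisco 'any'; rendered in EXOS by omitting the match condition

def wildcard_to_cidr(addr, wildcard):
    """Cisco 'addr wildcard' -> 'net/len'; a non-contiguous wildcard has no CIDR form."""
    mask = int(ipaddress.IPv4Address(wildcard)) ^ 0xFFFFFFFF
    prefixlen = bin(mask).count("1")
    if mask != (0xFFFFFFFF << (32 - prefixlen)) & 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} cannot be expressed as a single prefix")
    return str(ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False))

def _operand(tokens):
    """Consume one address operand ('any' or 'A WILDCARD'); return (cidr, remaining tokens)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    return wildcard_to_cidr(tokens[0], tokens[1]), tokens[2:]

def parse_cisco_acl(line):
    """'access-list N permit|deny [ip] SRC [DST]' -> rule dict (port matches not handled)."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or len(tokens) < 4:
        raise ValueError(f"not an access-list line: {line!r}")
    number, action, rest = int(tokens[1]), tokens[2], tokens[3:]
    if 1 <= number <= 99 or 1300 <= number <= 1999:  # standard ACL: source only
        src, dst = _operand(rest)[0], ANY
    else:                                           # extended ACL: protocol src dst
        src, rest = _operand(rest[1:])
        dst, _ = _operand(rest)
    return {"acl": number, "action": action, "src": src, "dst": dst}

def to_exos_entry(rule, index):
    """Render one rule as an EXOS policy entry in the layout used in the replies above."""
    lines = [f"entry acl{rule['acl']}-{index} {{", "  if {"]
    if rule["src"] != ANY:
        lines.append(f"    source-address {rule['src']};")
    if rule["dst"] != ANY:
        lines.append(f"    destination-address {rule['dst']};")
    return "\n".join(lines + ["  } then {", f"    {rule['action']};", "  }", "}"])

def convert(cisco_config):
    """Group access-list lines by number into {policy name: policy text}, order preserved."""
    groups = {}
    for line in cisco_config.splitlines():
        if line.strip().startswith("access-list"):
            rule = parse_cisco_acl(line)
            groups.setdefault(rule["acl"], []).append(rule)
    return {f"acl{n}": "\n\n".join(to_exos_entry(r, i + 1) for i, r in enumerate(rs))
            for n, rs in groups.items()}

# Sample input: the two ACL 101 lines quoted in the question
CISCO_ACL_101 = "access-list 101 deny ip any 172.16.0.0 0.0.255.255\naccess-list 101 permit ip any any\n"
```

Each value of convert() is the text you would paste into "edit policy <name>"; the policy still has to be applied with "configure access-list <name> vlan <vlan>" as described above.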
I'm not really sure about the ACLs, and I've never set up a switch. I've got 2 VLANs, (admin) and (controls); it goes directly to a rad provided by CenturyLink. We originally had a Cisco router and a Cisco switch, but we want to put in this X440 in place of those two. I'm only trying to mirror what we had in the router, and I wasn't part of the original setup, so I'm not sure what the ACLs are for. We want the admin VLAN and the controls VLAN to not have internet. Not sure if that makes sense or not.
Userlevel 2
Ok, two things. If this is indeed an old X440-24t (not a G2 version), you're stuck on old EXOS 16, but you will be fine with one of the latest EXOS 16 releases. Secondly, I think you need to figure out what the old router did if you're going to copy its settings. If you cannot do that (well, in any case) you need to understand the solution, otherwise you're only guessing.

If none of the VLANs are supposed to have Internet access, is there another VLAN that is supposed to have that?

Was Cisco EIGRP routing protocol used at all in the Cisco? You should see that with "show eigrp 99 neighbors". If none are listed, you probably don't even use EIGRP. Even if EIGRP is used, very often in simple implementations, the routing protocol more or less only establishes a default route to the outside world. If this is the case for you, you can replace EIGRP with a simple static route to the next-hop router (default gateway).

/Fredrik
The only VLAN that would have internet would be the "admin" VLAN. The controls VLAN would be closed. Would I still need to look at OSPF? I also tagged the port that the internet comes into the switch on, port 24, and put that port on a 3rd VLAN called "clink".
Userlevel 2
Ah, you said "We want admin vlan and the controls vlan to not have internet.". Do you need routing between those VLANs? If so, you can use routing between the VLANs and an ACL to prevent the controls VLAN from reaching anything other than the admin VLAN.

If you provide the following, I might be able to help you:

IP, subnet and VLAN ID for the two VLANs
Router for Internet (default gateway)

/Fredrik
vlan admin vid 10 10.76.22.1/24
vlan controls vid 20 172.16.22.1/23
CenturyLink router 10.76.0.22/24

I have DHCP set up as well; for the controls VLAN an IP would pick up 172.16.22.x, sub: 255.255.254.0, gw: 172.16.22.1
vlan admin 10.76.22.x, sub: 10.76.22.1, gw: 10.76.22.1
The admin VLAN (with internet) should be able to communicate with the controls VLAN, but the controls VLAN should not have internet access.
Userlevel 2
Hi!

Ok, for a basic setup, you need three VLANs:

create vlan admin
configure vlan admin tag 10
configure vlan admin ipaddress 10.76.22.1 255.255.255.0

create vlan controls
configure vlan controls tag 20
configure vlan controls ipaddress 172.16.22.1 255.255.254.0

create vlan century
configure vlan century tag 30
configure vlan century ipaddress 10.76.0.xx 255.255.255.0 <- need correct IP here (are you .22 and Century some other IP?)

configure iproute add 0.0.0.0 0.0.0.0 10.76.0.22 <- IP of the Century router
enable ipforwarding <--- enables routing on all VLANs

Add ports to the VLANs (examples, use your own port assignments as needed):

configure vlan admin add ports 1-10 untagged
configure vlan controls add ports 11-20 untagged
configure vlan century add ports 24 untagged

In case you need tagged ports with, say, admin and controls for trunking those to another switch:
configure vlan admin add ports 22-23 tagged
configure vlan controls add ports 22-23 tagged

I am assuming this is how the network is supposed to be connected:

admin------ Extreme ---- Century router ---- Internet
controls---- X440

What I didn't get was which IP addresses you use for the X440-to-Century connection. I assume this:

- Century router has IP 10.76.0.22/24 on the interface towards the X440
- X440 should have another address in that subnet, designated 10.76.0.xx/24 above

This should work, but will not stop the controls network from reaching the Internet. For that you need a policy.

After testing the basic setup (please do that first so you know the basics work), you need a policy (ACL) that denies traffic from VLAN controls to the Internet.

edit policy deny-controls-internet

i (for enabling editing, an ugly vi editor monstrosity)

[Paste the text below into the editor]

# Policy for denying traffic from Controls to the Internet
entry permit-controls-admin {
if {
source-address 172.16.22.0/23;
destination-address 10.76.22.0/24;
} then {
permit;
}
}

entry deny-controls-Internet {
if {
source-address 172.16.22.0/23;
} then {
deny;
}
}

Quit the ugly vi-like editor with Esc and then ZZ (shift z twice) or Esc :w (I think, check)

Apply the policy to the VLANs:

configure access-list deny-controls-internet add vlan controls

This applies the policy/ACL to the VLAN controls and will have no effect on other VLANs.

If all is good, you're done!

I did this as a dry-run, no testing, so if not all is correct, please forgive me ;)

/Fredrik
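As an added example, not part of Fredrik's post or any Extreme tool: a first-match simulation of the policy above (the same two entries, written in a compact layout) run against a few constructed flows. It shows why the permit entry has to come before the deny entry, and that, because EXOS forwards a packet that matches no entry, it is the final deny that actually keeps controls off the Internet. 198.51.100.1 is a placeholder for an Internet address.

```python
# Added example, not from the thread: first-match simulation of the policy posted above.
import ipaddress
import re

# Constructed copy of the two entries from the reply, in a compact one-line-per-if layout
POLICY = """\
entry permit-controls-admin {
  if { source-address 172.16.22.0/23; destination-address 10.76.22.0/24; } then { permit; }
}
entry deny-controls-Internet {
  if { source-address 172.16.22.0/23; } then { deny; }
}
"""
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)

def parse_policy(text):
    """Return [(name, {match keyword: network}, action)] in file order (order is significant)."""
    entries = []
    for name, conds, actions in ENTRY_RE.findall(text):
        matches = {k: ipaddress.ip_network(v) for k, v in re.findall(r"(\S+)\s+(\S+);", conds)}
        action = re.search(r"(permit|deny)\s*;", actions).group(1)
        entries.append((name, matches, action))
    return entries

def evaluate(entries, src, dst, default="permit"):
    """First matching entry decides; EXOS forwards a packet that matches no entry (the default)."""
    packet = {"source-address": ipaddress.ip_address(src),
              "destination-address": ipaddress.ip_address(dst)}
    for name, matches, action in entries:
        if all(packet[key] in net for key, net in matches.items()):
            return name, action
    return None, default

# Constructed flows: (source, destination, intended result); 198.51.100.1 stands in for the Internet
FLOWS = [
    ("172.16.22.50", "10.76.22.10", "permit"),   # controls -> admin
    ("172.16.22.50", "198.51.100.1", "deny"),    # controls -> Internet
    ("172.16.22.50", "10.76.0.22", "deny"),      # controls -> Century router itself
]

def check(policy_text, flows):
    """[(src, dst, intended, actual)] so a mismatch is visible before the policy goes on the VLAN."""
    entries = parse_policy(policy_text)
    return [(s, d, want, evaluate(entries, s, d)[1]) for s, d, want in flows]
```

The simulation only models the source/destination matches used here; it knows nothing about which VLAN the policy is bound to, so admin traffic is shown as unmatched rather than as never reaching the ACL.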
Thanks, I tried putting in "configure iproute add 0.0.0.0 0.0.0.0 10.76.0.22" and "enable ipforwarding" but I get an error: "Invalid null netmask detected at '^' marker."

It's showing the marker at the start of the second 0.0.0.0.
Userlevel 2
Ah, it's supposed to be this:

configure iproute add default 10.76.0.22
No, for the access list I typed in "configure access-list deny-controls-internet vlan controls"; it doesn't work if you put "add vlan controls". I got an error: "error: Policy deny-controls-internet has syntax errors line 2: Missing keyword "entry"".
Also, I tried the config without the access list and I have an issue: I can't seem to get online with just the basic config to port 24 and VLAN century.
Userlevel 2
Can you ping from a PC in VLAN admin to all IPs on the switch? Start with pinging 10.76.22.1 and then the other addresses.

Did you do "enable ipforwarding"? Is the routing back from the Century to the X440 correct? If you used to run a routing protocol there previously (Cisco EIGRP), you might need to add a static route back to the X440 from the Century.

/Fredrik
