Correct rule to allow DHCP in ACL for a VLAN


Userlevel 4
Hello, everybody!

I need to allow DHCP traffic for a certain VLAN in ACL. Is my rule correct?

entry DHCP { if {
protocol udp ;
destination-port 67,68 ;
} then {
permit ;
}
}

Should it be applied to VLAN as "ingress"?

Could you please check it? Thank you!!!

13 replies

Userlevel 5
Looks good, should work just fine. You can apply it on the ingress port if it is an uplink; otherwise, YES, you can apply it on the VLAN in the ingress direction. You might want to add a count to it for troubleshooting purposes.
Userlevel 6
Hi, just change the comma to dash for destination-port match-condition.

entry DHCP {
if {
protocol udp ;
destination-port 67-68 ;
} then {
permit ;
}
}

After creating the .pol file you can use "check policy" to check the syntax. Let's say your filename is "rule1.pol". You should use the command below to check the syntax:

check policy rule1

Please take a look into the article below for more details:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS
Userlevel 4
Many thanks to you!

Then, am I correct that this allows all IP traffic, not only DHCP?

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

Thank you!
Userlevel 7
Ilya Semenov wrote:

Many thanks to you!

Then, am I correct that this allows all IP traffic, not only DHCP?

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

Thank you!

That would allow all global IP broadcast packets, not just DHCP.
Userlevel 4
Ilya Semenov wrote:

Many thanks to you!

Then, am I correct that this allows all IP traffic, not only DHCP?

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

Thank you!

But Eric wrote: "That rule would allow IP broadcast traffic only." Who is right?
Userlevel 7
Ilya Semenov wrote:

Many thanks to you!

Then, am I correct that this allows all IP traffic, not only DHCP?

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

Thank you!

The IP address 255.255.255.255 is the local (not global, my mistake) broadcast address for IP version 4, also known as all ones. This includes any protocol and any port, thus it is not just DHCP.

It is not every broadcast packet either, because IP version 4 supports directed broadcasts (directed broadcasts should be disabled for security reasons; they allow e.g. amplification in Smurf attacks).
Userlevel 6
You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.
Userlevel 4
Henrique wrote:

You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

Yes, I have the deny-all rules in the end of ACL.

My additional question was about whether this rule

entry dhcp { if {
destination-address 255.255.255.255/32 ;
} then {
count dhcp ;
permit ;
}
}

makes sense at all.

What does this rule exactly allow?

Thank you very much!
Userlevel 6
Henrique wrote:

You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

That rule would allow IP broadcast traffic only.
Userlevel 7
Henrique wrote:

You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

Ilya,

if you add a deny-all rule you should make sure to deny only IP traffic. If you deny every frame not previously permitted, you might accidentally stop e.g. layer 2 redundancy mechanisms from working correctly (STP, EAPS, ...).

Erik
Userlevel 4
Henrique wrote:

You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

The only deny rule I have is at the end of every ACL. Is it similar to deny-all?

entry perm_blocked_in { if {
source-address 0.0.0.0/0 ;
} then {
deny ;
}
}

Thank you.
Userlevel 7
Henrique wrote:

You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

Hi Ilya,

that entry denies all IP (version 4) traffic, but still allows non-IP Ethernet frames. That is OK and equivalent to the implicit deny any of Extreme EOS (or Cisco IOS) IP access-lists (router ACL).

Erik
Henrique wrote:

You should use the match-condition "source-address 0.0.0.0/0;"

Quick question: Do you have a deny-all rule or some other deny rule?

EXOS ACL (if not used as access-profile to control management access applied directly to ssh, telnet, snmp, etc or used for routing policies) does not have an implicit deny-all rule.

That means if you just apply those DHCP/IP rules to a VLAN or port without any deny rule, it would not take effect for permitted traffic because it's permit by default (inside a rule and inside the policy file). It would help just to count packets if you add a "count" option to the rule.

In our two-tier MLAG design, with VRRP enabled and a VLAN ACL, we also have to allow the VRRP multicast traffic to 224.0.0.18/32 or to all of 224.0.0.0/24.
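To make the behaviour debated in this thread concrete (the broadcast rule matching more than DHCP, the deny rule only ever matching IPv4, and the missing implicit deny), here is a small first-match evaluator, added as an example and not code from the thread or from Extreme; the packet dicts, their field names and the "vrrp"/"llc" labels are my own constructions.

```python
import ipaddress

# Added example, not code from this thread or from Extreme: a first-match
# evaluator for EXOS-style policy entries over constructed sample frames.
def entry(name, action, **conds):
    """One policy entry: match conditions plus a permit/deny action."""
    return {"name": name, "action": action, "conds": conds}

# The entries discussed in the thread, in file order (first match wins).
POLICY = [
    entry("DHCP", "permit", protocol="udp", destination_port=(67, 68)),
    entry("dhcp", "permit", destination_address="255.255.255.255/32"),
    entry("VRRP", "permit", destination_address="224.0.0.18/32"),
    entry("perm_blocked_in", "deny", source_address="0.0.0.0/0"),
]

def matches(e, pkt):
    c = e["conds"]
    # Every condition used above reads the IPv4 header, so a non-IP frame
    # (STP BPDU, EAPS PDU, ...) can never satisfy one of these entries.
    if pkt.get("ethertype") != "ipv4":
        return False
    if "protocol" in c and pkt.get("protocol") != c["protocol"]:
        return False
    if "destination_port" in c:
        lo, hi = c["destination_port"]  # "67-68" is a range; "67,68" is not
        if not lo <= pkt.get("dst_port", -1) <= hi:
            return False
    for cond, field in (("source_address", "src"), ("destination_address", "dst")):
        if cond in c and ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(c[cond]):
            return False
    return True

def evaluate(policy, pkt):
    """Return (entry name, action); EXOS has no implicit deny, so no match means permit."""
    for e in policy:
        if matches(e, pkt):
            return e["name"], e["action"]
    return None, "permit"

# Constructed sample frames (field names are my own, not a capture format).
DHCP_DISCOVER = {"ethertype": "ipv4", "protocol": "udp", "src": "0.0.0.0",
                 "dst": "255.255.255.255", "dst_port": 67}
BCAST_DNS = {"ethertype": "ipv4", "protocol": "udp", "src": "10.0.0.5",
             "dst": "255.255.255.255", "dst_port": 53}   # not DHCP, still hits "dhcp"
VRRP_ADVERT = {"ethertype": "ipv4", "protocol": "vrrp", "src": "10.0.0.2", "dst": "224.0.0.18"}
PING = {"ethertype": "ipv4", "protocol": "icmp", "src": "10.0.0.5", "dst": "10.0.0.1"}
STP_BPDU = {"ethertype": "llc"}  # no IPv4 header at all
```

Running evaluate(POLICY, pkt) over the five frames shows the DNS broadcast permitted by the "dhcp" entry, the ping denied by perm_blocked_in, and the BPDU passing untouched; evaluate(POLICY[:-1], PING) shows the ping permitted once the deny entry is dropped.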
