Header Only - DO NOT REMOVE - Extreme Networks
Solved

EXOS dynamic ACL on VLAN not working.

  • 19 September 2019
  • 6 replies
  • 263 views

Userlevel 2
Hi,

I want to permit selected subnets and deny all other subnets ingress traffic to our PBX VLAN. I configured the ACLs shown below. But I can still access the PBX VLAN (web pages of IP phones on the PBX VLAN) from everywhere. What could be the problem?

The PBX VLAN's IP subnet is 10.150.101.0/24.

Regards

Rahman

code:
create access-list santral-pbx-010 " source-address 10.242.2.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-020 " source-address 192.168.10.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-030 " source-address 192.168.1.44/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-040 " source-address 192.168.1.183/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-050 " source-address 10.50.0.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-060 " source-address 10.110.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-070 " source-address 10.120.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-080 " source-address 10.130.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-090 " source-address 10.141.26.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-100 " source-address 10.146.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-120 " source-address 10.160.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-130 " source-address 10.111.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ;" application "Cli"



configure access-list add santral-pbx-010 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-020 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-030 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-040 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-050 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-060 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-070 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-080 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-090 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-100 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-110 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-120 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-130 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-deny last priority 0 zone SYSTEM vlan Santral-PBX ingress

Best answer by Erik Auerswald 25 September 2019, 17:35

Hi,

I have not read the ACL exactly, but I think you control the traffic that would be routed to the PBX VLAN in the ACL, but then apply it inbound on the PBX VLAN itself. Thus the ACL does not see the traffic going to the PBX, but it sees traffic sent from the PBX.

You would need to apply an ACL controlling access from outside to the PBX VLAN outbound on the PBX VLAN (egress direction).

On EXOS, ACLs are applied to the physical port, not to the logical routing function (Switched Virtual Interface) as in other implementations (e.g., ExtremeEOS).

Thanks,
Erik

6 replies

Userlevel 2
Hi,

I just deleted all the dynamic ACL rules and created a policy file: "santral-pbx.pol"

code:
entry santralpbx-allowed-networks-01 {
if match all {
source-address 10.242.2.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-02 {
if match all {
source-address 192.168.10.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-03 {
if match all {
source-address 192.168.1.44/32;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-04 {
if match all {
source-address 192.168.1.183/32;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-05 {
if match all {
source-address 10.50.0.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-06 {
if match all {
source-address 10.110.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-07 {
if match all {
source-address 10.120.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-08 {
if match all {
source-address 10.130.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-09 {
if match all {
source-address 10.141.26.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-10 {
if match all {
source-address 10.146.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-11 {
if match all {
source-address 10.150.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-12 {
if match all {
source-address 10.160.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-13 {
if match all {
source-address 10.111.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-deny-all {
if {
source-address 0.0.0.0/0;
destination-address 10.150.101.0/24;
} then {
deny;
count santralpbx-deny-count;
}
}





As you can see, I permitted some subnets and at the end denied all sources. I applied this policy to the ingress of VLAN "Santral-PBX":

code:
configure access-list santral-pbx vlan "Santral-PBX" ingress


But I can still ping and open the web GUI of the IP phones from everywhere. It does not deny traffic as it should. When I look at the counter statistics, it shows this:

code:
SAVSAT-METRO.3 # show access-list counter ingress
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
santral-pbx Santral-PBX * ingress
santralpbx-deny-count 0
santralpbx-permit-count 11431


Any idea why it does not work? Should I apply the policy file to all ports instead of VLAN?

Regards,

Rahman
Userlevel 2
Hi,

I have not read the ACL exactly, but I think you control the traffic that would be routed to the PBX VLAN in the ACL, but then apply it inbound on the PBX VLAN itself. Thus the ACL does not see the traffic going to the PBX, but it sees traffic sent from the PBX.

You would need to apply an ACL controlling access from outside to the PBX VLAN outbound on the PBX VLAN (egress direction).

On EXOS, ACLs are applied to the physical port, not to the logical routing function (Switched Virtual Interface) as in other implementations (e.g., ExtremeEOS).

Thanks,
Erik

Hi Erik,

Thanks for the suggestion, I will try it and report back if it works.

Every example I saw on the community hub and GTAC suggested applying the ACL to the ingress of the VLANs. I have read the whole EXOS documentation on ACLs a few times already. I think the documentation needs some clarification on "which traffic is ingress to a VLAN and which is egress from a VLAN". It is not very clear.

When I read the documentation I understand "traffic routed to the VLAN is ingress traffic for that VLAN" and "traffic originating from the VLAN and routed to other VLANs is egress traffic for that VLAN".

Regards,

Rahman
Userlevel 2
Ingress and egress can be confusing, especially with VLANs. Ingress to a VLAN means packets coming in on a port that is a member of that VLAN, tagged or not. I honestly don't know if a packet that is being routed from another VLAN and then passes a certain VLAN is actually considered as ingressing that VLAN, but I don't think so as it is actually rather egressing the port and hence it is considered egressing the VLAN.

It should be fairly simple to find out by applying your policy on ingress on some other VLAN that is supposed to be blocked by the policy.

/Fredrik
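Added example, not code from this thread or from Extreme Networks: a small Python model of the rule Erik and Fredrik describe. It parses the .pol entry syntax Rahman posted (an abridged, constructed copy with the same 10.150.101.0/24 destination and the same counter names) and evaluates sample packets with the policy bound to the PBX VLAN first ingress and then egress. The model assumes what the two replies state: a policy bound to a VLAN is consulted only for frames that enter (ingress) or leave (egress) a port belonging to that VLAN, entries are tried in file order with the first match deciding, and a packet matching no entry is permitted. The "Office" and "Guest" VLAN names, the 172.16.5.0/24 subnet and all host addresses are constructed.

```python
import ipaddress
import re

# Constructed, abridged copy of the policy file posted in the thread
# (same .pol syntax: two of the permit entries plus the final deny).
POLICY = """
entry santralpbx-allowed-networks-02 {
if match all {
source-address 192.168.10.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}
entry santralpbx-allowed-networks-11 {
if match all {
source-address 10.150.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}
entry santralpbx-deny-all {
if {
source-address 0.0.0.0/0;
destination-address 10.150.101.0/24;
} then {
deny;
count santralpbx-deny-count;
}
}
"""

# entry NAME { if [match all] { CONDITIONS } then { ACTIONS } }
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if(?:\s+match\s+all)?\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S,
)
ANY = ipaddress.ip_network("0.0.0.0/0")


def parse_policy(text):
    """Return [(name, {condition: network}, 'permit'|'deny', counter_or_None)] in file order."""
    entries = []
    for name, cond_block, action_block in ENTRY_RE.findall(text):
        conds = {}
        for stmt in cond_block.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, value = stmt.split(None, 1)
                conds[key] = ipaddress.ip_network(value)
        actions = [a.strip() for a in action_block.split(";") if a.strip()]
        verdict = "permit" if "permit" in actions else "deny"
        counter = next((a.split()[1] for a in actions if a.startswith("count ")), None)
        entries.append((name, conds, verdict, counter))
    return entries


# Constructed VLAN table: only Santral-PBX and its subnet come from the thread.
VLANS = {
    "Santral-PBX": ipaddress.ip_network("10.150.101.0/24"),
    "Office": ipaddress.ip_network("192.168.10.0/24"),
    "Guest": ipaddress.ip_network("172.16.5.0/24"),
}


def vlan_of(ip):
    """VLAN whose subnet contains ip, i.e. the VLAN of the port the frame enters or leaves."""
    for name, net in VLANS.items():
        if ip in net:
            return name
    raise ValueError(f"no VLAN for {ip}")


def evaluate(entries, bind_vlan, bind_dir, src, dst):
    """Verdict and counter hit for one packet routed (or bridged) from src to dst.

    The policy is consulted only if the frame enters (ingress) or leaves (egress)
    a port of the VLAN it is bound to; otherwise the packet is not on its path.
    First matching entry decides; no match means permit (assumed EXOS behaviour)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    in_vlan, out_vlan = vlan_of(src_ip), vlan_of(dst_ip)
    on_path = (bind_dir == "ingress" and bind_vlan == in_vlan) or (
        bind_dir == "egress" and bind_vlan == out_vlan
    )
    if not on_path:
        return "permit", None
    for _name, conds, verdict, counter in entries:
        if (src_ip in conds.get("source-address", ANY)
                and dst_ip in conds.get("destination-address", ANY)):
            return verdict, counter
    return "permit", None


# Constructed sample flows; the 10.150.101.x hosts stand in for the IP phones.
SAMPLES = {
    "guest->pbx": ("172.16.5.20", "10.150.101.10"),
    "office->pbx": ("192.168.10.7", "10.150.101.10"),
    "pbx->pbx": ("10.150.101.10", "10.150.101.11"),
    "pbx->guest": ("10.150.101.10", "172.16.5.20"),
}


def demo():
    """Evaluate every sample flow with the policy bound ingress and then egress on Santral-PBX."""
    entries = parse_policy(POLICY)
    return {
        (direction, flow): evaluate(entries, "Santral-PBX", direction, src, dst)
        for direction in ("ingress", "egress")
        for flow, (src, dst) in SAMPLES.items()
    }


if __name__ == "__main__":
    for (direction, flow), (verdict, counter) in demo().items():
        print(f"{direction:8} {flow:12} {verdict:7} {counter or '-'}")
```

With the ingress binding the model reproduces the counter output Rahman posted: a guest host reaching a phone is never seen by the policy, so it is permitted with no counter hit, only the PBX-to-PBX entry increments santralpbx-permit-count, and santralpbx-deny-count stays at zero. With the same policy bound egress (the same configure access-list ... vlan "Santral-PBX" command with egress in place of ingress), the guest flow reaches the deny-all entry and the office subnet is still permitted by its own entry, which is the behaviour the thread ends up with.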
Userlevel 2
Hi,

@Erik Auerswald @FredrikB thank you both for your help. Applying the ACL to the egress of the PBX VLAN solved the issue.

I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs.

Regards,

Rahman
Userlevel 2
"I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs."

I agree. Either more real-world examples in the user guide or a reference to a collection of such examples on the web would be very helpful. Sadly, this seems to be a hard nut for Extreme to crack, probably due to unwillingness to put out examples that may break in future releases, ending up in support cases where customers want this or that example to work in their environment. I guess that's what this forum is supposed to address to some extent.

Reply