
N7 ACL Issue


I've been asked to create a VLAN that will be used for a guest wireless network. I need to be able to access only the DHCP server on VLAN1 from this new VLAN. I'm trying to create an access-list on our Enterasys N7 Platinum that will do this. Here is what I have so far:

Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0

On the N7:

interface vlan 1

ip address 10.50.2.1 255.255.128.0

no shutdown

interface vlan 200

ip address 10.51.0.1 255.255.252.0

ip helper-address 10.50.1.30

no shutdown

access-list 123 permit udp any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any

When I apply this outbound to interface vlan 200, it allows all traffic. I was under the impression (coming from a Cisco background) that once a rule in an access list has been processed, it stops there. So, for instance, shouldn't any traffic denied by the second part of this access list be denied regardless of the last line of this access-list?

I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.

10 replies

Userlevel 5
Hi Robert

To use ACLs is fine, but I would recommend utilizing Policy and Policy Manager to quickly and easily create what you require.
Userlevel 7
Hello Robert,

you are correct that the EOS router ACL is processed from the top down, stopping at the first match, with an implicit deny at the end. Just like a Cisco IOS router ACL.

If you bind ACL 123 outgoing on interface vlan 200 you will deny any traffic with an IP address from VLAN 200 originating outside of that VLAN to be routed into the VLAN. That would be an anti-spoofing ACL.

As far as I understand, you intend to block traffic originating in VLAN 200 to reach 10.50.0.0/17. To do that, you would need to bind the ACL inbound in VLAN 200.

I recommend drawing a simple diagram with just the relevant router interfaces to plan ACL deployment. Especially with multilayer switches and Switched Virtual Interfaces it is not that easy to understand which packets are affected by an ACL.

Best regards,
Erik
Something as simple as the following doesn't work:

access-list 150 deny icmp 10.50.0.0 0.0.127.255 any
access-list 150 permit ip any any

Applied inbound on interface vlan 200, still allows pings from vlan 1. What am I missing here?
Userlevel 7
Hello Robert,

packets with a source address in 10.50.0.0/17 will not enter the SVI Vlan 200, unless the end systems in VLAN 200 spoof the sender IP addresses. Thus your ACL 150 does not deny any packets.

You might want to try the following ACL as a starting point:

access-list 101 deny icmp any 10.50.0.0 0.0.127.255
access-list 101 permit ip any any
interface vlan 200
ip access-group 101 in

That denies ICMP packets sent from VLAN 200 to the IP range of VLAN 1.

Best regards,
Erik
Userlevel 3
Hello Robert,

The ACL 150 you provided in your last post will prevent ICMP traffic coming into the VLAN 200 router interface sourced from the 10.50.0.0 range going anywhere.

Instead I'd suggest using "deny icmp any 10.50.0.0 0.0.127.255" in place of your "deny icmp 10.50.0.0 0.0.127.255 any" This will deny any traffic destined to the 10.50.0.0/17 range and would be applied inbound on VLAN 200.

If you wanted to deny all icmp traffic to the 10.50.0.0/17 range you could also apply the same ACL outbound on VLAN 1 as it would still match and drop packets destined to the 10.50.0.0 range.

As Erik suggested, sometimes drawing out the data path can help identify where to place ACLs and how to craft them.

For additional reading we also have a ACL section in our configuration guides. http://documentation.extremenetworks.com/EOS_Config/S-K-Series/S-K-7100_Configuration_Guide/c_ACL_Ru...

-Alex
Ok awesome! deny icmp any 10.50.0.0 0.0.127.255 worked for that instance

I got a little confused in where the packets were coming from (again, been working on this for a few days now and it's all starting to run together).

Here is what I have now:

Extended IP access list 126
1: permit udp any range 67 68 any
2: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
3: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
4: permit ip any any

If applied outbound on interface vlan 200, shouldn't this allow me to grab a DHCP address from the server that's on vlan 1, but deny the rest of traffic sourced from vlan 200 destined for vlan 1?

If so, with this rule applied, it's still allowing me to ping devices on vlan 1 from vlan 200 and access file shares as well.

I feel like I'm so close to having this thing whipped and really appreciate all input from you guys so far.
Userlevel 3
Hello Robert,

Have you tried applying that rule inbound on vlan 200?

Based on that ACL it will block traffic sourced from 10.51 and destined to 10.50. So if you apply it outbound as you have you will not block anything because the traffic leaving the router and going into VLAN 200 (outbound) will be sourced from 10.50 and going to 10.51. If you apply it inbound so traffic coming into the router from VLAN 200 (inbound) you will now have traffic sourced from 10.51 and destined to 10.50 which will match your ACL.

ACL inbound and outbound is based on the L3 router's view of the world, so if you draw a router then anything coming into it from other parts of your network is inbound while anything leaving it is considered outbound. ACLs can be applied on the interfaces to filter this traffic, but the ACL rules will need to match the traffic as it would be where the ACL is applied. So your rule could work outbound if you flipped the source and destination fields of your ACL to match where the packet is coming from and where it is going.

-Alex
Alex! That worked sir! I was under the impression that "out" referred to anything going out of that interface vice versa with "in". Thank you very much for clearing that up for me. Perhaps you could help me with one more addition to that acl? To finish out, I need to allow vlan 200 to use a dns server on vlan 1. Here is what I have configured inbound vlan 200:

1: permit udp any range 67 68 any
2: permit udp any eq 53 any
3: permit tcp any eq 53 any
4: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 107
5: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 971
6: permit ip any any

Will 2 and 3 not allow any dns requests to flow from vlan 200 to vlan 1?
Userlevel 3
Hello Robert,

You will need to make a slight change to lines 2 and 3. Instead of "any eq 53 any" you should use "any any eq 53". Client to Server conversations tend to be from a randomized source port destined to a specific server port. So in this case you want any IP on any port destined to any IP on port 53 (permit udp ). You could also substitute the any fields with your 10.51 and 10.50 range. So it could be "permit udp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 eq 53"

-Alex
Again, worked flawlessly. I can't thank you enough for the assistance you've given here. Thanks to you as well, Erik.

Is the first part of this ACL working because clients send the dhcp discover/requests on port 68 instead of a random port? Just trying to clear all of this up in my head for future reference.

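The three points the thread settles (the ACL is evaluated top-down, first match wins; "in" and "out" are from the router's point of view, so source and destination are flipped between the two directions; and a client-to-server rule must put the well-known port on the destination side, which is also why "range 67 68" on the source side catches DHCP clients, which always send from UDP 68) can be checked without a switch. The following is an added example written for this page, not code from the thread or from Extreme; it is a small first-match evaluator for EOS/IOS-style extended ACL lines, using the thread's addresses and ACL 126 as posted. The packet samples (client IPs, the DNS server at 10.50.1.30, ephemeral ports) are constructed for the demonstration.

```python
"""Added example (not from the thread): first-match evaluator for extended ACL lines."""
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
ANY_PORT = (0, 65535)


def _parse_addr(tokens):
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard' and return a network."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    wildcard = int(ipaddress.ip_address(tokens.pop(0)))
    netmask = ipaddress.ip_address(~wildcard & 0xFFFFFFFF)  # 0.0.3.255 -> 255.255.252.0
    return ipaddress.ip_network(f"{t}/{netmask}", strict=False)


def _parse_ports(tokens):
    """Consume an optional 'eq N' or 'range A B'; default is any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        p = int(tokens.pop(0))
        return (p, p)
    if tokens and tokens[0] == "range":
        tokens.pop(0)
        return (int(tokens.pop(0)), int(tokens.pop(0)))
    return ANY_PORT


def parse_acl(text):
    """Accept 'access-list N ...' lines or 'N: ...' show output; trailing hit counters are ignored."""
    rules = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens[0] == "access-list":
            tokens = tokens[2:]
        elif tokens[0].endswith(":"):
            tokens = tokens[1:]
        action, proto, rest = tokens[0], tokens[1], tokens[2:]
        src, sport = _parse_addr(rest), _parse_ports(rest)
        dst, dport = _parse_addr(rest), _parse_ports(rest)
        rules.append((action, proto, src, sport, dst, dport))
    return rules


def evaluate(rules, pkt):
    """Top-down, first match wins, implicit deny at the end. Returns (action, rule number)."""
    for number, (action, proto, src, sport, dst, dport) in enumerate(rules, 1):
        if proto != "ip" and proto != pkt.proto:
            continue
        if pkt.src not in src or pkt.dst not in dst:
            continue
        if proto in ("tcp", "udp"):
            if not (sport[0] <= pkt.sport <= sport[1] and dport[0] <= pkt.dport <= dport[1]):
                continue
        return action, number
    return "deny", None


# ACL 126 with lines 2 and 3 written as Alex corrected them (server port on the destination side).
ACL_IN = parse_acl("""
1: permit udp any range 67 68 any
2: permit udp any any eq 53
3: permit tcp any any eq 53
4: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 107
5: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 971
6: permit ip any any
""")
# Lines 2 and 3 as Robert first posted them (server port on the source side).
ACL_AS_POSTED = parse_acl("""
1: permit udp any range 67 68 any
2: permit udp any eq 53 any
3: permit tcp any eq 53 any
4: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
5: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
6: permit ip any any
""")

A = ipaddress.ip_address
# Constructed packets as the router sees them entering from VLAN 200 (inbound on interface vlan 200).
DHCP_DISCOVER = Packet("udp", A("0.0.0.0"), 68, A("255.255.255.255"), 67)   # client always sends from 68
DNS_QUERY = Packet("udp", A("10.51.0.5"), 49152, A("10.50.1.30"), 53)      # random source port -> 53
PING_TO_VLAN1 = Packet("icmp", A("10.51.0.5"), 0, A("10.50.2.1"), 0)
SMB_TO_VLAN1 = Packet("tcp", A("10.51.0.5"), 50000, A("10.50.1.40"), 445)
# The same ping as an outbound ACL on vlan 200 would see it: leaving the router towards VLAN 200.
PING_REPLY_OUT = Packet("icmp", A("10.50.2.1"), 0, A("10.51.0.5"), 0)
# A guest host choosing source port 68 deliberately: rule 1 has no destination port or address.
SPOOF_SPORT_68 = Packet("udp", A("10.51.0.5"), 68, A("10.50.1.40"), 161)

if __name__ == "__main__":
    for name, pkt in [("dhcp", DHCP_DISCOVER), ("dns", DNS_QUERY), ("ping", PING_TO_VLAN1),
                      ("smb", SMB_TO_VLAN1), ("ping as outbound", PING_REPLY_OUT),
                      ("sport 68 to snmp", SPOOF_SPORT_68)]:
        print(f"{name:18} corrected: {evaluate(ACL_IN, pkt)}  as posted: {evaluate(ACL_AS_POSTED, pkt)}")
```

Run inbound on vlan 200, the corrected list permits the DHCP discover on line 1 and the DNS query on line 2, and drops the ping (line 4) and the SMB session (line 5); the as-posted version drops the same DNS query on line 5 because its source port is not 53. The ping, flipped into the direction an outbound ACL on vlan 200 would see it, falls through to line 6, which is why the outbound binding in the thread appeared to do nothing. The last sample is the caveat a practitioner would add: "permit udp any range 67 68 any" keys only on the source port, so a guest host that sends from UDP 68 reaches any UDP service on VLAN 1; "permit udp any eq 68 any eq 67" keeps the DHCP exchange working and closes that path.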