topic RE: Policy to deny access to internal networks but allow access externally not working in ExtremeCloud IQ- Site Engine Management Center

Policy to deny access to internal networks but allow access externally not working

Brian_Anderson — Mon, 21 May 2018 23:52:00 GMT

Working with Exos, S-series router and Policy Manager.

Currently working with a customer, and I've setup a policy to deny 10.0.0.0/8 but allow 10.0.0.0/24. Precedence shows this should work. I also have allow DNS, DHCP and ARP. In the past with EOS, allow ARP allows the workstation to access the network via the gateway. I believe the workstation just arps up its gateway and uses the mac address for network access. I can't get that to work on EXOS. I've setup a rule to allow to the mac address of the s-series and that works, however I'm able to access everything on the 10 network that I've setup as a deny. Same result when I just allow the IP address of the gateway of the workstation (10.190.0.1). Has anybody setup this type of scenario with EXOS? I've got a case open, and they are looking at the switching side of things being the cause. I've upgraded to the latest code on the EXOS and still doesn't work. Just seeing if anybody else has run into this before and if there is a solution before I go down the ACL road. Thanks.

RE: Policy to deny access to internal networks but allow access externally not working

Sushruth_Sathya — Sun, 27 May 2018 19:09:00 GMT

Hi Brian, could you share the ACL that you have applied. #show policy

RE: Policy to deny access to internal networks but allow access externally not working

Brian_Anderson — Tue, 29 May 2018 23:27:00 GMT

I don't have ACLs currently in place. That is probably the solution I'll have to go with, unfortunately. Haven't heard any progress from GTAC side yet.

RE: Policy to deny access to internal networks but allow access externally not working

Brian_Anderson1 — Thu, 12 Jul 2018 19:18:00 GMT

FYI, received a response from GTAC, v22.5.1.7 is supposed to work. I haven't had a chance to test yet.

RE: Policy to deny access to internal networks but allow access externally not working

TRC_Sysadmins — Mon, 26 Oct 2020 13:05:00 GMT

We are on v22.6.1.4-patch 1. Trying to get the same sort of policy set up that allows PCs to get to the internet but not the internal networks (for some IoT types). This thread looked promising but there is no solution posted. Did you ever get this to work? If so - please share

RE: Policy to deny access to internal networks but allow access externally not working

Brian_Anderson1 — Tue, 27 Oct 2020 03:23:00 GMT

Not sure. The customer never got back with me on the test switch we were working with. However GTAC had tested with the updated firmware successfully. Sometimes the firmware bug fixes don’t make it across firmware forks immediately. I would try the 22.5.1.7 latest patch and see if that works for you.

On your policy I would block all internal network access and just allow ports such as DHCP and DNS, that should get you internet access without internal access.