topic Missing Policy rule precedence for classification type "IP socket" in ExtremeCloud IQ- Site Engine Management Center

Missing Policy rule precedence for classification type "IP socket"

aloeffle — Thu, 30 Mar 2017 14:47:00 GMT

Dear all.

I need to reorder the default policy rule precedence in our setup.
Our goal is, that rules match "ip destination socket" are handeled before "ip destination" then "tcp port destination" rules.

udpdestportIP 53:10.0.0.10 mask 48 forward
ipdestsocket 10.0.0.0 mask 24 drop

Checking the default rule precedence, there is no parameter for "ip destination socket".

SSA Chassis(su)->show policy profile 5
...
Rule Precedence :1-2,29,3-19,23,20-22,25-28,31
:MACSource (1), MACDest (2), Application (29),
:IPXSource (3), IPXDest (4), IPXSrcSocket (5),
:IPXDstSocket (6), IPXClass (7), IPXType (8),
:IPv6Source (9), IPv6Dest (10), IPv6Flow (11),
:IPSource (12), IPDest (13), IPFrag (14),
:UDPSrcPort (15), UDPDestPort (16), TCPSrcPort (17),
:TCPDestPort (18), ICMPType (19), ICMP6Type (23),
:TTL (20), IPTOS (21), IPProto (22), Ether (25),
:LLCDSAPSSAP (26), VLANTag (27), TCI (28), Port (31)
Admin Profile Usage :ge.1.20
Oper Profile Usage :ge.1.20
Dynamic Profile Usage :none

Does anyone have an idea how to handle this?

EOS: 08.62.01.0034
EMC: 7.1.1.9

Thanks and best regards
Alex

RE: Missing Policy rule precedence for classification type "IP socket"

TylerMarcotte — Thu, 30 Mar 2017 20:03:00 GMT

Hi aloeffle,

Changing the policy precedence is generally discouraged. Could you explain your use case a bit more? Perhaps we can find a more elegant way to accomplish what you're looking to do.

Thanks,

Tyler

RE: Missing Policy rule precedence for classification type "IP socket"

Patrick_Koppen — Thu, 30 Mar 2017 22:35:00 GMT

Hi Alex,

IPDest (13) is what you are looking for...

S- K- and 7100-Series Configuration Guide Firmware Version 8.61

Table 155: Administrative Policy and Policy Rule Traffic Classifications

ipdestsocket Classifies based on destination IP address. 13

But there's no difference between ip destination and ip destination with post-fixed port.
Maybe it's help's that the ip destination rule has a shorter mask. So if you change the
precedence to 16,13,18 the order will be:

udpdestportIP(data: ab[:c.d.e.f]; mask 1-48) ipdestsocket (data: a.b.c.d[:ab]; mask: 1-48) tcpdestportIP (data: ab[:c.d.e.f]; mask: 1-48) Regards
Patrick

(edit: never change the rule precedence....)

RE: Missing Policy rule precedence for classification type "IP socket"

aloeffle — Mon, 03 Apr 2017 14:04:00 GMT

Dear Tyler, Patrick.

thanks for your help.
I notice, that I should find a different solution then changing the rule precedence.

My requirement is quiet basic.

Client Network "332" : 10.0.254.0/24
Clients should have Internet Access http & https
DNS & DHCP to internal network
No other communication

Internal Network: 10.0.40.0/24
Here we have the DHCP & DNS Server which serves Client Network 332.
And there are several other Server with http/https Web Management.

A Policy which

dns forward
arp forward
dhcp forward
http forward
ip drop

=> Clients can establish unwanted connections to the Web GUI of 3rd party Server in 10.0.40.0/24.

A Policy which

dns forward
arp forward
dhcp forward
http forward
10.0.40.0/24 drop

=> No more DNS/DHCP

Plan B:
With the recommendation not to change the precedence, I plan to apply an ACL which deny http traffic to the internal network.
(or changing the dns/dhcp design)

Best regards
Alexander

RE: Missing Policy rule precedence for classification type "IP socket"

TylerMarcotte — Mon, 03 Apr 2017 18:36:00 GMT

Alexander,

This is actually a quite common deployment. I'm not sure of the exact CLI syntax on the switch, but since you have Management Center anyway, I would always recommend configuring policy from there.

From Management Center, you would create a policy that is very similar to what you have. The main difference is that you would specify the servers that are running DHCP and DNS by either a dedicated IP address or by using an Automated service. The example I have below shows a single server that's running DHCP and DNS in the private network. That takes precedence over dropping the IP range of a the private network. So in essence the priority would be:

Allow DHCP to 10.0.40.100 (assumed server)
Allow DNS to 10.0.40.100
Deny IP to 10.0.40.0/24
Allow ARP
Allow HTTP
Allow HTTPS

Let me know if that helps. I can provide more screenshots if you'd like or I can export the PMD file as well.

Thanks,

Tyler

RE: Missing Policy rule precedence for classification type "IP socket"

aloeffle — Mon, 03 Apr 2017 19:57:00 GMT

Hello Tyler.

Thanks for your detailed explanation. I am familiar with emc.

I did some tests in my lab and I can confirm what you said. IP Socket Destination has precedence over IP destination. It is not necessary (and obviously not possible) to change the rule precedence.

Thanks for your help!

Best regards

Alexander

RE: Missing Policy rule precedence for classification type "IP socket"

bnfcorbett — Wed, 15 Jan 2020 16:55:00 GMT

Hello Tyler,

I am facing a similar problem to aloeffle and was hoping you could explain to me what you mean by the following sentence:

“The main difference is that you would specify the servers that are running DHCP and DNS by either a dedicated IP address or by using an Automated service.”

I have tried to put in a IP Socket Destination rule for our internal DNS but it is trumped by the IP Address Destination rule to deny access to the internal server LAN (where our DNS server resides).

Were you referring to an IP Socket destination or something else?

Thanks

Brian