topic RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS in ExtremeSwitching (EOS)

OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Mon, 16 Oct 2017 20:33:00 GMT

Hi,

when replacing EOS based access switches (e.g. S-Series) with EXOS based switches with OnePolicy support (e.g. X460-G2 or X440-G2), there is a difference in behavior if a deny all policy is used. On EOS, STP BPDUs are not blocked, but on EXOS they are blocked by the OnePolicy.

I have encountered this with a customer using a deny all default OnePolicy to drop traffic from unauthenticated devices. After authentication, legitimate devices are assigned a OnePolicy to allow desired communication (and a VLAN is assigned using the RFC 3580 method as well).

While it is documented that deny all EXOS ACLs drop all Layer 2 protocols, I was not aware that this was carried over to OnePolicy (and I did not check the documentation).

Another problem is how to allow STP BPDUs in the default policy. I see two obvious methods to recognize them:

By the destination MAC address of 01:80:C2:00:00:00
By the LLC DSAP of 0x42 and SSAP of 0x42

The first method should be supported on X460-G2 switches (according to show policy capabilities), but not on e.g. X440-G2. The second method is not supported by either X440-G2 nor X460-G2. Since we had X440-G2 in the lab, we could not test the first method when I was on-site (for a different task that had priority).

Has anybody encountered this problem before? How was it solved?

[Note: OnePolicy was just called Policy on EOS, but EXOS knew policy (.pol) files (also known as ACLs) as well. EXOS ACLs are more powerful than EXOS OnePolicies.]

Thanks,
Erik

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

M_Nees — Tue, 17 Oct 2017 02:24:00 GMT

Hi Erik,

i ran into the same problem!

I have a customers project with PEAP and EAP-TLS Authentication and a "Pre-Login" Policy which only allow some specific communications. After upgrade from EXOS 21.1.3 to EXOS 22.3.1.4 PEAP and EAP-TLS is not running anymore.

i opened a case.

Possible Solutions:
+ change Pre-Login Policy from PVID 0 (Deny All ) to PVID 4095 (allow All)
+ Enhance Pre-Login Policy with STP BPDU, EAPOL, ...
+ Waiting till EXOS 22.4.x which will change behaviour back as it was in 21.1.3

Allowing STP via 01:80:C2:00:00:00 on X440-G2 is possible if you do not try to use a variable mask - use ff:ff:ff:ff:ff:ff

Here an example:
configure policy profile 1 name "PC-PreAuth" pvid-status "enable" pvid 0
configure policy rule 1 macdest 01-80-C2-00-00-00 mask 48 forward
configure policy rule 1 ether 0x0806 mask 16 forward
configure policy rule 1 ether 0x8100 mask 16 forward
configure policy rule 1 ether 0x888E mask 16 forward
configure policy rule 1 ether 0x88CC mask 16 forward

Regards,
Matthias

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Tue, 17 Oct 2017 02:24:00 GMT

Hi Matthias,

the macdest OnePolicy rule was not accepted on the X440-G2 in the lab. I tried it with the 48 bit mask only, because that is what needs to be matched. After this I checked with "show policy capabilit" what is supported, and destination MAC had no check mark.

Regards,
Erik

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

M_Nees — Tue, 17 Oct 2017 02:24:00 GMT

Do you work with recent EXOS firmware ? I am really sure that the above example works on customers system with X440-G2 with 22.3.1.4 firmware.

Regards

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Tue, 17 Oct 2017 02:24:00 GMT

It should have been 22.3, but I am not totally sure, because we rebooted into an older firmware the verify that some Policy Manager issues were introduced by 22.3. We should have rebooted into 22.3 before the above mentioned tests, as far as I remember.

Thanks,
Erik

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

M_Nees — Wed, 13 Dec 2017 13:38:00 GMT

Issue is still existing in EXOS 22.4:

https://gtacknowledge.extremenetworks.com/articles/Solution/802-1X-Authentication-Fails-after-Reject...

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Wed, 13 Dec 2017 13:38:00 GMT

Hi Matthias,

that is a new issue (EAPoL blocked by a DenyAll policy) that I have not seen in the wild yet, this worked before 22.3.1.4.

Thanks for pointing out this article!

Erik

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Wed, 13 Dec 2017 13:38:00 GMT

There is another issue with regard to a DenyAll default policy:
Authenticated user FDB entry stay learned in the untagged vlan, and can't send traffic. That one is supposed to be fixed in 22.3, perhaps this "fix" introduced the new problem with EAPoL frames?

I do not like how this issue is progressing... 😞

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Sun, 21 Jan 2018 00:47:00 GMT

Hi all,

I have heard a disturbing rumour (I have not received a direct confirmation from an Extreme representative) from a reliable source that the S-Series and K-Series firmware will be (or has been already) changed to break the often used DenyAll default rule with policies applied after authenticating end systems, just as it is broken on EXOS (see the first post of this thread).

To add insult to injury this change is supposed to be implemented without any mention in the Release Notes, breaking existing networks if new firmware is installed, without any chance for a warning in advance. Installing new firmware is often required to stay in compliance with regulations and contracts, including receiving support from Extreme Networks.

I do not want to believe this, but there is a certain logic to this ("EOS" always used a couple of undocumented exceptions to not break networks with a policy that denies "all" frames, while EXOS requires the user to manually allow what is needed for the network to function, see e.g. the issue from the post above or the Example ACL Rule Entries from the documentation).

Can anybody confirm this, or has seen this with current S-Series or K-Series firmware already?

Best regards,
Erik

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Daniel_Coughlin — Sun, 21 Jan 2018 00:47:00 GMT

Erik,
I spoke with engineering about this rumor. They have not made changes to which protocols are still processed by EOS in the presence of a default drop rule in policy. They also stated that there is no plan to do so in the future.

RE: OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald — Sun, 21 Jan 2018 00:47:00 GMT

Hi Daniel,

thanks for the info, that was the reply I hoped to get. 🙂

Erik