topic RE: A little ACL help in ExtremeSwitching (EXOS/Switch Engine)

A little ACL help

Terren_Crider — Wed, 14 Feb 2018 06:00:00 GMT

I'm developing an ACL to allow guest use of certian resources on my network. In the end, the guest network will be its own subnet. So, I want to apply this ACL at the VLAN level. I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...

Where might I be messing this up?

entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}

entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}

entry denyswitch {
if {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
} then {
deny;}
}

entry denyswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
} then {
deny;}
}

entry denylocalssh {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

entry sshmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}

entry allowdhcp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 67-68;
} then {
permit;}
}

entry allowdns {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}

entry allowntp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}

entry allowvncmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}

entry allowwinlogon {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port > 1024;
destination-address 10.0.66.220/32;
} then {
permit;}
}

#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}

#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}

#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}

entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPsinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPsinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPsinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry allowhttpinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}

entry allowhttpsinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}

entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}

RE: A little ACL help

Terren_Crider — Wed, 14 Feb 2018 06:03:00 GMT

Tried to make some code tags... but that didn't work for me, either.

RE: A little ACL help

George_Smith1 — Wed, 14 Feb 2018 06:23:00 GMT

Maybe in the

entry denyswitch {
if {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
} then {
d eny;}
}

There is a space in the “deny” that should not be there?

RE: A little ACL help

Terren_Crider — Wed, 14 Feb 2018 06:23:00 GMT

I don't have any undue spaces in the .pol file itself.

RE: A little ACL help

Terren_Crider — Wed, 14 Feb 2018 07:10:00 GMT

Is it possible to apply an ACL to a VLAN but exclude one port?

Edit: My thought here is that the VLAN in question in my lab setup is also on the uplink port of the switch.

RE: A little ACL help

tknv — Wed, 14 Feb 2018 07:23:00 GMT

Hi Terren,

I am not certain problems, but if early permit condition contain deny condition and earlier than the deny condition, that would be permitted. Thus deny first (better all deny condition) more safer.
If yet problem, please let us share exactly which packet should be deny/permit with us.

RE: A little ACL help

Terren_Crider — Thu, 15 Feb 2018 00:11:00 GMT

I have it working now. I'm still not sure what was getting blocked, but I added an entry to allow bidirectional traffic to my VLAN.

entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}

This was added as the second to last entry, right above the denyall rule.

Edit: I also changed the order of some things. Like allowing DNS, DHCP, NTP at the top rather than in the middle.

RE: A little ACL help

tknv — Thu, 15 Feb 2018 00:11:00 GMT

Probably earlier entry blocked it. Can you share whole ACL .pol?

RE: A little ACL help

Stephane_Grosj1 — Thu, 15 Feb 2018 00:11:00 GMT

not sure if it applied here, but the difference when using VLAN for ACL is that it applies only to traffic entering the VLAN (not exiting it).

RE: A little ACL help

Terren_Crider — Thu, 15 Feb 2018 00:11:00 GMT

Here's the current working ACL. Without the second to last entry "allowbidirectional" it does not work.

entry allowDHCP {
if {
source-address 0.0.0.0/0;
pr otocol udp;
destination-port 67-68;
} then {
permit;}
}

entry allowDNS {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}

entry allowNTP {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}

entry allowVNCmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}

entry denylocalSSH {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}

entry SSHmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
permit;}
}

entry allowNetSightin {
if {
source-address 10.0.200.216/32;
destination-address 10.0.99.200/32;
} then {
permit;}
}

entry allowNetSightout {
if {
source-address 10.0.99.200/32;
destination-address 10.0.200.216/32;
} then {
permit;}
}

entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}

entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}

entry denyHTTPswitch {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.200/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}

entry denyICMP {
if {
source-address 10.0.99.0/24;
protocol icmp;
} then {
deny;}
}

#entry allowwinlogon {
# if {
# source-address 10.0.99.0/24;
# protocol tcp;
# destination-port > 1024;
# destination-address 10.0.66.220/32;
# } then {
# permit;}
#}

#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}

#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}

#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}

entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}

entry denyHTTPSinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPSinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry denyHTTPSinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}

entry allowHTTPinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}

entry allowHTTPSinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}

entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}

entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}

RE: A little ACL help

tknv — Thu, 15 Feb 2018 00:11:00 GMT

Thank you very much. I think a packet (to/from 10.0.0.0/8) is not match below should be permit. entry denylocalSSH { if { source-address 10.0.99.0/24; protocol tcp; destination-port 22; } then { deny;} } entry denyHTTPswitch { if { source-address 10.0.99.0/24; destination-address 10.0.99.200/32; protocol tcp; destination-port 80; } then { deny;} } entry denyHTTPswitch2 { if { source-address 10.0.99.0/24; destination-address 10.0.99.254/32; protocol tcp; destination-port 80; } then { deny;} } entry denyICMP { if { source-address 10.0.99.0/24; protocol icmp; } then { deny;} } entry denyHTTPinternal10 { if { destination-address 10.0.0.0/8; protocol tcp; destination-port 80; } then { deny;} } entry denyHTTPSinternal10 { if { destination-address 10.0.0.0/8; protocol tcp; destination-port 443; } then { deny;} } Please let me know if my understanding is wrong.
Can you share the packet that should be permitted but denied?