topic Re: Troubleshoot an RDP ACL in ExtremeSwitching (EXOS/Switch Engine)

Troubleshoot an RDP ACL

Abhishek_Potdar — Wed, 11 May 2022 08:15:07 GMT

Hello All,

I am trying to create an ACL where certain subnets can RDP "port 3389" into a different subnet's hosts. While other devices can't RDP to that certain subnet. I am pasting the ACL, I have created. Basically, 10.8.7.X subnet should be able to RDP into 10.18.111.X subnet using port 3389. while other subnets should get denied.
I have applied the policy to the uplink port along with the 10.18.111.X vlan but with no luck, seems like the policy is ignoring my deny rules. What am I missing here?

Policies at Policy Server:
Policy: rdp
entry RDP-allow {
if match all {
source-address 10.8.7.0/24 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
permit ;
}
}
entry default-deny {
if match all {
source-address 0.0.0.0/0 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
deny ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

Re: Troubleshoot an RDP ACL

CThompsonEXOS — Wed, 11 May 2022 15:53:06 GMT

Hi,

Can you apply counters to both ACLs and then "refresh policy <policy name>"?

That will see which rule they are hitting. ACLs are done in hardware so generally we see that the traffic isn't flowing how we think it is rather then ACLs ignoring entries/deny statements.

Thanks,
Chris Thompson

Re: Troubleshoot an RDP ACL

Abhishek_Potdar — Wed, 11 May 2022 17:59:12 GMT

Updated the policy to add counters
entry rDP-allow {
if match all {
source-address 10.8.7.0/24 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
permit ;
count allow_acl ;
}
}
entry default-deny {
if match all {
source-address 0.0.0.0/0 ;
destination-address 10.18.111.0/24 ;
protocol tcp ;
source-port tcp ;
destination-port 3389 ;
}
then {
deny ;
count deny_acl ;
}
}
Number of clients bound to policy: 1
Client: acl bound once

Applied the policy to any port any vlan yet the counter number is not increasing?

DR-Core.4 # show access-list
Vlan Name Port Policy Name Dir Rules Dyn Rules
===================================================================
* * rdp ingress 2 0
* * rdp egress 2 0

DR-Core.4 # show access-list counter
Policy Name Vlan Name Port Direction
Counter Name Packet Count Byte Count
==================================================================
rdp * * ingress
allow_acl 0
deny_acl 0

Re: Troubleshoot an RDP ACL

AdrianO — Thu, 12 May 2022 13:51:32 GMT

I don´t think that "source-port tcp;" is correct. With the "protocol tcp;" condition is sufficient.

Re: Troubleshoot an RDP ACL

Gabriel_G — Fri, 13 May 2022 16:28:34 GMT

Hello,

source-port tcp is not a valid match condition. You can find all possible match conditions and their inputs in the EXOS User Guide page 769:
https://documentation.extremenetworks.com/exos_31.7/downloads/EXOS_User_Guide_31.7.pdf