topic Re: ACL on G2 to only allow one IP address to connect in ExtremeSwitching (EXOS/Switch Engine)

ACL on G2 to only allow one IP address to connect

dj_mcadams — Thu, 03 Dec 2020 01:31:02 GMT

I need to restrict access to my IP cameras from one IP which is 10.10.10.104/24

I have 8 IP cameras and I’m just trying to get this working with one for now.I have the following to allow it and that obviously works, but I cant figure out the else if/else syntax. I’d like to just have the below and add else { deny;} but it doesn't work. Thoughts?

entry IPCameraACL{
if match all {
source-address 10.10.10.104/32 ;
destination-address 10.10.10.52/32 ;
} then {
permit ;
}

Re: ACL on G2 to only allow one IP address to connect

Stefan_K_ — Thu, 03 Dec 2020 01:35:42 GMT

Greetings,

entry IPCameraACL_deny{
if match all {
destination-address 10.10.10.52/32 ;
} then {
deny;
}

Make sure to also allow the other way round (from 10.10.10.52/32 to 10.10.10.104/32) with another entry before the deny entry.. The Switch isn’t a stateful inspection firewall.

Re: ACL on G2 to only allow one IP address to connect

dj_mcadams — Thu, 03 Dec 2020 01:38:39 GMT

Thank you! What if I have multiple destination IPs? Do I have to drop the match all? Or do anything else? I only want 10.10.10.104/32 to be able to connect to these IPs and no other source IP.

entry IPCameraACL_deny{
if match all {
destination-address 10.10.10.52/32 ;

destination-address 10.10.10.53/32 ;

destination-address 10.10.10.54/32 ;

destination-address 10.10.10.55/32 ;
} then {
deny;
}

Re: ACL on G2 to only allow one IP address to connect

dj_mcadams — Thu, 03 Dec 2020 03:18:28 GMT

I got this working using the following. The server is 10.10.16.104/32 and the network I wanted to lockdown is 10.10.10.0/24 so only the server can access this network:

entry IPCameraACL_Allow
{
if match all
{
source-address 10.10.16.104/32 ;
destination-address 10.10.10.0/24 ;
}
then
{
permit;
}
}

entry IPCameraACL_Deny
{
if match all
{
destination-address 10.10.10.0/24 ;
}
then
{
deny;
}
}