topic Re: EXOS dynamic ACL on VLAN not working. in ExtremeSwitching (EXOS/Switch Engine)

EXOS dynamic ACL on VLAN not working.

Rahman_Duran — Thu, 19 Sep 2019 13:39:32 GMT

Hi,

I want to permit selected subnets and deny all other subnets ingress traffic to our PBX vlan. I configured ACLs shown below. But I can still access to PBX VLAN (web pages of IP phones on PBX VLAN) from every where. What shoul be the problem?

PBX VLANs ip subnet is 10.150.101.0/24

Regards

Rahman

code:

create access-list santral-pbx-010 " source-address 10.242.2.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-020 " source-address 192.168.10.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-030 " source-address 192.168.1.44/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-040 " source-address 192.168.1.183/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-050 " source-address 10.50.0.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-060 " source-address 10.110.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-070 " source-address 10.120.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-080 " source-address 10.130.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-090 " source-address 10.141.26.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-100 " source-address 10.146.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-120 " source-address 10.160.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-130 " source-address 10.111.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ;" application "Cli"



configure access-list add santral-pbx-010 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-020 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-030 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-040 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-050 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-060 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-070 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-080 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-090 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-100 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-110 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-120 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-130 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-deny last priority 0 zone SYSTEM vlan Santral-PBX ingress

Re: EXOS dynamic ACL on VLAN not working.

Rahman_Duran — Wed, 25 Sep 2019 19:06:55 GMT

Hi,

I just deleted all the dynamic acl rules and created a policy file: "santral-pbx.pol"

code:

entry santralpbx-allowed-networks-01 {
        if match all {
                source-address 10.242.2.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-02 {
        if match all {
                source-address 192.168.10.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-03 {
        if match all {
                source-address 192.168.1.44/32;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-04 {
        if match all {
                source-address 192.168.1.183/32;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-05 {
        if match all {
                source-address 10.50.0.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-06 {
        if match all {
                source-address 10.110.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-07 {
        if match all {
                source-address 10.120.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-08 {
        if match all {
                source-address 10.130.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-09 {
        if match all {
                source-address 10.141.26.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-10 {
        if match all {
                source-address 10.146.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-11 {
        if match all {
                source-address 10.150.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-12 {
        if match all {
                source-address 10.160.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-allowed-networks-13 {
        if match all {
                source-address 10.111.101.0/24;
                destination-address 10.150.101.0/24;
        } then {
                permit;
                count santralpbx-permit-count;
        }
}


entry santralpbx-deny-all {
        if {
                source-address 0.0.0.0/0;
                destination-address 10.150.101.0/24;
        } then {
                deny;
                count santralpbx-deny-count;
        }
}

As you see I permitted some subnets and at the end denied all sources. I applied this policy to ingress of vlan "Santral-PBX":

code:

configure access-list santral-pbx vlan "Santral-PBX" ingress

But I can still ping and open web gui of ip phones from every where. It does not deny traffic as it should. When I look to counter statistics it shows like this:

code:

SAVSAT-METRO.3 # show access-list counter ingress
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
santral-pbx       Santral-PBX      *      ingress
    santralpbx-deny-count          0
    santralpbx-permit-count        11431

Any idea why it does not work? Should I apply the policy file to all ports instead of VLAN?

Regards,

Rahman

Re: EXOS dynamic ACL on VLAN not working.

Erik_Auerswald — Wed, 25 Sep 2019 22:35:27 GMT

Hi,

I have not read the ACL exactly, but I think you control the traffic that would be routed to the PBX VLAN in the ACL, but then apply it inbound on the PBX VLAN itself. Thus the ACL does not see the traffic going to the PBX, but it sees traffic sent from the PBX.

You would need to apply an ACL controlling access from outside to the PBX VLAN outbound on the PBX VLAN (egress direction).

On EXOS, ACLs are applied to the physical port, not to the logical routing function (Switched Virtual Interface) as in other implementations (e.g., ExtremeEOS).

Thanks,
Erik

Re: EXOS dynamic ACL on VLAN not working.

Rahman_Duran — Thu, 26 Sep 2019 12:45:27 GMT

Hi Erik,

Thanks for the suggestion, I will try it and report back if it woks.

Every example I saw on community hub and GTAC suggested to apply ACL to ingress of the VLANs. I read whole documentation of EXOS on ACLs a few time already. I think documentation needs some clarification on "which traffic is ingress to VLAN and which is egress from VLAN". It is not very clear.

When I read the documentation I understand "traffic routed to the VLAN is ingress traffic for that VLAN" and "traffic originating from VLAN and routed to other VLANs egress traffic for that VLAN".

Regards,

Rahman

Re: EXOS dynamic ACL on VLAN not working.

FredrikB — Thu, 26 Sep 2019 19:29:16 GMT

Ingress and egress can be confusing, especially with VLANs. Ingress to a VLAN means packets coming in on a port that is a member of that VLAN, tagged or not. I honestly don't know if a packet that is being routed from another VLAN and then passes a certain VLAN is actually considered as ingressing that VLAN, but I don't think so as it is actually rather egressing the port and hence it is considered egressing the VLAN.

It should be fairly simple to find out by applying your policy on ingress on some other VLAN that is supposed to be blocked by the policy.

/Fredrik

Re: EXOS dynamic ACL on VLAN not working.

Rahman_Duran — Fri, 27 Sep 2019 13:17:39 GMT

Hi,

@Erik Auerswald

@FredrikB thank you both for your helps. Applying the ACL to the egress of the PBX VLAN solved the issue.

I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs.

Regards,

Rahman

Re: EXOS dynamic ACL on VLAN not working.

FredrikB — Fri, 27 Sep 2019 13:39:08 GMT

"I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs."

I agree. Either more real-world examples in the user guide or a reference to a collection of such examples on the web would be very helpful. Sadly, this seems to be a hard nut for Extreme to crack, probably due to unwillingness to put out examples that may break in future releases, ending up in support cases where customers want this or that example to work in their environment. I guess that's what this forum is supposed to address to some extent.

Re: EXOS dynamic ACL on VLAN not working.

bcyrus — Fri, 01 Oct 2021 22:55:16 GMT

OMGOMG I feel as confused as possible coming from Cisco. Ingress/Egress rattle my thinking and blocks me from the correct command syntax.