N7 ACL Issue

Robert_Lawrence
New Contributor
I've been asked to create a VLAN that will be used for a guest wireless network. I need to be able to access only the DHCP server on VLAN1 from this new VLAN. I'm trying to create an access-list on our Enterasys N7 Platinum that will do this. Here is what I have so far:

Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0

On the N7:

interface vlan 1
 ip address 10.50.2.1 255.255.128.0
 no shutdown
interface vlan 200
 ip address 10.51.0.1 255.255.252.0
 ip helper-address 10.50.1.30
 no shutdown

access-list 123 permit udp any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any

When I apply this outbound to interface vlan 200, it allows all traffic. I was under the impression (coming from a Cisco background) that once a rule in an access list has been processed, it stops there. So, for instance, shouldn't any traffic denied by the second part of this access list be denied regardless of the last line of this access-list?

I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.


Robert_Lawrence
New Contributor
Ok awesome! "deny icmp any 10.50.0.0 0.0.127.255" worked for that instance.

I got a little confused in where the packets were coming from (again, been working on this for a few days now and it's all starting to run together).

Here is what I have now:

Extended IP access list 126
1: permit udp any range 67 68 any
2: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
3: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
4: permit ip any any

If applied outbound on interface vlan 200, shouldn't this allow me to grab a DHCP address from the server that's on vlan 1, but deny the rest of traffic sourced from vlan 200 destined for vlan 1?

If so, with this rule applied, it's still allowing me to ping devices on vlan 1 from vlan 200 and access file shares as well.

I feel like I'm so close to having this thing whipped and really appreciate all input from you guys so far.

Alex24
Extreme Employee
Hello Robert,

The ACL 150 you provided in your last post will prevent ICMP traffic coming into the VLAN 200 router interface sourced from the 10.50.0.0 range going anywhere.

Instead I'd suggest using "deny icmp any 10.50.0.0 0.0.127.255" in place of your "deny icmp 10.50.0.0 0.0.127.255 any". This will deny any traffic destined to the 10.50.0.0/17 range and would be applied inbound on VLAN 200.

If you wanted to deny all icmp traffic to the 10.50.0.0/17 range you could also apply the same ACL outbound on VLAN 1 as it would still match and drop packets destined to the 10.50.0.0 range.

As Erik suggested, sometimes drawing out the data path can help identify where to place ACLs and how to craft them.

For additional reading we also have an ACL section in our configuration guides. http://documentation.extremenetworks.com/EOS_Config/S-K-Series/S-K-7100_Configuration_Guide/c_ACL_Ru...

-Alex

Erik_Auerswald
Contributor II
Hello Robert,

packets with a source address in 10.50.0.0/17 will not enter the SVI Vlan 200, unless the end systems in VLAN 200 spoof the sender IP addresses. Thus your ACL 150 does not deny any packets.

You might want to try the following ACL as a starting point:

access-list 101 deny icmp any 10.50.0.0 0.0.127.255
access-list 101 permit ip any any
interface vlan 200
 ip access-group 101 in

That denies ICMP packets sent from VLAN 200 to the IP range of VLAN 1.

Best regards,
Erik

Robert_Lawrence
New Contributor
Something as simple as the following doesn't work:

access-list 150 deny icmp 10.50.0.0 0.0.127.255 any
access-list 150 permit ip any any

Applied inbound on interface vlan 200, still allows pings from vlan 1. What am I missing here?

Erik_Auerswald
Contributor II
Hello Robert,

you are correct that the EOS router ACL is processed from the top down, stopping at the first match, with an implicit deny at the end. Just like a Cisco IOS router ACL.

If you bind ACL 123 outgoing on interface vlan 200, you will deny any traffic with a VLAN 200 source IP address that originates outside of that VLAN from being routed into the VLAN. That would be an anti-spoofing ACL.

As far as I understand, you intend to block traffic originating in VLAN 200 to reach 10.50.0.0/17. To do that, you would need to bind the ACL inbound in VLAN 200.

I recommend drawing a simple diagram with just the relevant router interfaces to plan ACL deployment. Especially with multilayer switches and Switched Virtual Interfaces it is not that easy to understand which packets are affected by an ACL.

Best regards,
Erik
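The direction semantics Erik describes, as an added illustration that is not code from the thread, from Extreme Networks or from Robert: a small Python model of top-down, first-match extended ACL evaluation with wildcard masks, plus a minimal router that shows which SVI binding ("in" on vlan 200 versus "out" on vlan 200) actually sees a packet from a guest host. The networks 10.50.0.0/17 and 10.51.0.0/22 and the contents of ACL 123 and ACL 150 are the thread's; the host addresses and sample packets are constructed, and treating the DHCP broadcast as consumed by the helper-address relay (so only the inbound ACL applies to it) is a deliberate simplification.

```python
"""Toy model of how an EOS/IOS-style extended ACL is evaluated and where an
'in' or 'out' binding on an SVI actually sees a packet.  Added illustration for
this thread, not vendor code.  Networks and ACL contents come from the thread;
host addresses and sample packets are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "icmp", "udp" or "tcp"
    src: str
    dst: str
    sport: int = 0        # 0 = not applicable (ICMP)
    dport: int = 0


@dataclass(frozen=True)
class Ace:
    action: str           # "permit" or "deny"
    proto: str            # "ip" matches every protocol
    src: str              # "any" or "<network> <wildcard>"
    dst: str
    sports: Optional[range] = None   # None = any source port
    dports: Optional[range] = None


def wildcard_match(addr: str, spec: str) -> bool:
    """Wildcard-mask semantics: a 1 bit in the mask means 'don't care'."""
    if spec == "any":
        return True
    net, wild = spec.split()
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wild))
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(net)) & care)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    if ace.proto not in ("ip", pkt.proto):
        return False
    if not (wildcard_match(pkt.src, ace.src) and wildcard_match(pkt.dst, ace.dst)):
        return False
    if ace.sports is not None and pkt.sport not in ace.sports:
        return False
    return ace.dports is None or pkt.dport in ace.dports


def evaluate(acl, pkt):
    """Top down, first match wins, implicit deny (index None) at the end."""
    for i, ace in enumerate(acl):
        if ace_matches(ace, pkt):
            return ace.action, i
    return "deny", None


# Router interfaces from the thread.  An "in" binding on an SVI sees packets
# arriving from hosts in that VLAN; an "out" binding sees packets the router
# forwards into that VLAN.
SVIS = {"vlan 1": ipaddress.ip_network("10.50.0.0/17"),
        "vlan 200": ipaddress.ip_network("10.51.0.0/22")}


def forward(pkt, ingress, bindings):
    """ingress: SVI the frame arrived on; bindings: {(svi, dir): acl}.
    Simplification: a broadcast such as a DHCP DISCOVER has no egress SVI;
    the helper-address relay consumes it, so only the inbound ACL applies."""
    dst = ipaddress.ip_address(pkt.dst)
    egress = next((n for n, net in SVIS.items() if dst in net), None)
    for svi, direction in ((ingress, "in"), (egress, "out")):
        acl = bindings.get((svi, direction))
        if acl is not None:
            action, idx = evaluate(acl, pkt)
            if action == "deny":
                return f"dropped by {svi} {direction} (ACE {idx})"
    return "forwarded"


V1, V200 = "10.50.0.0 0.0.127.255", "10.51.0.0 0.0.3.255"
# The original poster's ACL 123, as written in the first post.
ACL_123 = [Ace("permit", "udp", "any", "any", sports=range(67, 69)),
           Ace("deny", "ip", V200, V1),
           Ace("permit", "ip", "any", "any")]
# ACL 150 from the later post: it matches on SOURCE 10.50.0.0/17.
ACL_150 = [Ace("deny", "icmp", V1, "any"), Ace("permit", "ip", "any", "any")]

# Constructed sample traffic from a guest host in VLAN 200.
PING = Packet("icmp", "10.51.0.10", "10.50.1.5")
SMB = Packet("tcp", "10.51.0.10", "10.50.1.40", sport=50000, dport=445)
DHCP = Packet("udp", "0.0.0.0", "255.255.255.255", sport=68, dport=67)


def demo():
    out_binding = {("vlan 200", "out"): ACL_123}   # what the poster tried
    in_binding = {("vlan 200", "in"): ACL_123}     # what Erik recommends
    acl150_in = {("vlan 200", "in"): ACL_150}
    return {
        "123 out: ping": forward(PING, "vlan 200", out_binding),
        "123 out: smb": forward(SMB, "vlan 200", out_binding),
        "123 in: ping": forward(PING, "vlan 200", in_binding),
        "123 in: smb": forward(SMB, "vlan 200", in_binding),
        "123 in: dhcp": forward(DHCP, "vlan 200", in_binding),
        "150 in: ping": forward(PING, "vlan 200", acl150_in),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} -> {verdict}")
```

Run as a script, the model reproduces the thread: with ACL 123 bound outbound on vlan 200, a guest's ping and SMB session toward VLAN 1 never pass through that binding (they enter on vlan 200 and leave on vlan 1), so both are forwarded; the same ACL bound inbound on vlan 200 drops both at ACE 1 while the DHCP DISCOVER is still permitted by ACE 0; and ACL 150, which keys on a 10.50.0.0/17 source, never matches anything a VLAN 200 host legitimately sends.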