This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Legacy
- End of Service Products
- RE: N7 ACL Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
N7 ACL Issue
N7 ACL Issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-17-2016 06:38 PM
I've been asked to create a VLAN that will be used for a guest wireless network. I need to be able to access only the DHCP server on VLAN1 from this new VLAN. I'm trying to create an access-list on our Enterasys N7 Platinum that will do this. Here is what I have so far:
Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0
On the N7:
interface vlan 1
ip address 10.50.2.1 255.255.128.0
no shutdown
interface vlan 200
ip address 10.51.0.1 255.255.252.0
ip helper-address 10.50.1.30
no shutdown
access-list 123 permit udp any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any
When I apply this outboud to interface vlan 200, it allows all traffic. I was under the impression (coming from a cisco background) that once a rule in an access list has been proccessed, it stops there. So, for intance, shouldn't any traffice denied by the second part of this access list be denied regardless of the last line of this access-list?
I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.
Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0
On the N7:
interface vlan 1
ip address 10.50.2.1 255.255.128.0
no shutdown
interface vlan 200
ip address 10.51.0.1 255.255.252.0
ip helper-address 10.50.1.30
no shutdown
access-list 123 permit udp any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any
When I apply this outboud to interface vlan 200, it allows all traffic. I was under the impression (coming from a cisco background) that once a rule in an access list has been proccessed, it stops there. So, for intance, shouldn't any traffice denied by the second part of this access list be denied regardless of the last line of this access-list?
I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 02:21 PM
Again, worked flawlessly. I can't thank you enough for the assitance you've given here. Thanks to you as well Erik.
Is the first part of this ACL working because clients send the dhcp discover/requests on port 68 instead of a random port? Just trying to clear all of this up in my head for future reference.
Is the first part of this ACL working because clients send the dhcp discover/requests on port 68 instead of a random port? Just trying to clear all of this up in my head for future reference.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 02:06 PM
Hello Robert,
You will need to make a slight change to lines 2 and 3. Instead of "any eq 53 any" you should use "any any eq 53". Client to Server conversations tend to be from a randomized source port destined to a specific server port. So in this case you want any IP on any port destined to any IP on port 53 (permit udp ). You could also substitute the any fields with your 10.51 and 10.50 range. So it could be "permit udp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 eq 53"
-Alex
You will need to make a slight change to lines 2 and 3. Instead of "any eq 53 any" you should use "any any eq 53". Client to Server conversations tend to be from a randomized source port destined to a specific server port. So in this case you want any IP on any port destined to any IP on port 53 (permit udp
-Alex
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 01:30 PM
Alex! That worked sir! I was under the impression that "out" referred to anything going out of that interface vice versa with "in". Thank you very much for clearing that up for me. Perhaps you could help me with one more addition to that acl? To finish out, I need to allow vlan 200 to use a dns server on vlan 1. Here is what I have configured inbound vlan 200:
1: permit udp any range 67 68 any
2: permit udp any eq 53 any
3: permit tcp any eq 53 any
4: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 107
5: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 971
6: permit ip any any
Will 2 and 3 not allow any dns requests to flow from vlan 200 to vlan 1?
1: permit udp any range 67 68 any
2: permit udp any eq 53 any
3: permit tcp any eq 53 any
4: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 107
5: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255 971
6: permit ip any any
Will 2 and 3 not allow any dns requests to flow from vlan 200 to vlan 1?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 12:56 PM
Hello Robert,
Have you tried applying that rule inbound on vlan 200?
Based on that ACL it will block traffic sourced from 10.51 and destined to 10.50. So if you apply it outbound as you have you will not block anything because the traffic leaving the router and going into VLAN 200 (outbound) will be sourced from 10.50 and going to 10.51. If you apply it inbound so traffic coming into the router from VLAN 200 (inbound) you will now have traffic sourced from 10.51 and destined to 10.50 which will match your ACL.
ACL inbound and outbound is based on the L3 Routers view of the world so if you draw a router then anything coming into it from other parts of your network are Inbound while anything leaving it is considered outbound. ACL's can be applied on the interfaces to filter this traffic but the ACL rules will need to match the traffic as it would be where the ACL is applied. So your rule could work outbound if you flipped the source and destination fields of your ACL to match where the packet is coming from and where it is going.
-Alex
Have you tried applying that rule inbound on vlan 200?
Based on that ACL it will block traffic sourced from 10.51 and destined to 10.50. So if you apply it outbound as you have you will not block anything because the traffic leaving the router and going into VLAN 200 (outbound) will be sourced from 10.50 and going to 10.51. If you apply it inbound so traffic coming into the router from VLAN 200 (inbound) you will now have traffic sourced from 10.51 and destined to 10.50 which will match your ACL.
ACL inbound and outbound is based on the L3 Routers view of the world so if you draw a router then anything coming into it from other parts of your network are Inbound while anything leaving it is considered outbound. ACL's can be applied on the interfaces to filter this traffic but the ACL rules will need to match the traffic as it would be where the ACL is applied. So your rule could work outbound if you flipped the source and destination fields of your ACL to match where the packet is coming from and where it is going.
-Alex
