This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Legacy
- End of Service Products
- N7 ACL Issue
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
N7 ACL Issue
N7 ACL Issue
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-17-2016 06:38 PM
I've been asked to create a VLAN that will be used for a guest wireless network. I need to be able to access only the DHCP server on VLAN1 from this new VLAN. I'm trying to create an access-list on our Enterasys N7 Platinum that will do this. Here is what I have so far:
Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0
On the N7:
interface vlan 1
ip address 10.50.2.1 255.255.128.0
no shutdown
interface vlan 200
ip address 10.51.0.1 255.255.252.0
ip helper-address 10.50.1.30
no shutdown
access-list 123 permit udp any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any
When I apply this outboud to interface vlan 200, it allows all traffic. I was under the impression (coming from a cisco background) that once a rule in an access list has been proccessed, it stops there. So, for intance, shouldn't any traffice denied by the second part of this access list be denied regardless of the last line of this access-list?
I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.
Vlan 1 - 10.50.0.0 255.255.128.0
Vlan 200 (New Vlan) - 10.51.0.0 255.255.252.0
On the N7:
interface vlan 1
ip address 10.50.2.1 255.255.128.0
no shutdown
interface vlan 200
ip address 10.51.0.1 255.255.252.0
ip helper-address 10.50.1.30
no shutdown
access-list 123 permit udp any range 67 68 any
access-list 123 deny ip any 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
access-list 123 permit ip any any
When I apply this outboud to interface vlan 200, it allows all traffic. I was under the impression (coming from a cisco background) that once a rule in an access list has been proccessed, it stops there. So, for intance, shouldn't any traffice denied by the second part of this access list be denied regardless of the last line of this access-list?
I've been struggling with this for a few days and would greatly appreciate any advice you guys could throw my way.
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 12:50 PM
Ok awesome! deny icmp any 10.50.0.0 0.0.127.255 worked for that instance
I got a little confused in where the packets were coming from (again, been working on this for a few days now and it's all starting to run together).
Here is what I have now:
Extended IP access list 126
1: permit udp any range 67 68 any
2: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
3: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
4: permit ip any any
If applied outbound on interface vlan 200, shouldn't this allow me to grab a DHCP address from the server that's on vlan 1, but deny the rest of traffic sourced from vlan 200 destined for vlan 1?
If so, with this rule applied, it's still allowing me to ping devices on vlan 1 from vlan 200 and access file shares as well.
I feel like I'm so close to having this thing whipped and really appreciate all input from you guys so far.
I got a little confused in where the packets were coming from (again, been working on this for a few days now and it's all starting to run together).
Here is what I have now:
Extended IP access list 126
1: permit udp any range 67 68 any
2: deny icmp 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
3: deny ip 10.51.0.0 0.0.3.255 10.50.0.0 0.0.127.255
4: permit ip any any
If applied outbound on interface vlan 200, shouldn't this allow me to grab a DHCP address from the server that's on vlan 1, but deny the rest of traffic sourced from vlan 200 destined for vlan 1?
If so, with this rule applied, it's still allowing me to ping devices on vlan 1 from vlan 200 and access file shares as well.
I feel like I'm so close to having this thing whipped and really appreciate all input from you guys so far.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 12:26 PM
Hello Robert,
The ACL 150 you provided in your last post will prevent ICMP traffic coming into the VLAN 200 router interface sourced from the 10.50.0.0 range going anywhere.
Instead I'd suggest using "deny icmp any 10.50.0.0 0.0.127.255" in place of your "deny icmp 10.50.0.0 0.0.127.255 any" This will deny any traffic destined to the 10.50.0.0/17 range and would be applied inbound on VLAN 200.
If you wanted to deny all icmp traffic to the 10.50.0.0/17 range you could also apply the same ACL outbound on VLAN 1 as it would still match and drop packets destined to the 10.50.0.0 range.
As Eric suggested sometimes drawing out the data path can help identifying where to place ACL's and how to craft them.
For additional reading we also have a ACL section in our configuration guides. http://documentation.extremenetworks.com/EOS_Config/S-K-Series/S-K-7100_Configuration_Guide/c_ACL_Ru...
-Alex
The ACL 150 you provided in your last post will prevent ICMP traffic coming into the VLAN 200 router interface sourced from the 10.50.0.0 range going anywhere.
Instead I'd suggest using "deny icmp any 10.50.0.0 0.0.127.255" in place of your "deny icmp 10.50.0.0 0.0.127.255 any" This will deny any traffic destined to the 10.50.0.0/17 range and would be applied inbound on VLAN 200.
If you wanted to deny all icmp traffic to the 10.50.0.0/17 range you could also apply the same ACL outbound on VLAN 1 as it would still match and drop packets destined to the 10.50.0.0 range.
As Eric suggested sometimes drawing out the data path can help identifying where to place ACL's and how to craft them.
For additional reading we also have a ACL section in our configuration guides. http://documentation.extremenetworks.com/EOS_Config/S-K-Series/S-K-7100_Configuration_Guide/c_ACL_Ru...
-Alex
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 12:22 PM
Hello Robert,
packets with a source address in 10.50.0.0/17 will not enter the SVI Vlan 200, unless the end systems in VLAN 200 spoof the sender IP addresses. Thus you ACL 150 does not deny any packets.
You might want to try the following ACL as a starting point:
access-list 101 deny icmp any 10.50.0.0 0.0.127.255 access-list 101 allow ip any any interface vlan 200 ip access-group 101 in That denies ICMP packets sent from VLAN 200 to the IP range of VLAN 1.
Best regards,
Erik
packets with a source address in 10.50.0.0/17 will not enter the SVI Vlan 200, unless the end systems in VLAN 200 spoof the sender IP addresses. Thus you ACL 150 does not deny any packets.
You might want to try the following ACL as a starting point:
access-list 101 deny icmp any 10.50.0.0 0.0.127.255 access-list 101 allow ip any any interface vlan 200 ip access-group 101 in That denies ICMP packets sent from VLAN 200 to the IP range of VLAN 1.
Best regards,
Erik
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 12:13 PM
Something as simple as the following doesn't work:
access-list 150 deny icmp 10.50.0.0 0.0.127.255 any
access-list 150 permit ip any any
Applied inbound on interface vlan 200, still allows pings from vlan 1. What am I missing here?
access-list 150 deny icmp 10.50.0.0 0.0.127.255 any
access-list 150 permit ip any any
Applied inbound on interface vlan 200, still allows pings from vlan 1. What am I missing here?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
06-20-2016 04:55 AM
Hello Robert,
you are correct that the EOS router ACL is processed from the top down, stopping at the first match, with an implicit deny at the end. Just like a Cisco IOS router ACL.
If you bind ACL 123 outgoing on interface vlan 200 you will deny any traffic with an IP address from VLAN 200 oroginating outside of that VLAN to be routed into the VLAN. That would be an anti-spoofing ACL.
As far as I understand, you intend to block traffic originating in VLAN 200 to reach 10.50.0.0/17. To do that, you would need to bind the ACL inbound in VLAN 200.
I recommend drawing a simple diagram with just the relevant router interfaces to plan ACL deployment. Especially with multilayer switches and Switched Virtual Interfaces it is not that easy to understand which packets are affected by an ACL.
Best regards,
Erik
you are correct that the EOS router ACL is processed from the top down, stopping at the first match, with an implicit deny at the end. Just like a Cisco IOS router ACL.
If you bind ACL 123 outgoing on interface vlan 200 you will deny any traffic with an IP address from VLAN 200 oroginating outside of that VLAN to be routed into the VLAN. That would be an anti-spoofing ACL.
As far as I understand, you intend to block traffic originating in VLAN 200 to reach 10.50.0.0/17. To do that, you would need to bind the ACL inbound in VLAN 200.
I recommend drawing a simple diagram with just the relevant router interfaces to plan ACL deployment. Especially with multilayer switches and Switched Virtual Interfaces it is not that easy to understand which packets are affected by an ACL.
Best regards,
Erik
