This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forÂ
- Extreme Networks
- Community List
- Network Management & Authentication
- ExtremeCloud IQ- Site Engine Management Center
- RE: Rules with Policy not working as intended
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Rules with Policy not working as intended
Rules with Policy not working as intended
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-14-2018 12:23 PM
I have the following setup for testing purposes which i am unable to get working properly. i might be doing something wrong but i dont see what.
I have a role in Policy which i named LAB-CORP-ROLE. Clients logging in with dot1x (LAN and WLAN) get the proper Role. With this role i have defined a few basic rules:
I am testing this with LAN, i know we have to manualy rearrange the rules in the EWC, which is realy stupid, but that's my honest opinion...
The role is Contain to vlan, I think this has a implicit permit at the bottom of the rules?
i then allow: Base Services, the predefined ones: Permit IP ARP, BootP Server and DNS.
I created another rules which i called deny RFC's. I want to block all traffic to internal IP adresses and allow DNS, DHCP and ARP.
The client does get an IP but is unable to resolve DNS to an internal DNS server, even while ill explicitly allow udp 53 (to all ip's i suppose) If i add a permit to the IP of the internal DNS server it works fine. This is not what i want to do. I hope i made myself clear and i also hope someone here might be able to tell me what i am doing wrong.
I also tried to change the Access control on this role to Permit and then add the vlan to vlan Egress tab (untagged ofcourse) I can then see the switchport does get the untagged vlan on that port but ni mac adresses are being learned... Seems like a bug as well? Am i doing something wrong?
Kind regards!
I have a role in Policy which i named LAB-CORP-ROLE. Clients logging in with dot1x (LAN and WLAN) get the proper Role. With this role i have defined a few basic rules:
I am testing this with LAN, i know we have to manualy rearrange the rules in the EWC, which is realy stupid, but that's my honest opinion...
The role is Contain to vlan, I think this has a implicit permit at the bottom of the rules?
i then allow: Base Services, the predefined ones: Permit IP ARP, BootP Server and DNS.
I created another rules which i called deny RFC's. I want to block all traffic to internal IP adresses and allow DNS, DHCP and ARP.
The client does get an IP but is unable to resolve DNS to an internal DNS server, even while ill explicitly allow udp 53 (to all ip's i suppose) If i add a permit to the IP of the internal DNS server it works fine. This is not what i want to do. I hope i made myself clear and i also hope someone here might be able to tell me what i am doing wrong.
I also tried to change the Access control on this role to Permit and then add the vlan to vlan Egress tab (untagged ofcourse) I can then see the switchport does get the untagged vlan on that port but ni mac adresses are being learned... Seems like a bug as well? Am i doing something wrong?
Kind regards!
17 REPLIES 17
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-14-2018 12:46 PM
Wired policy has always been fun in trying to do a locked down policy, and having to block internal addresses and allow certain services internally. It comes down to precedence. A deny takes precedence over an allow. However an IP address has higher precedence than a port. So when you allow the ip address it works. Probably not the answer you are looking for, but that is what I've run into. Would be nice to be able to sort the precedence like you can on a wireless controller.
Here is a GTAC article on precedence. https://gtacknowledge.extremenetworks.com/articles/Q_A/What-Are-the-OnePolicy-Rule-Precedences-for-E...
Here is a GTAC article on precedence. https://gtacknowledge.extremenetworks.com/articles/Q_A/What-Are-the-OnePolicy-Rule-Precedences-for-E...
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-14-2018 12:46 PM
Hi Brian,
I tried this while adding the IP of the DNS server but to no avail.
I tried this while adding the IP of the DNS server but to no avail.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-14-2018 12:46 PM
With wired policy the dhcp packet gets out before policy is applied, so the device gets an IP address regardless if you set dhcp to deny or not. Been there, tried that 
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-14-2018 12:46 PM
I can try, but why would DHCP work then? Thats UDP as well just as DNS is? Does not make any sense if this would make any difference 😉
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
‎03-14-2018 12:46 PM
Here is something I found that may help, specify the IP address with socket destination. https://community.extremenetworks.com/extreme/topics/missing-policy-rule-precedence-for-classificati...
