OnePolicy "deny all" blocks STP on EXOS, but not on EOS

Erik_Auerswald
Contributor II
Hi,

when replacing EOS based access switches (e.g. S-Series) with EXOS based switches with OnePolicy support (e.g. X460-G2 or X440-G2), there is a difference in behavior if a deny all policy is used. On EOS, STP BPDUs are not blocked, but on EXOS they are blocked by the OnePolicy.

I have encountered this with a customer using a deny all default OnePolicy to drop traffic from unauthenticated devices. After authentication, legitimate devices are assigned a OnePolicy to allow desired communication (and a VLAN is assigned using the RFC 3580 method as well).

While it is documented that deny all EXOS ACLs drop all Layer 2 protocols, I was not aware that this was carried over to OnePolicy (and I did not check the documentation).

Another problem is how to allow STP BPDUs in the default policy. I see two obvious methods to recognize them:
  1. By the destination MAC address of 01:80:C2:00:00:00
  2. By the LLC DSAP of 0x42 and SSAP of 0x42
The first method should be supported on X460-G2 switches (according to show policy capabilities), but not on e.g. X440-G2. The second method is not supported by either X440-G2 nor X460-G2. Since we had X440-G2 in the lab, we could not test the first method when I was on-site (for a different task that had priority).

Has anybody encountered this problem before? How was it solved?

[Note: OnePolicy was just called Policy on EOS, but EXOS knew policy (.pol) files (also known as ACLs) as well. EXOS ACLs are more powerful than EXOS OnePolicies.]

Thanks,
Erik

There is another issue with regard to a DenyAll default policy:
Authenticated user FDB entries stay learned in the untagged VLAN and can't send traffic. That one is supposed to be fixed in 22.3, perhaps this "fix" introduced the new problem with EAPoL frames?

I do not like how this issue is progressing... 😞

Hi Matthias,

that is a new issue (EAPoL blocked by a DenyAll policy) that I have not seen in the wild yet, this worked before 22.3.1.4.

Thanks for pointing out this article!

Erik

M_Nees
Contributor III
Hi Erik,

I ran into the same problem!

I have a customer's project with PEAP and EAP-TLS authentication and a "Pre-Login" policy which only allows some specific communications. After the upgrade from EXOS 21.1.3 to EXOS 22.3.1.4, PEAP and EAP-TLS are not running anymore.

I opened a case.

Possible Solutions:
+ change Pre-Login Policy from PVID 0 (Deny All) to PVID 4095 (Allow All)
+ Enhance Pre-Login Policy with STP BPDU, EAPOL, ...
+ Waiting till EXOS 22.4.x which will change behaviour back as it was in 21.1.3

Allowing STP via 01:80:C2:00:00:00 on X440-G2 is possible if you do not try to use a variable mask - use ff:ff:ff:ff:ff:ff

Here is an example:
configure policy profile 1 name "PC-PreAuth" pvid-status "enable" pvid 0
configure policy rule 1 macdest 01-80-C2-00-00-00 mask 48 forward
configure policy rule 1 ether 0x0806 mask 16 forward
configure policy rule 1 ether 0x8100 mask 16 forward
configure policy rule 1 ether 0x888E mask 16 forward
configure policy rule 1 ether 0x88CC mask 16 forward

Regards,
Matthias
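The example profile above lists the control-plane frames (STP BPDU, ARP, EAPOL, LLDP) that a PVID 0 pre-auth profile has to forward explicitly. The following script is an added example, not code from this thread or from Extreme Networks: it parses `configure policy profile` / `configure policy rule` lines in the syntax shown above and reports, for every deny-all (pvid 0) profile, which of those protocols still lack a full-mask forward rule. The set of required protocols and the sample configuration are this example's own assumptions, and the script only recognizes the `macdest` and `ether` rule forms shown in the thread.

```python
import re

# Control-plane frames that an EXOS OnePolicy profile with pvid 0 ("deny all")
# drops unless a forward rule matches them. The values are the standard STP
# destination MAC and IEEE EtherTypes; the grouping is an assumption of this
# example, not taken from an Extreme document.
REQUIRED = {
    "STP BPDU": ("macdest", "01-80-c2-00-00-00"),
    "ARP": ("ether", 0x0806),
    "EAPOL": ("ether", 0x888E),
    "LLDP": ("ether", 0x88CC),
}
FULL_MASK = {"macdest": 48, "ether": 16}

PROFILE_RE = re.compile(r"^configure policy profile (\d+)\b(.*)$")
PVID_RE = re.compile(r"\bpvid (\d+)\b")
RULE_RE = re.compile(
    r"^configure policy rule (\d+) (macdest|ether) (\S+) mask (\d+) (forward|drop)\b"
)


def _normalize(kind, value):
    """Bring MAC addresses to lowercase dashed form and EtherTypes to int."""
    if kind == "macdest":
        return value.lower().replace(":", "-")
    return int(value, 16)


def parse_policy(config_text):
    """Return {profile_id: {"pvid": int or None, "allows": {(kind, value), ...}}}."""
    profiles = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            pid = int(m.group(1))
            pv = PVID_RE.search(m.group(2))
            prof = profiles.setdefault(pid, {"pvid": None, "allows": set()})
            prof["pvid"] = int(pv.group(1)) if pv else None
            continue
        m = RULE_RE.match(line)
        if m:
            pid, kind, value, mask, action = m.groups()
            prof = profiles.setdefault(int(pid), {"pvid": None, "allows": set()})
            # Only a forward rule with a full (non-variable) mask counts, following
            # the advice in the thread to avoid variable masks on X440-G2.
            if action == "forward" and int(mask) == FULL_MASK[kind]:
                prof["allows"].add((kind, _normalize(kind, value)))
    return profiles


def missing_allows(config_text):
    """For each deny-all (pvid 0) profile, list the control protocols it still drops."""
    report = {}
    for pid, prof in sorted(parse_policy(config_text).items()):
        if prof["pvid"] != 0:
            continue
        report[pid] = [name for name, key in REQUIRED.items() if key not in prof["allows"]]
    return report


# Constructed sample: profile 1 mirrors the thread's example, profile 2 is an
# incomplete pre-auth profile (EAPOL only with a variable mask), profile 3 is an
# allow-all profile that needs no check.
SAMPLE_CONFIG = """\
configure policy profile 1 name "PC-PreAuth" pvid-status "enable" pvid 0
configure policy rule 1 macdest 01-80-C2-00-00-00 mask 48 forward
configure policy rule 1 ether 0x0806 mask 16 forward
configure policy rule 1 ether 0x8100 mask 16 forward
configure policy rule 1 ether 0x888E mask 16 forward
configure policy rule 1 ether 0x88CC mask 16 forward
configure policy profile 2 name "PreAuth-Incomplete" pvid-status "enable" pvid 0
configure policy rule 2 ether 0x0806 mask 16 forward
configure policy rule 2 ether 0x888E mask 8 forward
configure policy profile 3 name "Authenticated" pvid-status "enable" pvid 4095
"""

if __name__ == "__main__":
    for pid, missing in missing_allows(SAMPLE_CONFIG).items():
        status = "ok" if not missing else "missing: " + ", ".join(missing)
        print(f"profile {pid}: {status}")
```

Feed it the output of `show configuration policy` (or a saved configuration) before rolling a deny-all pre-auth profile out to a new platform; a profile that shows up with missing entries will drop those frames on EXOS even though the same policy on EOS let them through.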

It should have been 22.3, but I am not totally sure, because we rebooted into an older firmware to verify that some Policy Manager issues were introduced by 22.3. We should have rebooted into 22.3 before the above mentioned tests, as far as I remember.

Thanks,
Erik

M_Nees
Contributor III
Do you work with recent EXOS firmware? I am really sure that the above example works on a customer's system with X440-G2 with 22.3.1.4 firmware.

Regards