A little ACL help

Terren_Crider
Contributor
I'm developing an ACL to allow guest use of certain resources on my network. In the end, the guest network will be its own subnet. So, I want to apply this ACL at the VLAN level. I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...

Where might I be messing this up?

entry allowswitchcom {
    if {
        source-address 10.0.99.200/32;
    } then {
        permit;
    }
}

entry allowswitchcom2 {
    if {
        source-address 10.0.99.254/32;
    } then {
        permit;
    }
}

entry denyswitch {
    if {
        destination-address 10.0.99.200/32;
        source-address 10.0.99.0/24;
    } then {
        deny;
    }
}

entry denyswitch2 {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.254/32;
    } then {
        deny;
    }
}

entry denylocalssh {
    if {
        source-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

entry sshmgmt {
    if {
        destination-address 10.0.99.0/24;
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

entry allowmakerlab {
    if {
        source-address 10.0.99.0/24;
        destination-address 10.0.99.0/24;
    } then {
        permit;
    }
}

entry allowdhcp {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 67-68;
    } then {
        permit;
    }
}

entry allowdns {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 53;
    } then {
        permit;
    }
}

entry allowntp {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 123;
    } then {
        permit;
    }
}

entry allowvncmgmt {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        source-port 5900-5910;
    } then {
        permit;
    }
}

entry allowwinlogon {
    if {
        source-address 10.0.99.0/24;
        protocol tcp;
        destination-port > 1024;
        destination-address 10.0.66.220/32;
    } then {
        permit;
    }
}

#entry allowprint515 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 515;
#    } then {
#        permit;
#    }
#}

#entry allowprint631 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 631;
#    } then {
#        permit;
#    }
#}

#entry allowprint9100 {
#    if {
#        destination-address *printerIP/32;
#        protocol tcp;
#        destination-port 9100;
#    } then {
#        permit;
#    }
#}

entry denyHTTPinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 80;
    } then {
        deny;
    }
}

entry denyHTTPsinternal10 {
    if {
        destination-address 10.0.0.0/8;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry denyHTTPsinternal192 {
    if {
        destination-address 192.168.0.0/16;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry denyHTTPsinternal172 {
    if {
        destination-address 172.16.0.0/12;
        protocol tcp;
        destination-port 443;
    } then {
        deny;
    }
}

entry allowhttpinternet {
    if {
        protocol tcp;
        destination-port 80;
    } then {
        permit;
    }
}

entry allowhttpsinternet {
    if {
        protocol tcp;
        destination-port 443;
    } then {
        permit;
    }
}

entry denyall {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}

Probably an earlier entry blocked it. Can you share the whole ACL .pol?

tknv
Extreme Employee
Hi Terren,

I am not certain of the problem, but if an early permit condition contains the deny condition and comes earlier than the deny condition, that traffic would be permitted. Thus putting the deny conditions first (better, all deny conditions) is safer.
If the problem persists, please share with us exactly which packets should be denied/permitted.

Terren_Crider
Contributor
Is it possible to apply an ACL to a VLAN but exclude one port?

Edit: My thought here is that the VLAN in question in my lab setup is also on the uplink port of the switch.
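
The two points above, that an early permit swallows traffic a later deny was meant to catch, and that a VLAN ACL also sees what enters on the uplink, can both be checked offline before touching the switch. The script below is an added example, not code from this thread or from Extreme: it parses the `entry { if { ... } then { ... } }` syntax of the posted .pol with a small regex parser and walks the entries top to bottom, returning the first entry whose conditions all match, which is how EXOS evaluates a policy (anything no entry matches is permitted, so the trailing denyall is what makes the list a whitelist). The policy text is a constructed subset of the poster's rules in their original order, and the hosts (guest 10.0.99.50, an internal server 10.0.1.10, an external web server 203.0.113.10) are constructed. The last sample packet is the TCP reply to the guest's HTTPS request; the ACL is stateless, nothing in the posted rules matches a reply (source port 443, ephemeral destination port), and a VLAN ACL is evaluated on ingress for every port carrying that VLAN, uplink included, so this is the first case worth checking when a policy works on an access port but not on the VLAN.

```python
"""First-match simulator for an EXOS-style .pol ACL (added example, not
code from the thread). Parses the entry/if/then syntax used in the post and
evaluates constructed packets top to bottom, stopping at the first match.
"""
import ipaddress
import re

# Constructed subset of the poster's rules, kept in their original order.
POLICY = """
entry allowswitchcom { if { source-address 10.0.99.200/32; } then { permit; } }
entry denyswitch { if { destination-address 10.0.99.200/32; source-address 10.0.99.0/24; } then { deny; } }
entry denylocalssh { if { source-address 10.0.99.0/24; protocol tcp; destination-port 22; } then { deny; } }
entry allowmakerlab { if { source-address 10.0.99.0/24; destination-address 10.0.99.0/24; } then { permit; } }
entry allowdns { if { source-address 0.0.0.0/0; protocol udp; destination-port 53; } then { permit; } }
entry allowwinlogon { if { source-address 10.0.99.0/24; protocol tcp; destination-port > 1024; destination-address 10.0.66.220/32; } then { permit; } }
entry denyHTTPsinternal10 { if { destination-address 10.0.0.0/8; protocol tcp; destination-port 443; } then { deny; } }
entry allowhttpsinternet { if { protocol tcp; destination-port 443; } then { permit; } }
entry denyall { if { source-address 0.0.0.0/0; } then { deny; } }
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)


def parse_policy(text):
    """Return [(name, {condition: value}, action)] in file order."""
    text = re.sub(r"#.*", "", text)  # drop '#' comment lines like the printer entries
    entries = []
    for name, conds, action in ENTRY_RE.findall(text):
        match = {}
        for stmt in filter(None, (s.strip() for s in conds.split(";"))):
            key, _, value = stmt.partition(" ")
            match[key] = value.strip()
        entries.append((name, match, action.strip().rstrip(";").strip()))
    return entries


def _port_ok(spec, port):
    """Match a port against '22', a range '67-68', or a relation '> 1024'."""
    spec = spec.replace(" ", "")
    for op, fn in ((">=", int.__ge__), ("<=", int.__le__), (">", int.__gt__), ("<", int.__lt__)):
        if spec.startswith(op):
            return fn(port, int(spec[len(op):]))
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-", 1))
        return lo <= port <= hi
    return port == int(spec)


def _matches(match, pkt):
    """True when every condition of one entry holds for the packet."""
    for key, value in match.items():
        if key in ("source-address", "destination-address"):
            addr = pkt["src" if key.startswith("source") else "dst"]
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol":
            if pkt["proto"] != value:
                return False
        elif key in ("source-port", "destination-port"):
            port = pkt["sport" if key.startswith("source") else "dport"]
            if port is None or not _port_ok(value, port):
                return False
        else:
            raise ValueError(f"unsupported match condition: {key}")
    return True


def evaluate(entries, pkt):
    """First-match walk; EXOS permits anything that no entry matches."""
    for name, match, action in entries:
        if _matches(match, pkt):
            return action, name
    return "permit", "<implicit permit>"


def packet(src, dst, proto, sport=None, dport=None):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport}


# Constructed traffic: guest 10.0.99.50, switch 10.0.99.200, internal host
# 10.0.1.10, external web server 203.0.113.10 (documentation range).
SAMPLES = [
    ("guest -> switch ssh",     packet("10.0.99.50", "10.0.99.200", "tcp", 40000, 22)),
    ("switch -> guest ssh",     packet("10.0.99.200", "10.0.99.50", "tcp", 40000, 22)),
    ("guest -> winlogon host",  packet("10.0.99.50", "10.0.66.220", "tcp", 51000, 3389)),
    ("guest -> internal https", packet("10.0.99.50", "10.0.1.10", "tcp", 51000, 443)),
    ("guest -> internet https", packet("10.0.99.50", "203.0.113.10", "tcp", 51000, 443)),
    ("internet https reply",    packet("203.0.113.10", "10.0.99.50", "tcp", 443, 51000)),
]


def simulate(policy_text=POLICY, samples=SAMPLES):
    """Map each sample label to (action, entry that decided it)."""
    entries = parse_policy(policy_text)
    return {label: evaluate(entries, pkt) for label, pkt in samples}


if __name__ == "__main__":
    for label, (action, name) in simulate().items():
        print(f"{label:<24} {action:<6} (entry {name})")
```

Run as-is and the second line shows the ordering problem tknv describes: SSH from the switch to a guest is permitted by allowswitchcom although denylocalssh would have denied it, because the permit comes first. The last line is the reply to the guest's own HTTPS request hitting denyall; on a port-level ACL on the guest access port that reply is never evaluated, on a VLAN-level ACL it is evaluated as it enters on the uplink.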

George_Smith1
Extreme Employee
Maybe in the

entry denyswitch {
if {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
} then {
d eny;}
}

There is a space in the “deny” that should not be there?

I don't have any undue spaces in the .pol file itself.