This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (EXOS/Switch Engine)
- RE: A little ACL help
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
A little ACL help
A little ACL help
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-13-2018 10:00 PM
I'm developing an ACL to allow guest use of certian resources on my network. In the end, the guest network will be its own subnet. So, I want to apply this ACL at the VLAN level. I've got the ACL working at the port level, but when I apply it to the VLAN nothing works...
Where might I be messing this up?
entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}
entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}
entry denyswitch {
if {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
} then {
deny;}
}
entry denyswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
} then {
deny;}
}
entry denylocalssh {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}
entry sshmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}
entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}
entry allowdhcp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 67-68;
} then {
permit;}
}
entry allowdns {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}
entry allowntp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}
entry allowvncmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}
entry allowwinlogon {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port > 1024;
destination-address 10.0.66.220/32;
} then {
permit;}
}
#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}
#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}
#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}
entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPsinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPsinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPsinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry allowhttpinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}
entry allowhttpsinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}
entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}
Where might I be messing this up?
entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}
entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}
entry denyswitch {
if {
destination-address 10.0.99.200/32;
source-address 10.0.99.0/24;
} then {
deny;}
}
entry denyswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
} then {
deny;}
}
entry denylocalssh {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}
entry sshmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}
entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}
entry allowdhcp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 67-68;
} then {
permit;}
}
entry allowdns {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}
entry allowntp {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}
entry allowvncmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}
entry allowwinlogon {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port > 1024;
destination-address 10.0.66.220/32;
} then {
permit;}
}
#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}
#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}
#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}
entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPsinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPsinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPsinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry allowhttpinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}
entry allowhttpsinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}
entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}
10 REPLIES 10
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-14-2018 04:11 PM
I have it working now. I'm still not sure what was getting blocked, but I added an entry to allow bidirectional traffic to my VLAN.
entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}
This was added as the second to last entry, right above the denyall rule.
Edit: I also changed the order of some things. Like allowing DNS, DHCP, NTP at the top rather than in the middle.
entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}
This was added as the second to last entry, right above the denyall rule.
Edit: I also changed the order of some things. Like allowing DNS, DHCP, NTP at the top rather than in the middle.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-14-2018 04:11 PM
Thank you very much. I think a packet (to/from 10.0.0.0/8) is not match below should be permit. entry denylocalSSH { if { source-address 10.0.99.0/24; protocol tcp; destination-port 22; } then { deny;} } entry denyHTTPswitch { if { source-address 10.0.99.0/24; destination-address 10.0.99.200/32; protocol tcp; destination-port 80; } then { deny;} } entry denyHTTPswitch2 { if { source-address 10.0.99.0/24; destination-address 10.0.99.254/32; protocol tcp; destination-port 80; } then { deny;} } entry denyICMP { if { source-address 10.0.99.0/24; protocol icmp; } then { deny;} } entry denyHTTPinternal10 { if { destination-address 10.0.0.0/8; protocol tcp; destination-port 80; } then { deny;} } entry denyHTTPSinternal10 { if { destination-address 10.0.0.0/8; protocol tcp; destination-port 443; } then { deny;} } Please let me know if my understanding is wrong.
Can you share the packet that should be permitted but denied?
Can you share the packet that should be permitted but denied?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-14-2018 04:11 PM
Here's the current working ACL. Without the second to last entry "allowbidirectional" it does not work.
entry allowDHCP {
if {
source-address 0.0.0.0/0;
pr otocol udp;
destination-port 67-68;
} then {
permit;}
}
entry allowDNS {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}
entry allowNTP {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}
entry allowVNCmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}
entry denylocalSSH {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}
entry SSHmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
permit;}
}
entry allowNetSightin {
if {
source-address 10.0.200.216/32;
destination-address 10.0.99.200/32;
} then {
permit;}
}
entry allowNetSightout {
if {
source-address 10.0.99.200/32;
destination-address 10.0.200.216/32;
} then {
permit;}
}
entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}
entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}
entry denyHTTPswitch {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.200/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}
entry denyICMP {
if {
source-address 10.0.99.0/24;
protocol icmp;
} then {
deny;}
}
#entry allowwinlogon {
# if {
# source-address 10.0.99.0/24;
# protocol tcp;
# destination-port > 1024;
# destination-address 10.0.66.220/32;
# } then {
# permit;}
#}
#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}
#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}
#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}
entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPSinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPSinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPSinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry allowHTTPinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}
entry allowHTTPSinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}
entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}
entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}
entry allowDHCP {
if {
source-address 0.0.0.0/0;
pr otocol udp;
destination-port 67-68;
} then {
permit;}
}
entry allowDNS {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 53;
} then {
permit;}
}
entry allowNTP {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 123;
} then {
permit;}
}
entry allowVNCmgmt {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port 5900-5910;
} then {
permit;}
}
entry denylocalSSH {
if {
source-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
deny;}
}
entry SSHmgmt {
if {
destination-address 10.0.99.0/24;
protocol tcp;
destination-port 22;
} then {
permit;}
}
entry allowNetSightin {
if {
source-address 10.0.200.216/32;
destination-address 10.0.99.200/32;
} then {
permit;}
}
entry allowNetSightout {
if {
source-address 10.0.99.200/32;
destination-address 10.0.200.216/32;
} then {
permit;}
}
entry allowswitchcom {
if {
source-address 10.0.99.200/32;
} then {
permit;}
}
entry allowswitchcom2 {
if {
source-address 10.0.99.254/32;
} then {
permit;}
}
entry denyHTTPswitch {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.200/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPswitch2 {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.254/32;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry allowmakerlab {
if {
source-address 10.0.99.0/24;
destination-address 10.0.99.0/24;
} then {
permit;}
}
entry denyICMP {
if {
source-address 10.0.99.0/24;
protocol icmp;
} then {
deny;}
}
#entry allowwinlogon {
# if {
# source-address 10.0.99.0/24;
# protocol tcp;
# destination-port > 1024;
# destination-address 10.0.66.220/32;
# } then {
# permit;}
#}
#entry allowprint515 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 515;
# } then {
# permit;}
#}
#entry allowprint631 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 631;
# } then {
# permit;}
#}
#entry allowprint9100 {
# if {
# destination-address *printerIP/32;
# protocol tcp;
# destination-port 9100;
# } then {
# permit;}
#}
entry denyHTTPinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 80;
} then {
deny;}
}
entry denyHTTPSinternal10 {
if {
destination-address 10.0.0.0/8;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPSinternal192 {
if {
destination-address 192.168.0.0/16;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry denyHTTPSinternal172 {
if {
destination-address 172.16.0.0/12;
protocol tcp;
destination-port 443;
} then {
deny;}
}
entry allowHTTPinternet {
if {
protocol tcp;
destination-port 80;
} then {
permit;}
}
entry allowHTTPSinternet {
if {
protocol tcp;
destination-port 443;
} then {
permit;}
}
entry allowbidirectional {
if {
destination-address 10.0.99.0/24;
} then {
permit;}
}
entry denyall {
if {
source-address 0.0.0.0/0;
} then {
deny;}
}
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
02-14-2018 04:11 PM
not sure if it applied here, but the difference when using VLAN for ACL is that it applies only to traffic entering the VLAN (not exiting it).
