ACL conversion sanity check please.

Ron_Prague
New Contributor II
I'm new to Extreme core switches. I've used their edge products for years, but usually in one-off iSCSI deployments or, more recently, for limited AVB deployments.

We're replacing our HP ProCurve cores with 8810s, and I'd like someone to take a quick look at this ACL I'm converting and point out anything I'm missing; this is my first time dealing with Extreme's ACL usage.

We have a learning center that needs access to internal DNS, KMS and then access to the internet, while blocking access to all other internal corporate resources.

Here's the HP ACL:
ip access-list extended "100"
   10 permit tcp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0 eq 1688
   10 remark "Allow LC to KMS server on DC2"
   20 permit tcp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
   20 remark "Allow LC to tcp DNS on DC1"
   30 permit udp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53
   30 remark "Allow LC to udp DNS on DC1"
   40 permit icmp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0
   40 remark "Allow ping to DC2 LC"
   50 permit icmp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0
   50 remark "Allow ping to DC1 from LC"
   60 permit ip 172.17.0.0 0.0.255.255 172.16.0.249 0.0.0.0
   60 remark "Allow LC to Fortigate internal"
   80 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255
   80 remark "Block LC from local corp network"
   90 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255
   90 remark "Block LC from remote corp networks"
   110 permit ip 172.17.0.0 0.0.255.255 0.0.0.0 255.255.255.255
   110 remark "Allow LC out to the internet"
   exit
and here's the Extreme version, which I think is right:

entry permit_ICMP_dc1 { if match all { source-address 172.17.0.0/16; protocol ICMP; destination-address 172.16.5.55/32; } then { permit; } }
entry permit_ICMP_dc2 { if match all { source-address 172.17.0.0/16; protocol ICMP; destination-address 172.16.5.40/32; } then { permit; } }
entry permit_TCPDNS_dc1 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.55/32; destination-port 53; } then { permit; } }
entry permit_TCPDNS_dc2 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.40/32; destination-port 53; } then { permit; } }
entry permit_UDPDNS_dc1 { if match all { source-address 172.17.0.0/16; protocol UDP; destination-address 172.16.5.55/32; destination-port 53; } then { permit; } }
entry permit_UDPDNS_dc2 { if match all { source-address 172.17.0.0/16; protocol UDP; destination-address 172.16.5.40/32; destination-port 53; } then { permit; } }
entry permit_KMS_dc2 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.40/32; destination-port 1688; } then { permit; } }
entry permit_IP_FG600C { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 172.16.0.249/32; } then { permit; } }
entry deny_LC_localcorp { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 172.16.0.0/16; } then { deny; } }
entry deny_LC_remotecorp { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 10.0.0.0/8; } then { deny; } }
entry permit_LC_internet { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 0.0.0.0/0; } then { permit; } }
Did I miss anything? Will this work OK?

Thanks!

Ron_Prague
New Contributor II
There's an entry in the middle that denies all traffic from 172.17.0.0/16 to 172.16.0.0/16, except for the rules we matched earlier (DNS, ICMP and KMS):

entry deny_LC_localcorp { if match all { source-address 172.17.0.0/16; destination-address 172.16.0.0/16; } then { deny; } }

Andrew_Maldonad
Extreme Employee
Ron,

"IP" is an invalid protocol match condition. Once protocol IP was removed as a match condition from the last 4 entries, the policy check cleared.

After creating the policy file, the "check policy" command can be used to verify that the syntax is correct.

Please let me know if there are any questions or concerns.

Andrew

Thanks Andrew, I found that out about an hour after I posted this by using the check policy command.

Paul_Russo
Extreme Employee
Hey Ron

At first pass I would say you got it all right. One suggestion I would make is to add a counter to each ACL statement so that you can see if traffic is hitting it; it is good for troubleshooting the policy. Just add count;

Also remember that we look at ACLs on ingress by default, so when you assign this policy make sure your traffic pattern is in the direction of the source/destination IP or port number. Lastly, we have an implicit permit, so if you do not deny we will forward.

Let us know how it goes.

P

This is how the ACL is applied (on both core switches):
configure access-list learningcenter vlan "LC" ingress

One more thing: the final statement,
entry permit_LC_internet { if match all { source-address 172.17.0.0/16; destination-address 0.0.0.0/0; } then { permit; } }
isn't necessary then, because there is an implicit permit at the end of the ACL?

Extreme ACLs are still done top-down processing I assume?
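Added example (not code from the thread or from Extreme): a small Python first-match simulator of the policy posted above, with the invalid "protocol IP" condition dropped as Andrew advised. It assumes what the replies state, top-down first-match processing and an implicit permit when nothing matches, and runs constructed sample flows from one learning-center host to show which entry each flow hits, that the final permit_LC_internet entry changes nothing, and that moving the deny above the permits would break KMS; the per-entry hit counters stand in for Paul's count; suggestion.

```python
from ipaddress import ip_address, ip_network

LC = "172.17.0.0/16"
# Entries in policy-file order; fields: name, source, destination, protocol,
# destination-port, action. None means no match condition on that field.
POLICY = [
    ("permit_ICMP_dc1",    LC, "172.16.5.55/32",  "icmp", None, "permit"),
    ("permit_ICMP_dc2",    LC, "172.16.5.40/32",  "icmp", None, "permit"),
    ("permit_TCPDNS_dc1",  LC, "172.16.5.55/32",  "tcp",  53,   "permit"),
    ("permit_TCPDNS_dc2",  LC, "172.16.5.40/32",  "tcp",  53,   "permit"),
    ("permit_UDPDNS_dc1",  LC, "172.16.5.55/32",  "udp",  53,   "permit"),
    ("permit_UDPDNS_dc2",  LC, "172.16.5.40/32",  "udp",  53,   "permit"),
    ("permit_KMS_dc2",     LC, "172.16.5.40/32",  "tcp",  1688, "permit"),
    ("permit_IP_FG600C",   LC, "172.16.0.249/32", None,   None, "permit"),
    ("deny_LC_localcorp",  LC, "172.16.0.0/16",   None,   None, "deny"),
    ("deny_LC_remotecorp", LC, "10.0.0.0/8",      None,   None, "deny"),
    ("permit_LC_internet", LC, "0.0.0.0/0",       None,   None, "permit"),
]

# Constructed sample flows (not real traffic): (src, dst, proto, dport).
FLOWS = {
    "kms_to_dc2":        ("172.17.3.10", "172.16.5.40", "tcp", 1688),
    "dns_udp_to_dc1":    ("172.17.3.10", "172.16.5.55", "udp", 53),
    "smb_to_dc2":        ("172.17.3.10", "172.16.5.40", "tcp", 445),
    "smb_to_fileserver": ("172.17.3.10", "172.16.20.7", "tcp", 445),
    "https_to_remote":   ("172.17.3.10", "10.40.1.5",   "tcp", 443),
    "https_to_internet": ("172.17.3.10", "203.0.113.9", "tcp", 443),
}

def matches(entry, src, dst, proto, dport):
    _, e_src, e_dst, e_proto, e_port, _ = entry
    return (ip_address(src) in ip_network(e_src)
            and ip_address(dst) in ip_network(e_dst)
            and (e_proto is None or e_proto == proto)
            and (e_port is None or e_port == dport))

def evaluate(policy, flow, counters=None):
    """First matching entry wins; a flow matching nothing is forwarded (implicit permit)."""
    for entry in policy:
        if matches(entry, *flow):
            if counters is not None:  # what a count; action would record
                counters[entry[0]] = counters.get(entry[0], 0) + 1
            return entry[0], entry[5]
    return "implicit", "permit"

def audit(policy):
    """Return ({flow: (entry, action)}, {entry: hits}) over all sample flows."""
    counters = {}
    results = {name: evaluate(policy, flow, counters) for name, flow in FLOWS.items()}
    return results, counters
```

Dropping the final entry (audit(POLICY[:-1])) gives the internet flow the same forwarding verdict via the implicit permit, while reordering the deny ahead of the permits turns the KMS flow into a deny.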