ACL
‎09-27-2018 03:31 PM
We don't allow non-company-owned assets to connect to our network, but we have a need to allow a vendor to connect to our network for the purpose of managing our phone system. When we had our Cisco switches, I would allow access to that subnet but then block all RFC 1918 addresses. I'm having trouble doing that with our new Summit switches.
I used the following as a guide to build my configuration as such.
https://extremeportal.force.com/ExtrArticleDetail?an=000061806
entry PermitVendor {
if match all {
destination-address 192.168.100.0/24 ;
}
then {
permit ;
}
}
entry DenyRFC1817 {
if match any {
destination-address 192.168.0.0/16 ;
destination-address 172.16.0.0/12 ;
destination-address 10.0.0.0/8 ;
}
then {
deny ;
}
}
This policy doesn't work; there are 2 issues.
First, this policy doesn't pass muster because it has multiple destination-address statements. How can I use as few lines of code as possible to achieve my goal of denying all private address communications?
Secondly, if I tell it to block 192.168.0.0/16, my permit policy from above doesn't work. It works if I deny 192.168.200.0/24 instead. I can only assume that I'm permitting 192.168.100.0/24 but then immediately denying it with 192.168.0.0/16...
Third, I didn't outline here but I need them to get to the Internet which means they need to use my internal DNS. So I need to create another rule that will allow port 53 traffic to my DNS hosts.
Thanks!
‎09-27-2018 05:39 PM
I've confirmed I can't pull up web pages or even RDP into devices on the 192.168.1.x subnet. Why do some things seem to work without an implicit allow? I'd prefer nothing work without a deny.
I'm applying this ACL to a specific port as an ingress (I also tried it as egress just for the fun of it).
Side note (should anyone else come after me), I found this useful: https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Python/IOStoPolicy
Thanks.
‎09-27-2018 03:55 PM
entry PermitVendor {
    if {
        destination-address 192.168.100.0/24 ;
    }
    then {
        permit ;
    }
}
entry Deny192 {
    if {
        destination-address 192.168.0.0/16 ;
    }
    then {
        deny ;
    }
}
entry Deny172 {
    if {
        destination-address 172.16.0.0/12 ;
    }
    then {
        deny ;
    }
}
entry Deny10 {
    if {
        destination-address 10.0.0.0/8 ;
    }
    then {
        deny ;
    }
}
For your second question, it should work as long as you have the more specific permit before more general deny. The third point is the same, just make sure the port 53 permit is before the denies.
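Added example (not code from the thread, from Extreme Networks, or from the IOStoPolicy script): it generates the corrected policy the reply describes, with one destination-address per entry, the port 53 permits and the vendor permit ahead of the three RFC 1918 denies, and then simulates EXOS first-match evaluation so the effect of entry order is visible. The vendor subnet 192.168.100.0/24 comes from the original post; the DNS server addresses 192.168.1.10 and 192.168.1.11 and the test destinations are assumptions. A packet that matches no entry is modelled as forwarded (the implicit permit the second post runs into); confirm that on your own release before relying on it.

```python
# Added example, not code from the thread or from Extreme Networks.
# Builds the corrected ACL policy (one destination-address per entry,
# specific permits ahead of the broad RFC 1918 denies) and simulates
# top-down first-match evaluation to show why PermitVendor must precede
# Deny192. DNS server addresses below are assumed; the vendor subnet
# is the one from the original post.
from ipaddress import ip_address, ip_network

VENDOR_SUBNET = "192.168.100.0/24"              # from the original post
DNS_SERVERS = ["192.168.1.10", "192.168.1.11"]  # assumed internal resolvers
RFC1918 = {"Deny10": "10.0.0.0/8",
           "Deny172": "172.16.0.0/12",
           "Deny192": "192.168.0.0/16"}


def build_entries():
    """Return (name, match-conditions, action) tuples in the order they must appear."""
    entries = []
    # Port 53 permits first: UDP and TCP to each resolver, before any deny.
    for i, dns in enumerate(DNS_SERVERS, 1):
        for proto in ("udp", "tcp"):
            entries.append((f"PermitDNS{i}{proto.upper()}",
                            {"protocol": proto,
                             "destination-address": f"{dns}/32",
                             "destination-port": 53},
                            "permit"))
    # Specific vendor permit next, ahead of the /16 deny that also covers it.
    entries.append(("PermitVendor", {"destination-address": VENDOR_SUBNET}, "permit"))
    # One destination-address per entry; several in one entry is rejected.
    for name, net in RFC1918.items():
        entries.append((name, {"destination-address": net}, "deny"))
    return entries


def render(entries):
    """Emit EXOS policy-file text; 'if match all' needs every condition to hold."""
    out = []
    for name, match, action in entries:
        out.append(f"entry {name} {{")
        out.append("    if match all {")
        for cond, value in match.items():
            out.append(f"        {cond} {value} ;")
        out.append("    }")
        out.append("    then {")
        out.append(f"        {action} ;")
        out.append("    }")
        out.append("}")
    return "\n".join(out) + "\n"


def evaluate(entries, dst, proto=None, dport=None):
    """First matching entry wins, top to bottom. A packet matching nothing is
    modelled as forwarded (implicit permit); verify that on your EXOS release."""
    for name, match, action in entries:
        if ("destination-address" in match
                and ip_address(dst) not in ip_network(match["destination-address"])):
            continue
        if match.get("protocol", proto) != proto:
            continue
        if match.get("destination-port", dport) != dport:
            continue
        return name, action
    return None, "permit"


ENTRIES = build_entries()
# The ordering the reply warns against: broad denies ahead of the permits.
WRONG_ORDER = ([e for e in ENTRIES if e[2] == "deny"]
               + [e for e in ENTRIES if e[2] == "permit"])

if __name__ == "__main__":
    print(render(ENTRIES))
    # Constructed test packets: vendor SIP, DNS lookup, RDP to a LAN host, HTTPS out.
    for dst, proto, port in [("192.168.100.5", "tcp", 5060), ("192.168.1.10", "udp", 53),
                             ("192.168.1.5", "tcp", 3389), ("203.0.113.9", "tcp", 443)]:
        print(dst, proto, port, "->", evaluate(ENTRIES, dst, proto, port))
    print("vendor host with denies first ->",
          evaluate(WRONG_ORDER, "192.168.100.5", "tcp", 5060))
```

Running it prints the policy text you can paste into a .pol file and then the verdict for each constructed packet; the last line shows the vendor host being caught by Deny192 as soon as the denies are moved above the permit, which is the symptom the original post describes.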
