04-07-2021 10:08 PM
Hi team,
can you write the command on Extreme to do the same as the below command?
ip access-list extended 100
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
int eth 49
ip access-group 100 out
04-08-2021 10:39 AM
Btw, I was recently thinking about different ways to provide local subnet isolation (besides Policy or port isolation, which can be done on an access switch, but the router is the one to isolate between VLANs). I have enumerated a few ways to achieve this. I'm curious to know other people's point of view on this; let's keep it without a new topic as I don't think it's needed.
Scenario: 1, 10, 100 subnets with employees of different departments and devices of different purposes, separated with VLANs; they are supposed to reach the Internet and/or DC and/or printers VLAN, but not to communicate internally with other departments, the CCTV VLAN or anything else. A least-privilege (zero trust?) approach is to be applied.
Possible solutions IMHO:
Which approach would you guys recommend on a router? One of these or something else? Or dropping inter-subnet traffic between employee departments right away on the access switch with Policy (the simplest case would be to create an Automated Service, I think, but it needs to be different for each department so as not to block the host's own subnet communication if we need it for any reason)?
Thanks,
Tomasz
04-08-2021 10:18 AM
Hi,
You'll have to put that whole input (entry {...}) into a .pol file, either on your computer and then upload it to the switch, or edit it locally on the switch by doing "edit policy ACL-NAME" according to Stefan's syntax to apply that ACL. This built-in editor is Vim-like, as on Linux machines, so to start typing you have to press 'a' or 'i', and when you're done you should press [Esc] and type ':wq' to write and quit the editor.
Hope that helps,
Tomasz
04-08-2021 09:52 AM
Thank you for the reply and help.
I tried, but this command is not supported on the switch; the following message comes up:
entry one {
Invalid input detected
04-08-2021 06:40 AM
Hi,
maybe this article would help you: https://extremeportal.force.com/ExtrArticleDetail?an=000083345&q=ACL
Your ACL needs to look something like this:
entry one {
if match all {
source-address 192.168.6.0/24;
destination-address 192.168.2.0/24;
} then {
deny;
}
}
entry two {
if match all {
source-address 192.168.6.0/24;
destination-address 192.168.5.0/24;
} then {
deny;
}
}
(Traffic that doesn’t match a rule is allowed)
Then you need to apply this ACL to a port or VLAN, for example:
configure access-list ACL-NAME port 49 ingress
or
configure access-list ACL-NAME vlan YOURVLAN ingress
Some more information about ACLs:
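As an added illustration (not code from the thread or from Extreme), the following Python helper performs the translation Stefan describes: it converts the Cisco wildcard-mask entries from the question into EXOS policy entries in .pol syntax, drops the trailing permit-any (redundant, since unmatched traffic is permitted), and refuses non-contiguous wildcards that cannot become a single prefix. The entry names acl_<seq> are an assumed naming convention.

```python
import ipaddress
import re

# Constructed sample input: the Cisco-style ACL from the original question.
CISCO_ACL = """
10 deny ip 192.168.6.0 0.0.0.255 192.168.2.0 0.0.0.255
11 deny ip 192.168.6.0 0.0.0.255 192.168.5.0 0.0.0.255
12 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""
# Optional sequence number, action, 'ip', source/wildcard, destination/wildcard.
ENTRY_RE = re.compile(
    r"^\s*(?:(\d+)\s+)?(deny|permit)\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")
ANY = "0.0.0.0/0"

def wildcard_to_cidr(addr: str, wildcard: str) -> str:
    """Cisco address + wildcard (inverse mask) -> CIDR; rejects non-contiguous masks."""
    netmask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    try:
        net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(netmask))), strict=False)
    except ValueError as exc:  # mixed ones/zeroes cannot become one EXOS prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}") from exc
    return str(net)

def cisco_acl_to_exos_policy(acl_text: str) -> str:
    """Translate the ACL into ordered EXOS policy entries. A trailing
    'permit any any' is dropped: EXOS permits unmatched traffic implicitly."""
    rules = []
    for line in acl_text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"unsupported ACL line: {line!r}")
        seq, action, src, src_wc, dst, dst_wc = m.groups()
        rules.append((seq or str(len(rules) + 1), action,
                      wildcard_to_cidr(src, src_wc), wildcard_to_cidr(dst, dst_wc)))
    if rules and rules[-1][1:] == ("permit", ANY, ANY):
        rules.pop()
    blocks = []
    for seq, action, src, dst in rules:
        # Entry names 'acl_<seq>' are an assumed naming convention, not from the thread.
        conds = [f"        source-address {src};"] if src != ANY else []
        if dst != ANY:
            conds.append(f"        destination-address {dst};")
        if not conds:  # an any/any rule before the end changes later rules' reach
            raise ValueError(f"rule {seq}: any/any is only supported as the final permit")
        blocks.append(f"entry acl_{seq} {{\n    if match all {{\n" + "\n".join(conds)
                      + f"\n    }} then {{\n        {action};\n    }}\n}}")
    return "\n".join(blocks) + "\n"
```

Running `print(cisco_acl_to_exos_policy(CISCO_ACL))` yields two deny entries matching the ones in Stefan's answer, ready to paste into a .pol file.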