Control plane ACL in EXOS

Paul_Thornton
New Contributor III
Those on here who know me will know that this is something I bring up around once a year; I thought that this time, I'd put it on here to see if we can gather some crowd-support rather than raise another TAC case that goes nowhere.

Extreme is the only serious vendor (and I'm taking them alongside the likes of Cisco, Juniper, Brocade, etc. here) that doesn't have a decent way to protect the switch control plane (CPU) during normal operation.

Yes, there's all of the 'dos-protect' pps stuff, and that's great at what it does; but that doesn't stop random packets hitting the CPU's bgp, ospf, ssh, snmp etc. processes. The CPU then has to apply its (software) ACL to reject/ignore the connection.

What is missing is that there isn't a way to manually create a 'controlplane.pol' which is applied between the dataplane and CPU, to specifically allow traffic to the CPU and discard everything else. Yes, you need to know what you are doing when creating this policy or you'll break routing protocols etc. That same caveat applies with any vendor.
As a result, anyone using Extreme kit in a service provider environment has devices that are vulnerable to background low-rate attacks from the Internet which do (I have several TAC cases to prove it) cause random kernel panics and/or reboots, and are not seen by dos-protect as they aren't a high pps attack on the switch.

The workaround, such as it is, involves building complex ingress port policy files that allow downstream/upstream traffic through the switch but block traffic destined to it - and when you have a switch that's acting as an edge router with maybe 40 IP addresses (v6 and v4), this becomes a support nightmare for day-to-day operations.

I don't think there is a hardware reason why this can't be achieved - the CPU is in essence a logical port on the data plane, but even if the underlying hardware can't do this then surely implementing pf or some other generic Linux firewall in the EXOS kernel would be better than what we have today.

Unfortunately, it seems that Extreme no longer really care about service provider customers - as things like this and other bugs which are specifically painful to the SP community remain un-addressed for years, despite TAC cases and regular polite (and sometimes not so polite) reminders.

Does anyone else agree - or am I the one person in the community who thinks this is an issue?

Paul.

5 REPLIES

BrandonC
Extreme Employee
Hi Paul,

Have you looked at the 'deny-cpu' ACL action? This looks to do exactly what you are wanting to do, although it looks like there is not a corresponding 'permit-cpu' action to override it, so that you can explicitly permit what you want to hit CPU, then have a catch all entry to match everything else and deny.
'copy-cpu-off' also may be worth a test. You can find more detail on these in the ACL section of the EXOS User Guide.

-Brandon
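For readers who have not built the ingress-port workaround Paul describes, here is what one such policy looks like. This is an added illustration, not a file posted by either participant in the thread, and it has not been tested on any particular EXOS release; the entry names, the peer and management prefixes (documentation ranges from RFC 5737) and the switch's own address 192.0.2.2 are all assumptions. EXOS ACL entries are evaluated first-match, so the explicit permits for control-plane protocols come first, then a catch-all drop for anything else addressed to the switch, then an unconditional permit so transit traffic is not touched:

```text
# ingress-cp-filter.pol
# Added example, not from the original thread. All addresses and entry
# names are assumptions; adjust to the real switch before applying.
# Entries are matched top to bottom, first match wins.

# 1. Control-plane traffic that must reach the CPU: explicit permits first.
entry cp-bgp-peer {
    if match all {
        protocol tcp;
        source-address 192.0.2.1/32;          # assumed eBGP peer
        destination-address 192.0.2.2/32;     # assumed switch address
        destination-port 179;
    } then {
        permit;
        count cp-bgp-peer;
    }
}

entry cp-ospf {
    if match all {
        protocol 89;                          # OSPF, by IP protocol number
    } then {
        permit;
    }
}

entry cp-ssh-from-mgmt {
    if match all {
        protocol tcp;
        source-address 198.51.100.0/24;       # assumed management prefix
        destination-address 192.0.2.2/32;
        destination-port 22;
    } then {
        permit;
    }
}

# 2. Everything else addressed to the switch itself is dropped. This is the
#    "block traffic destined to it" half of the workaround; the counter
#    shows whether low-rate background traffic is actually being caught.
entry cp-drop-rest {
    if match all {
        destination-address 192.0.2.2/32;
    } then {
        deny;
        count cp-drop-rest;
    }
}

# 3. Transit traffic (not addressed to the switch) is left alone.
entry transit {
    if {
    } then {
        permit;
    }
}
```

Validate the file with `check policy ingress-cp-filter` before binding it, then apply it with `configure access-list ingress-cp-filter ports <portlist> ingress` (or `any ingress`). Note what this listing leaves out: every other address the switch answers on, v4 and v6, needs its own permit/deny pair, and ICMP, NTP, SNMP, VRRP, IPv6 neighbour discovery and so on each need an explicit permit ahead of the drop entry, which is exactly the per-address, per-protocol upkeep the post complains about. Per Brandon's reply, `deny-cpu` could be tried in place of `deny` in the catch-all so the hardware handles the drop before the packet is queued to the CPU; that substitution is untested here and, as he notes, has no `permit-cpu` counterpart, so the ordering above still has to do the permit work.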