EXOS dynamic ACL on VLAN not working.

Rahman_Duran
Contributor
Hi,

I want to permit selected subnets and deny all other subnets ingress traffic to our PBX VLAN. I configured the ACLs shown below, but I can still access the PBX VLAN (web pages of IP phones on the PBX VLAN) from everywhere. What could the problem be?

The PBX VLAN's IP subnet is 10.150.101.0/24.

Regards

Rahman

code:
create access-list santral-pbx-010 " source-address 10.242.2.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-020 " source-address 192.168.10.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-030 " source-address 192.168.1.44/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-040 " source-address 192.168.1.183/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-050 " source-address 10.50.0.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-060 " source-address 10.110.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-070 " source-address 10.120.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-080 " source-address 10.130.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-090 " source-address 10.141.26.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-100 " source-address 10.146.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-120 " source-address 10.160.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-130 " source-address 10.111.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ;" application "Cli"
configure access-list add santral-pbx-010 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-020 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-030 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-040 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-050 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-060 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-070 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-080 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-090 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-100 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-110 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-120 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-130 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-deny last priority 0 zone SYSTEM vlan Santral-PBX ingress
1 ACCEPTED SOLUTION

Erik_Auerswald
Contributor II
Hi,

I have not read the ACL exactly, but I think you control the traffic that would be routed to the PBX VLAN in the ACL, but then apply it inbound on the PBX VLAN itself. Thus the ACL does not see the traffic going to the PBX, but it sees traffic sent from the PBX.

You would need to apply an ACL controlling access from outside to the PBX VLAN outbound on the PBX VLAN (egress direction).

On EXOS, ACLs are applied to the physical port, not to the logical routing function (Switched Virtual Interface) as in other implementations (e.g., ExtremeEOS).

Thanks,
Erik


7 REPLIES

Rahman_Duran
Contributor

Hi Erik,

Thanks for the suggestion, I will try it and report back if it works.

Every example I saw on the community hub and GTAC suggested applying the ACL to the ingress of the VLANs. I have read the whole EXOS documentation on ACLs a few times already. I think the documentation needs some clarification on "which traffic is ingress to a VLAN and which is egress from a VLAN". It is not very clear.

When I read the documentation I understand "traffic routed to the VLAN is ingress traffic for that VLAN" and "traffic originating from the VLAN and routed to other VLANs is egress traffic for that VLAN".

Regards,

Rahman

Rahman_Duran
Contributor
Hi,

I just deleted all the dynamic acl rules and created a policy file: "santral-pbx.pol"

code:
entry santralpbx-allowed-networks-01 {
if match all {
source-address 10.242.2.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-02 {
if match all {
source-address 192.168.10.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-03 {
if match all {
source-address 192.168.1.44/32;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-04 {
if match all {
source-address 192.168.1.183/32;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-05 {
if match all {
source-address 10.50.0.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-06 {
if match all {
source-address 10.110.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-07 {
if match all {
source-address 10.120.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-08 {
if match all {
source-address 10.130.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-09 {
if match all {
source-address 10.141.26.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-10 {
if match all {
source-address 10.146.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-11 {
if match all {
source-address 10.150.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-12 {
if match all {
source-address 10.160.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-allowed-networks-13 {
if match all {
source-address 10.111.101.0/24;
destination-address 10.150.101.0/24;
} then {
permit;
count santralpbx-permit-count;
}
}


entry santralpbx-deny-all {
if {
source-address 0.0.0.0/0;
destination-address 10.150.101.0/24;
} then {
deny;
count santralpbx-deny-count;
}
}
As you can see, I permitted some subnets and at the end denied all sources. I applied this policy to the ingress of VLAN "Santral-PBX":

code:
configure access-list santral-pbx vlan "Santral-PBX" ingress


But I can still ping and open the web GUI of IP phones from everywhere. It does not deny traffic as it should. When I look at the counter statistics, it shows this:

code:
SAVSAT-METRO.3 # show access-list counter ingress
Policy Name     Vlan Name     Port   Direction
  Counter Name                Packet Count   Byte Count
==================================================================
santral-pbx     Santral-PBX   *      ingress
  santralpbx-deny-count       0
  santralpbx-permit-count     11431


Any idea why it does not work? Should I apply the policy file to all ports instead of the VLAN?

Regards,

Rahman
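A constructed model of the direction semantics Erik describes in the accepted solution, run against a reduced copy of the santral-pbx.pol file from the last post. This is an added example, not code from the thread or from Extreme Networks. It assumes a minimal topology (only 10.150.101.0/24 sits on Santral-PBX, everything else is "elsewhere"), EXOS's implicit permit for traffic no entry matches, and constructed counter names; the parser handles only the source-address/destination-address, permit/deny and count statements used in the thread.

```python
"""Constructed model of EXOS ACL direction semantics (added example).

A policy bound with 'configure access-list <pol> vlan <name> ingress' is
evaluated on frames entering the switch on that VLAN's ports; bound egress,
it is evaluated on frames leaving on those ports. Unmatched traffic is forwarded.
"""
import ipaddress
import re
from collections import Counter

PBX_SUBNET = ipaddress.ip_network("10.150.101.0/24")
PBX_VLAN = "Santral-PBX"
ANY = ipaddress.ip_network("0.0.0.0/0")

# Reduced copy of the thread's policy: one permitted remote subnet, the
# intra-VLAN permit, and the catch-all deny. Entry and counter names are constructed.
POLICY = """
entry allowed-remote {
    if match all {
        source-address 10.242.2.0/24;
        destination-address 10.150.101.0/24;
    } then { permit; count permit-count; }
}
entry allowed-local {
    if match all {
        source-address 10.150.101.0/24;
        destination-address 10.150.101.0/24;
    } then { permit; count permit-count; }
}
entry deny-all {
    if {
        source-address 0.0.0.0/0;
        destination-address 10.150.101.0/24;
    } then { deny; count deny-count; }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if(?:\s+match\s+all)?\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Parse .pol text into a list of (name, match dict, action, counter name)."""
    entries = []
    for name, match_blk, then_blk in ENTRY_RE.findall(text):
        match = {}
        for stmt in filter(None, (s.strip() for s in match_blk.split(";"))):
            key, value = stmt.split(None, 1)
            match[key] = ipaddress.ip_network(value)
        action, counter = None, None
        for stmt in filter(None, (s.strip() for s in then_blk.split(";"))):
            if stmt in ("permit", "deny"):
                action = stmt
            elif stmt.startswith("count "):
                counter = stmt.split(None, 1)[1]
        entries.append((name, match, action, counter))
    return entries


def apply_policy(entries, src, dst, counters):
    """First matching entry decides; a packet no entry matches is permitted."""
    for _name, match, action, counter in entries:
        if (src in match.get("source-address", ANY)
                and dst in match.get("destination-address", ANY)):
            if counter:
                counters[counter] += 1
            return action
    return "permit"


def vlan_of(ip):
    """Constructed topology: the PBX subnet is on Santral-PBX, all else elsewhere."""
    return PBX_VLAN if ip in PBX_SUBNET else "other-vlan"


def forward(entries, bound_vlan, direction, src, dst, counters):
    """Fate of one packet given the VLAN and direction the policy is bound to.

    ingress on a VLAN sees frames whose *source* is on that VLAN's ports;
    egress on a VLAN sees frames whose *destination* is on that VLAN's ports.
    """
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    side = vlan_of(src) if direction == "ingress" else vlan_of(dst)
    if side != bound_vlan:
        return "permit"          # never evaluated by this binding: forwarded untouched
    return apply_policy(entries, src, dst, counters)


def simulate(direction):
    """Run the thread's scenario with the policy bound to Santral-PBX in one direction."""
    entries = parse_policy(POLICY)
    counters = Counter()
    packets = [                              # constructed sample traffic
        ("172.16.0.5", "10.150.101.10"),     # unlisted subnet -> phone web UI
        ("10.242.2.7", "10.150.101.10"),     # permitted subnet -> phone
        ("10.150.101.10", "10.150.101.20"),  # phone -> phone, same VLAN
        ("10.150.101.10", "172.16.0.5"),     # phone -> outside
    ]
    verdicts = {p: forward(entries, PBX_VLAN, direction, *p, counters) for p in packets}
    return verdicts, dict(counters)


if __name__ == "__main__":
    for d in ("ingress", "egress"):
        print(d, *simulate(d))
```

Bound ingress, every packet is forwarded and only the permit counter moves (from the phone-to-phone traffic), which is exactly the pattern in the show access-list counter output above; bound egress, the unlisted source hits the deny-all entry. Before rebinding on a production switch, check the EXOS Concepts Guide for your platform's egress-ACL support and match-condition limits, and confirm afterwards that the deny counter actually increments.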