EXOS dynamic ACL on VLAN not working.

Rahman_Duran
Contributor II
Hi,

I want to permit selected subnets and deny all other subnets ingress traffic to our PBX VLAN. I configured the ACLs shown below. But I can still access the PBX VLAN (web pages of IP phones on the PBX VLAN) from everywhere. What should be the problem?

The PBX VLAN's IP subnet is 10.150.101.0/24

Regards

Rahman

code:
create access-list santral-pbx-010 " source-address 10.242.2.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-020 " source-address 192.168.10.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-030 " source-address 192.168.1.44/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-040 " source-address 192.168.1.183/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-050 " source-address 10.50.0.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-060 " source-address 10.110.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-070 " source-address 10.120.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-080 " source-address 10.130.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-090 " source-address 10.141.26.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-100 " source-address 10.146.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-120 " source-address 10.160.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-130 " source-address 10.111.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ;" application "Cli"

configure access-list add santral-pbx-010 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-020 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-030 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-040 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-050 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-060 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-070 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-080 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-090 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-100 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-110 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-120 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-130 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-deny last priority 0 zone SYSTEM vlan Santral-PBX ingress
1 ACCEPTED SOLUTION

Erik_Auerswald
Contributor II
Hi,

I have not read the ACL exactly, but I think you control the traffic that would be routed to the PBX VLAN in the ACL, but then apply it inbound on the PBX VLAN itself. Thus the ACL does not see the traffic going to the PBX, but it sees traffic sent from the PBX.

You would need to apply an ACL controlling access from outside to the PBX VLAN outbound on the PBX VLAN (egress direction).

On EXOS, ACLs are applied to the physical port, not to the logical routing function (Switched Virtual Interface) as in other implementations (e.g., ExtremeEOS).

Thanks,
Erik


7 REPLIES

bcyrus
New Contributor

OMGOMG I feel as confused as possible coming from Cisco. Ingress/Egress rattles my thinking and blocks me from the correct command syntax.

FredrikB
Contributor II
"I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs."

I agree. Either more real-world examples in the user guide or a reference to a collection of such examples on the web would be very helpful. Sadly, this seems to be a hard nut for Extreme to crack, probably due to unwillingness to put out examples that may break in future releases, ending up in support cases where customers want this or that example to work in their environment. I guess that's what this forum is supposed to address to some extent.

Rahman_Duran
Contributor II
Hi,

@Erik Auerswald @FredrikB thank you both for your help. Applying the ACL to the egress of the PBX VLAN solved the issue.

I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs.

Regards,

Rahman

FredrikB
Contributor II
Ingress and egress can be confusing, especially with VLANs. Ingress to a VLAN means packets coming in on a port that is a member of that VLAN, tagged or not. I honestly don't know if a packet that is being routed from another VLAN and then passes a certain VLAN is actually considered as ingressing that VLAN, but I don't think so as it is actually rather egressing the port and hence it is considered egressing the VLAN.

It should be fairly simple to find out by applying your policy on ingress on some other VLAN that is supposed to be blocked by the policy.

/Fredrik
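The direction semantics that Erik's accepted answer and Fredrik's last reply describe can be made concrete with a small model. The following Python is an added example, not code from the thread or from Extreme: it models a switch that routes between VLANs and consults a VLAN-bound ACL only for packets entering (ingress) or leaving (egress) the switch on that VLAN's ports. The rule set is a shortened copy of the posted "santral-pbx" policy; the VLAN names "Office" and "Guest", the 172.16.0.0/24 subnet, and the implicit-permit default for unmatched traffic are constructed assumptions of the model. It shows the three placements discussed above: the original ingress binding on the PBX VLAN never sees routed traffic aimed at the PBX, the egress binding on the PBX VLAN denies it, and Fredrik's suggested test (ingress on a VLAN that should be blocked) denies it as well.

```python
"""Where a VLAN-bound ACL sees routed traffic (constructed model, added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PBX_NET = ip_network("10.150.101.0/24")

# Shortened copy of the posted policy: ordered (source, destination, action).
PBX_POLICY = [
    (ip_network("10.242.2.0/24"), PBX_NET, "permit"),
    (ip_network("192.168.10.0/24"), PBX_NET, "permit"),
    (ip_network("192.168.1.44/32"), PBX_NET, "permit"),
    (PBX_NET, PBX_NET, "permit"),              # intra-VLAN traffic (rule 110)
    (ip_network("0.0.0.0/0"), PBX_NET, "deny"),  # everything else to the PBX
]

# Constructed routing table: which VLAN owns which subnet (assumed names).
VLAN_OF_SUBNET = {
    ip_network("10.150.101.0/24"): "Santral-PBX",
    ip_network("10.242.2.0/24"): "Office",
    ip_network("172.16.0.0/24"): "Guest",
}


@dataclass(frozen=True)
class AclBinding:
    vlan: str
    direction: str  # "ingress" or "egress"


def vlan_for(addr) -> str:
    """Return the VLAN whose subnet contains addr (constructed lookup)."""
    for net, vlan in VLAN_OF_SUBNET.items():
        if addr in net:
            return vlan
    raise ValueError(f"no VLAN routes {addr}")


def evaluate_policy(policy, src, dst) -> str:
    """First-match evaluation; unmatched traffic is permitted in this model."""
    for rule_src, rule_dst, action in policy:
        if src in rule_src and dst in rule_dst:
            return action
    return "permit"


def forward(binding: AclBinding, policy, src_ip: str, dst_ip: str) -> str:
    """Decide the fate of one routed packet given a single VLAN ACL binding."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    in_vlan, out_vlan = vlan_for(src), vlan_for(dst)
    # A routed packet is ingress on the source VLAN's ports and egress on the
    # destination VLAN's ports; it is never ingress on the destination VLAN.
    seen = (binding.direction == "ingress" and binding.vlan == in_vlan) or (
        binding.direction == "egress" and binding.vlan == out_vlan
    )
    if not seen:
        return "forwarded (ACL not consulted)"
    return evaluate_policy(policy, src, dst)


def compare_bindings(src_ip: str, dst_ip: str) -> dict:
    """Run one packet through the three placements discussed in the thread."""
    bindings = {
        "ingress on Santral-PBX (original)": AclBinding("Santral-PBX", "ingress"),
        "egress on Santral-PBX (fix)": AclBinding("Santral-PBX", "egress"),
        "ingress on Guest (Fredrik's test)": AclBinding("Guest", "ingress"),
    }
    return {name: forward(b, PBX_POLICY, src_ip, dst_ip) for name, b in bindings.items()}


if __name__ == "__main__":
    for src, dst in [("172.16.0.9", "10.150.101.10"), ("10.242.2.5", "10.150.101.10")]:
        print(f"{src} -> {dst}")
        for name, result in compare_bindings(src, dst).items():
            print(f"  {name:38} {result}")
```

The ingress binding on Santral-PBX does evaluate traffic sourced inside the PBX VLAN, which is why the original configuration appeared to be "working" without blocking anything: the only packets it saw were the ones rule 110 permits or that match no rule at all.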