‎09-19-2019 06:39 AM
Hi,
I want to permit selected subnets and deny all other subnets ingress traffic to our PBX VLAN. I configured the ACLs shown below. But I can still access the PBX VLAN (web pages of IP phones on the PBX VLAN) from everywhere. What should be the problem?
The PBX VLAN's IP subnet is 10.150.101.0/24
Regards
Rahman
code:
create access-list santral-pbx-010 " source-address 10.242.2.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-020 " source-address 192.168.10.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-030 " source-address 192.168.1.44/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-040 " source-address 192.168.1.183/32 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-050 " source-address 10.50.0.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-060 " source-address 10.110.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-070 " source-address 10.120.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-080 " source-address 10.130.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-090 " source-address 10.141.26.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-100 " source-address 10.146.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-120 " source-address 10.160.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-130 " source-address 10.111.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ;" application "Cli"
configure access-list add santral-pbx-010 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-020 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-030 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-040 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-050 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-060 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-070 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-080 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-090 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-100 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-110 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-120 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-130 last priority 0 zone SYSTEM vlan Santral-PBX ingress
configure access-list add santral-pbx-deny last priority 0 zone SYSTEM vlan Santral-PBX ingress
1 ACCEPTED SOLUTION
‎09-25-2019 03:35 PM
Hi,
I have not read the ACL exactly, but I think you control the traffic that would be routed to the PBX VLAN in the ACL, but then apply it inbound on the PBX VLAN itself. Thus the ACL does not see the traffic going to the PBX, but it sees traffic sent from the PBX.
You would need to apply an ACL controlling access from outside to the PBX VLAN outbound on the PBX VLAN (egress direction).
On EXOS, ACLs are applied to the physical port, not to the logical routing function (Switched Virtual Interface) as in other implementations (e.g., ExtremeEOS).
Thanks,
Erik
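To make the accepted answer's point concrete, here is an added Python model (not EXOS code and not from anyone in the thread) that parses the poster's own access-list syntax and evaluates the same policy bound ingress versus egress on the PBX VLAN. The direction semantics and the no-match default are assumptions drawn from the answer, not verified EXOS behaviour.

```python
"""Model of how an EXOS ACL bound to a VLAN behaves in ingress vs. egress."""
# Added example, not EXOS code. Assumed semantics, taken from the thread:
# an 'ingress' binding sees only packets entering on the VLAN's ports, an
# 'egress' binding sees packets leaving on them (including routed traffic).
import ipaddress
import re

# Constructed subset of the ACL entries from the post, in the same syntax.
ACL_CONFIG = """
create access-list santral-pbx-010 " source-address 10.242.2.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-110 " source-address 10.150.101.0/24 ; destination-address 10.150.101.0/24 ;" " permit ;" application "Cli"
create access-list santral-pbx-deny " source-address 0.0.0.0/0 ; destination-address 10.150.101.0/24 ;" " deny ;" application "Cli"
"""

RULE_RE = re.compile(r'create access-list (\S+) " source-address (\S+) ; '
                     r'destination-address (\S+) ;" " (permit|deny) ;"')

def parse_acl(text):
    """Return (name, src_net, dst_net, action) tuples in configured order."""
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed ACL line: {line}")
        name, src, dst, action = m.groups()
        rules.append((name, ipaddress.ip_network(src),
                      ipaddress.ip_network(dst), action))
    return rules

def evaluate(rules, bound_vlan, direction, pkt):
    """First matching entry wins. pkt has src, dst, in_vlan, out_vlan."""
    seen_vlan = pkt["in_vlan"] if direction == "ingress" else pkt["out_vlan"]
    if seen_vlan != bound_vlan:
        return "permit"   # the ACL is never consulted for this packet
    src, dst = ipaddress.ip_address(pkt["src"]), ipaddress.ip_address(pkt["dst"])
    for _name, src_net, dst_net, action in rules:
        if src in src_net and dst in dst_net:
            return action
    return "permit"   # assumed: no matching entry means forward

RULES = parse_acl(ACL_CONFIG)
# Constructed packet: a host on another VLAN browsing an IP phone's web page.
OUTSIDER = {"src": "192.168.50.10", "dst": "10.150.101.5",
            "in_vlan": "Users", "out_vlan": "Santral-PBX"}

def as_posted():    # bound 'ingress' on Santral-PBX, as in the question
    return evaluate(RULES, "Santral-PBX", "ingress", OUTSIDER)

def as_fixed():     # bound 'egress' on Santral-PBX, as the answer suggests
    return evaluate(RULES, "Santral-PBX", "egress", OUTSIDER)
```

With the ingress binding the routed packet never reaches the ACL, so the explicit deny entry is never evaluated; with the egress binding it is denied as intended.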
7 REPLIES
‎10-01-2021 03:55 PM
OMGOMG I feel as confused as possible coming from Cisco. Ingress/egress rattles my thinking and blocks me from the correct command syntax.
‎09-27-2019 06:39 AM
"I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs."
I agree. Either more real-world examples in the user guide or a reference to a collection of such examples on the web would be very helpful. Sadly, this seems to be a hard nut for Extreme to crack, probably due to unwillingness to put out examples that may break in future releases, ending up in support cases where customers want this or that example to work in their environment. I guess that's what this forum is supposed to address to some extent.
‎09-27-2019 06:17 AM
Hi,
@Erik Auerswald @FredrikB thank you both for your help. Applying the ACL to the egress of the PBX VLAN solved the issue.
I still think EXOS documentation needs more polishing and more examples about the routed traffic directions about VLANs.
Regards,
Rahman
‎09-26-2019 12:29 PM
Ingress and egress can be confusing, especially with VLANs. Ingress to a VLAN means packets coming in on a port that is a member of that VLAN, tagged or not. I honestly don't know if a packet that is being routed from another VLAN and then passes a certain VLAN is actually considered as ingressing that VLAN, but I don't think so as it is actually rather egressing the port and hence it is considered egressing the VLAN.
It should be fairly simple to find out by applying your policy on ingress on some other VLAN that is supposed to be blocked by the policy.
/Fredrik
