07-29-2021 09:56 AM
Hi Community,
I have a customer who uses XOS switches exclusively for L2 connectivity. The network is segmented and the central routing instance is the firewall.
This firewall only supports one IP helper address. This address is already in use for a DHCP server.
I would like to create another bootprelay on an Extreme device to relay the DHCP packets to the PXE server, too. But sadly, I need to enable ipforwarding on both VLANs to get bootprelay running. As this could be used to bypass the central firewall, it is not allowed for security reasons.
So, what I would like to do is to define an access list which only permits the bootprelay packets to get forwarded on L3, while all other traffic may be forwarded on L2 but not on L3 (as this has to happen on the firewall).
If there is another way to realize what I am planning, I would be interested, too!
Any ideas on this?
Best Regards,
Robert
07-30-2021 06:26 PM
Hi Robert,
as long as users have the firewall as the default GW and are not allowed to manually call EXOS for any remote destination forwarding, it should be good. Of course, the EXOS IP must not be allowed to be set as the gateway at all costs.
ACL might be tricky. I don't see an ACL option to pick "routed packets" for filtering. Perhaps packets destined towards the switch's MAC address should be denied. But then, management traffic to it will be impaired. Two+ entries are needed then:
I think this might work.
Mgmt traffic from within the mgmt subnet will have both MAC and IP accurately pointing to the switch. The rule has to be IP-based to not allow routing of mgmt protocols through the switch.
If it's SSH it will be allowed because of the first rule (just an example for one mgmt protocol).
If it's something else, like Telnet to the switch, it won't be allowed.
If it's something the switch would be asked to route, the packet would contain a remote IP and the switch MAC. The first rule wouldn't apply so the second would be matched and the packet should get denied.
Caveat is, any to-the-switch protocols must be allowed explicitly.
Just a quick food for thought.
Hope that helps,
Tomasz
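An added sketch of the two-entry EXOS ACL policy described above (this is not Tomasz's or Robert's configuration; the switch IP 10.10.10.1, the switch MAC 00:04:96:00:00:01, the policy name relay_only and the VLAN name clients are placeholders). It also permits ARP and the DHCP server's replies to the relay, since the deny on the switch MAC would otherwise stop the relay itself from working:

```text
# relay_only.pol -- apply with:
#   configure access-list relay_only vlan clients ingress
# Entries are evaluated top-down; EXOS permits traffic that matches no entry,
# so the catch-all deny on the switch MAC must be the last entry.

# ARP to/from the switch (not IP, would otherwise hit the MAC deny below)
entry permit_arp {
    if { ethernet-type 0x0806; } then { permit; }
}

# Example management protocol: SSH addressed to the switch IP itself
entry permit_ssh_to_switch {
    if {
        destination-address 10.10.10.1/32;
        protocol tcp;
        destination-port 22;
    } then { permit; }
}

# DHCP server replies come back unicast to the relay agent (giaddr), UDP/67
entry permit_dhcp_reply_to_relay {
    if {
        destination-address 10.10.10.1/32;
        protocol udp;
        destination-port 67;
    } then { permit; }
}

# Anything else framed to the switch MAC is a candidate for L3 forwarding:
# remote destination IP behind the switch MAC. Drop it so routing must
# happen on the firewall. Client DHCP discovers are broadcast and do not
# match this entry, so bootprelay still sees them.
entry deny_routed_via_switch {
    if { ethernet-destination-address 00:04:96:00:00:01; } then { deny; }
}
```

Every additional protocol the switch itself must answer (SNMP, NTP, the other VLAN's relay traffic) needs its own permit entry above the final deny, which is the caveat Tomasz points out.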
07-29-2021 10:37 AM
Install a Linux machine with DHCP relay installed and relay from the firewall to this Linux machine and from there to the DHCP and PXE servers.
Not nice, but should work.