
VSP and ACL's (and some XMC)

XTRMUser
Contributor
First time poster. A few questions, but related. All VSPs are running VOSS 8.4.3.0.

1. I'm trying to limit access to some ERS switch IP addresses using ACLs. The switches' IP addresses are in a VLAN. So far, I have IPs of permitted users (network admins), IPs of XMC/NAC servers, deny everybody else. Because these switches have EAP enabled ports, I think I also need to permit IPs of DHCP servers. We are a Windows shop, so do I also need IPs of Active domain controllers/DNS servers?

2. I'm also trying to limit access to VSP switches, also using ACLs. These have CLIP addresses, and are not part of a VLAN. Here are the first few lines of a regular inVlan ACL (in docs that I have seen so far).

filter acl 10 type invlan name "Limit access to VSP"
filter acl vlan 10 <vlan number>
filter acl ace 10 10 ...

Since the CLIP addresses are not part of a VLAN, should I skip the 2nd line? Or leave it in with a dummy VLAN number?

3. Finally, is there some good documentation on VOSS ACLs? I'm aware of https://download.avaya.com/css/public/documents/101008810, but wondering if there is an updated version? Or is there an Extreme/other course about this?

Thanks for any help.

Ludovico_Steven
Extreme Employee
Yes, I also tested it. So, thinking about this again, if the access-policy "http" protocol allows or denies both http and https at the same time, then this means that it does actually work for https. So the question now is whether there is any value in using access-policies to allow some users to access the web interface with HTTP and other users with HTTPS. And I don't quite see a use case for that. You probably want to allow http/https, as you can do today, and then simply set the web-server to only operate with HTTPS. Why change the existing behaviour?
Note that RESTCONF is using a different HTTP stack internally, hence the use of a different 8080 port number. So we would probably simply add "restconf" as another option under access-policies.

XTRMUser
Contributor
It appears (with early limited testing) that blocking HTTPS is done with HTTP. In other words, by denying/permitting HTTP, HTTPS is also denied/permitted. But it would be nice to have it explicitly shown.

Ludovico_Steven
Extreme Employee
Raised with product management the fact that we are missing https in access-policies at the moment. As this is an easy change, it looks like this will be added in a future release.

XTRMUser
Contributor
Did some digging and experimentation. access-policy will do great, except...

There are 5 services/ports that a VSP switch has open (according to nmap). 4 of them are listed in the access-policy to permit/deny. The missing one is https. So limiting access to a VSP switch, when I can't stop https, is lacking. The only VSP commands I see are:

web-server enable
no web-server secure-only

We can limit http using access-policy, but not https. The only option is to disable web-server totally, but it is nice to use EDM, which requires web-server 🙂

Any thoughts???

Thanks.
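The gap this post describes, an exposed service with no matching access-policy keyword, is something a defender can check mechanically rather than by eye. The following Python script is an added example, not code from the thread or from Extreme: it parses constructed nmap grepable output (-oG) for a hypothetical VSP management address and reports open ports that none of the configured access-policy services cover. The port-to-keyword mapping for ssh, telnet and snmp and the sample scan are assumptions; the thread itself only states that http is a policy keyword and https is not, and that early testing suggests the http rule also governs https.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of nmap grepable output (-oG) for a hypothetical VSP
# management address. This is not from the original post; the thread only
# says nmap found five open services on the switch.
NMAP_GREPABLE = """\
# Nmap scan (constructed sample) as: nmap -sS -sU -oG - 192.0.2.10
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh///, 23/open/tcp//telnet///, 80/open/tcp//http///, 443/open/tcp//https///, 161/open/udp//snmp///\tIgnored State: closed (996)
# Nmap done
"""

# Assumed mapping from (protocol, port) to the access-policy service keyword
# that governs it. Only "http" is confirmed by the thread; the others are
# assumptions made for this example. There is deliberately no entry for 443,
# because the thread reports that https has no keyword of its own.
PORT_TO_SERVICE: Dict[Tuple[str, int], str] = {
    ("tcp", 22): "ssh",
    ("tcp", 23): "telnet",
    ("tcp", 80): "http",
    ("udp", 161): "snmp",
}

# Per the thread's early testing, the http rule also appears to govern https.
# Recorded separately so the report can say "covered only by implication".
IMPLIED_BY: Dict[Tuple[str, int], str] = {("tcp", 443): "http"}


def parse_nmap_grepable(text: str) -> Set[Tuple[str, int]]:
    """Return the set of (proto, port) pairs that nmap reported as open."""
    open_ports: Set[Tuple[str, int]] = set()
    for line in text.splitlines():
        m = re.search(r"Ports:\s*(.*?)(?:\t|$)", line)
        if not m:
            continue
        for entry in m.group(1).split(","):
            # grepable field order: port/state/proto/owner/service/rpc/version/
            fields = entry.strip().split("/")
            if len(fields) < 3:
                continue
            port, state, proto = fields[0], fields[1], fields[2]
            if state == "open":
                open_ports.add((proto, int(port)))
    return open_ports


def policy_gaps(open_ports: Set[Tuple[str, int]],
                policy_services: Set[str]) -> List[Tuple[str, int, Optional[str]]]:
    """Return open ports with no explicit access-policy keyword in the policy.

    Each element is (proto, port, keyword) where keyword is the access-policy
    service that would have covered it, or None if no keyword exists at all.
    Ports that are covered only by implication (IMPLIED_BY) are still reported
    as gaps, because a policy should not rely on undocumented behaviour.
    """
    gaps: List[Tuple[str, int, Optional[str]]] = []
    for proto, port in sorted(open_ports):
        keyword = PORT_TO_SERVICE.get((proto, port))
        if keyword is None or keyword not in policy_services:
            gaps.append((proto, port, keyword))
    return gaps


def describe_gap(gap: Tuple[str, int, Optional[str]], policy_services: Set[str]) -> str:
    """Human-readable verdict for one gap, noting implied coverage where known."""
    proto, port, keyword = gap
    implied = IMPLIED_BY.get((proto, port))
    if keyword is None and implied in policy_services:
        return f"{proto}/{port}: no keyword; covered only by the '{implied}' rule (verify on the device)"
    if keyword is None:
        return f"{proto}/{port}: no access-policy keyword exists for this service"
    return f"{proto}/{port}: keyword '{keyword}' is not in the configured policy"


if __name__ == "__main__":
    # Constructed policy matching the post: four services listed, https missing.
    configured = {"ssh", "telnet", "http", "snmp"}
    found = parse_nmap_grepable(NMAP_GREPABLE)
    for gap in policy_gaps(found, configured):
        print(describe_gap(gap, configured))
```

Run against the constructed sample it reports only tcp/443, flagged as covered by the http rule by implication. Feeding it a real `nmap -oG` file and the service keywords actually configured turns the post's manual nmap-versus-access-policy comparison into a repeatable check after each policy change.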