This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Extreme Networks
- Community List
- Switching & Routing
- ExtremeSwitching (VSP/Fabric Engine)
- Re: VSP and ACL's (and some XMC)
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
VSP and ACL's (and some XMC)
VSP and ACL's (and some XMC)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
04-12-2022 10:34 AM
First time poster. A few questions, but related. All VSP's are running VOSS 8.4.3.0
1. I'm trying to limit access to the some ERS switch IP addresses using ACL's. The switches IP addresses are in a VLan. So far, I have IP's of permitted users (network admins), IP's of XMC/NAC servers, deny everybody else. Because these switches have EAP enabled ports, I think I also need to permit IP's of DHCP servers. We are a Windows shop, so do I also need IP's of Active domain controllers/DNS servers?
2. I'm also trying to limit access to VSP switches, also using ACL's. These have CLIP addresses, and are not part of a VLan. Here are the first few lines of a regular inVlan ACL (in docs that I have seen so far).
filter acl 10 type invlan name "Limit access to VSP"
filter acl vlan 10 <vlan number>
filter acl ace 10 10 ...
Since the CLIP addresses are not part of a VLan, should I skip the 2nd line? Or leave it in with a dummy vlan number?
3. Finally, is there some good documentation on VOSS ACL's? I'm aware of https://download.avaya.com/css/public/documents/101008810, but wondering if there is an updated version? Or is there an Extreme/other course about this?
Thanks for any help.
1. I'm trying to limit access to the some ERS switch IP addresses using ACL's. The switches IP addresses are in a VLan. So far, I have IP's of permitted users (network admins), IP's of XMC/NAC servers, deny everybody else. Because these switches have EAP enabled ports, I think I also need to permit IP's of DHCP servers. We are a Windows shop, so do I also need IP's of Active domain controllers/DNS servers?
2. I'm also trying to limit access to VSP switches, also using ACL's. These have CLIP addresses, and are not part of a VLan. Here are the first few lines of a regular inVlan ACL (in docs that I have seen so far).
filter acl 10 type invlan name "Limit access to VSP"
filter acl vlan 10 <vlan number>
filter acl ace 10 10 ...
Since the CLIP addresses are not part of a VLan, should I skip the 2nd line? Or leave it in with a dummy vlan number?
3. Finally, is there some good documentation on VOSS ACL's? I'm aware of https://download.avaya.com/css/public/documents/101008810, but wondering if there is an updated version? Or is there an Extreme/other course about this?
Thanks for any help.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-13-2022 03:06 AM
Yes, I also tested it. So, thinking about this again, if the access-policy "http" protocol allows or denies both of http & https at the same time, then this means that it does actually work for https. So the question now is whether there is any value in using access-policies to allow some users to access the web interface with HTTP and other users with HTTPS. And I don't quite see a use case for that. You probably want allow http/https, as you can do today, and then simply set the web-server to only operate with HTTPS. Why change the existing behaviour ?
Note that RESTCONF is using a different HTTP stack internally, hence the use of a different 8080 port number. So we would probably simply add "restconf" as another option under access-policies.
Note that RESTCONF is using a different HTTP stack internally, hence the use of a different 8080 port number. So we would probably simply add "restconf" as another option under access-policies.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-11-2022 03:33 PM
It appears (with early limited testing) that blocking HTTPS is done with HTTP. In other words, by denying/permitting HTTP, HTTPS is also denied/permitted. But it would be nice to have it explicitly shown.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-11-2022 09:27 AM
Raised with product management the fact that we are missing https in access-policies at the moment. As this is an easy change, it looks like this will be added in a future release.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Get Direct Link
- Report Inappropriate Content
05-04-2022 05:38 PM
Did some digging and experimentation. access-policy will do great, except...
There are 5 services/ports that a VSP switch has open (according to nmap). 4 of them are listed in the access-policy to permit/deny. The missing one is https. So to limit access to a VSP switch, when I can't stop https:, is lacking. The only VSP commands I see are:
web-server enable
no web-server secure-only
We can limit http using access-policy, but not https. The only option is to disable web-server totally, but it is nice to use EDM, which requires web-server 🙂
Any thoughts???
Thanks.
There are 5 services/ports that a VSP switch has open (according to nmap). 4 of them are listed in the access-policy to permit/deny. The missing one is https. So to limit access to a VSP switch, when I can't stop https:, is lacking. The only VSP commands I see are:
web-server enable
no web-server secure-only
We can limit http using access-policy, but not https. The only option is to disable web-server totally, but it is nice to use EDM, which requires web-server 🙂
Any thoughts???
Thanks.
