VSP and ACL's (and some XMC)

XTRMUser
Contributor
First-time poster. A few questions, but related. All VSPs are running VOSS 8.4.3.0.

1. I'm trying to limit access to some ERS switch IP addresses using ACLs. The switches' IP addresses are in a VLAN. So far, I have IPs of permitted users (network admins), IPs of XMC/NAC servers, and deny everybody else. Because these switches have EAP-enabled ports, I think I also need to permit the IPs of the DHCP servers. We are a Windows shop, so do I also need the IPs of the Active domain controllers/DNS servers?

2. I'm also trying to limit access to VSP switches, also using ACLs. These have CLIP addresses and are not part of a VLAN. Here are the first few lines of a regular inVlan ACL (from the docs I have seen so far).

filter acl 10 type invlan name "Limit access to VSP"
filter acl vlan 10 <vlan number>
filter acl ace 10 10 ...

Since the CLIP addresses are not part of a VLAN, should I skip the 2nd line? Or leave it in with a dummy VLAN number?

3. Finally, is there some good documentation on VOSS ACLs? I'm aware of https://download.avaya.com/css/public/documents/101008810, but I'm wondering if there is an updated version. Or is there an Extreme/other course about this?

Thanks for any help.

XTRMUser
Contributor
Thanks Sam and Ludovico. I'll pursue these avenues more.

Ludovico_Steven
Extreme Employee
For (2), if you are trying to limit management access to the VSP, you should be looking at the access-policy configuration, rather than ACLs.

SamPirok
Community Manager
Hey there, thanks for your patience while we looked into this. I would recommend checking out the Traffic Filtering section of the VOSS User Guide for help with 2 and 3.

8.6 VOSS User Guide
8.4 VOSS User Guide

XTRMUser
Contributor
In response to #1, I went about solving this the other way. After the IPs of permitted users and XMC/NAC, I'm blocking ports 21, 22, 23, 80, 443 and UDP 161. This allows regular EAP traffic but blocks control access to the switches (which is what I'm after). Unless I missed a port.

I still don't know what to do about #2 and #3. Any help is appreciated.
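As an added example (not from the thread or from VOSS itself), the rule set described in the post above modelled as a first-match policy in plain Python, so the "did I miss a port" question can be checked against sample flows before the ACL is deployed. All addresses, the switch VLAN prefix and the sample flows are constructed placeholders; note that EAPOL is a layer-2 protocol, so an IP ACL never sees it, and only IP flows toward the switch addresses (DHCP, RADIUS to NAC, DNS) matter here.

```python
# Added example: first-match model of "permit admins, permit XMC/NAC,
# deny management ports to the ERS VLAN, permit the rest". This is a plain
# Python simulation, not VOSS CLI syntax. Values are constructed placeholders.
from ipaddress import ip_address, ip_network

MGMT_VLAN = ip_network("192.0.2.0/24")            # constructed: ERS switch IPs
ADMIN_IPS = {ip_address("198.51.100.10")}          # constructed: network admins
NAC_IPS = {ip_address("198.51.100.20")}            # constructed: XMC/NAC servers
# Ports blocked in the post: FTP, SSH, Telnet, HTTP, HTTPS and SNMP.
MGMT_PORTS = {("tcp", p) for p in (21, 22, 23, 80, 443)} | {("udp", 161)}


def evaluate(src, dst, proto, dport):
    """Return 'permit' or 'deny' for one flow; the first matching rule wins."""
    src, dst = ip_address(src), ip_address(dst)
    if dst not in MGMT_VLAN:
        return "permit"              # ACL only guards the switch VLAN
    if src in ADMIN_IPS or src in NAC_IPS:
        return "permit"              # trusted sources may manage the switches
    if (proto, dport) in MGMT_PORTS:
        return "deny"                # management protocols from anyone else
    return "permit"                  # default: DHCP, RADIUS, DNS and so on


# Constructed sample flows: (description, src, dst, proto, dport).
SAMPLE_FLOWS = [
    ("admin ssh", "198.51.100.10", "192.0.2.10", "tcp", 22),
    ("user ssh", "203.0.113.5", "192.0.2.10", "tcp", 22),
    ("user snmp", "203.0.113.5", "192.0.2.10", "udp", 161),
    ("dhcp offer to switch", "198.51.100.30", "192.0.2.10", "udp", 68),
    ("radius reply from nac", "198.51.100.20", "192.0.2.10", "udp", 1812),
    ("user https alt port", "203.0.113.5", "192.0.2.10", "tcp", 8443),
]


def report(flows=SAMPLE_FLOWS):
    """Map each flow description to its verdict; use it to spot gaps."""
    return {desc: evaluate(s, d, p, port) for desc, s, d, p, port in flows}


if __name__ == "__main__":
    for desc, verdict in report().items():
        print(f"{desc:24} {verdict}")
```

A flow that comes back "permit" for an untrusted source on a port you did not list (the 8443 sample above) is exactly the kind of gap the simulation is meant to surface.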