ACL not working properly on 6860

alcashite
Member
Posts: 12
Joined: 18 Apr 2017 03:53

ACL not working properly on 6860

Post by alcashite »

I am trying to enable a template ACL we have been using across our 6450 switches on our 6860 and it seems to be producing some strange results. The syntax is the same as the 6450 switches yet adding the same commands seems to kill DHCP even though our ACL explicitly includes the IP address of our DHCP servers.

Our config is


policy network group Servers <IP ranges + specific IPs of our DHCP/DNS servers>

policy condition Server-Access-allow source vlan 1040 destination network group Servers
policy condition Server-Access-deny source vlan 1040 destination ip Any

policy action Allow
policy action Deny disposition drop

policy rule Server-Access1 precedence 20 condition Server-Access-allow action Allow
policy rule Server-Access2 precedence 19 condition Server-Access-deny action Deny

qos apply

The IP range for VLAN 1040 is included in the network group Servers, as this group contains some /17 networks for various sites that we want to allow communication to.

Without the deny enabled I plug in a test PC to VLAN 1040 and get an IP address as expected. Once I enable the deny rule and release and renew my address the PC fails to get an IP. If I set the IP statically on the PC I get connectivity as expected and can access only the address range specified in our Servers network group range including our DHCP and DNS server.

Wireshark packet capture on a PC plugged into the port with the deny enabled shows only the DHCP requests going out of the PC and no other traffic. Our DHCP server is on another layer 3 and we are using IP helper to forward the request. The exact same config works fine on 6450.

Any ideas? Has the behaviour of ACLs on 6860s/AOS 8 changed?

Cheers
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: ACL not working properly on 6860

Post by silvio »

DHCP traffic is an L3 broadcast. The destination IP is 255.255.255.255, so your deny condition is matching it, but not the allow condition.
So you can try to create one more allow condition with this destination IP (and higher precedence), or better, use the DHCP ports (67/68) within your condition.
I think the 6450 is working as an L2 switch. So maybe it is checking this, but I am not sure about this.
regards
Silvio
alcashite
Member
Posts: 12
Joined: 18 Apr 2017 03:53

Re: ACL not working properly on 6860

Post by alcashite »

Thank you, it was correct. Added below:

destination ip 255.255.255.255 destination udp-port 67-68

and it works fine. Must be the difference between a 6450 just being L2 with basic L3 and a full, proper L3 switch.

You are the Alcatel Guru!
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: ACL not working properly on 6860

Post by silvio »

:)
tsastre
Member
Posts: 8
Joined: 10 Aug 2009 03:11

Re: ACL not working properly on 6860

Post by tsastre »

I have a similar problem.
A configuration that is working on 6850E switches is not working on a 6860E switch. I want hosts on the 172.28.139.0/24 network to have internet access but no access to the internal network, except for the internal DNS servers on the 172.28.0.0/16 network.

My configuration is:


policy service dns1 destination tcp-port 53
policy service dns2 destination udp-port 53
policy service group dns_ports dns1 dns2

policy network group INTERNAL 172.28.0.0 mask 255.255.0.0
policy network group EXTERNAL 172.28.139.0 mask 255.255.255.0
policy network group DNS_SERVERS <DNS servers IP addresses>

policy condition INTERNET_ONLY source network group EXTERNAL destination network group INTERNAL
policy condition DNS_request destination network group DNS_SERVERS service group dns_ports

policy action DENY disposition drop
policy action ALLOW

policy rule DNS_rule precedence 301 condition DNS_request action ALLOW
policy rule EXTERNAL condition INTERNET_ONLY action DENY
qos apply

My problem is that hosts on the 172.28.139.0/24 network have all traffic denied (to the internal network and to the internet). If I delete the "policy rule EXTERNAL condition INTERNET_ONLY action DENY" rule, they have access to the internal network and the internet.

Any ideas or help?

Regards,
Teresa
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: ACL not working properly on 6860

Post by silvio »

Here I can't find any explanation. Within the used condition you have a source and a destination L3 condition.
So you have to check which other (necessary) packets do match this deny policy. For this you can add the option "log" to the rule.
After that you can check all the matched packets with "show qos log".
Did you check that the DNS rule is working (e.g. is a ping to an external IP also not possible)?
regards
Silvio
tsastre
Member
Posts: 8
Joined: 10 Aug 2009 03:11

Re: ACL not working properly on 6860

Post by tsastre »

Hi Silvio,
Thank you for your response. This morning I added the log option to the rule and I saw denied traffic from hosts to their GW (172.28.139.1) and to the broadcast MAC address. This IP is the switch interface IP address. I allowed that traffic and after that I saw denied traffic from the switch to the hosts. Finally I added an allow rule for traffic from EXTERNAL to EXTERNAL and now it works. Something related to ACLs has changed in AOS 8.

Regards,
Teresa
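The two cases in this thread share one root cause: a deny condition that matches more than the author intended, while the allow condition sitting above it does not cover the same packets. The script below is an added example (not Alcatel-Lucent code and not anything posted in this thread) that models AOS-style policy rules as a highest-precedence-first, first-match list and evaluates a few constructed packets against both configurations. It assumes that a rule configured without an explicit precedence gets precedence 0, and the IP addresses for the Servers group, the DHCP server and the DNS server are constructed stand-ins, since the thread only shows placeholders for them. It reproduces the DHCP DISCOVER (destination 255.255.255.255) being caught by alcashite's "destination ip Any" deny and then passed by the added 255.255.255.255 / udp 67-68 allow, and it shows that the gateway 172.28.139.1 in Teresa's case lies inside the INTERNAL group 172.28.0.0/16, so host-to-gateway traffic hits the EXTERNAL deny until an EXTERNAL-to-EXTERNAL allow with higher precedence is added.

```python
"""Toy evaluator for AOS-style QoS policy rules (constructed example).

Model: rules are tried from highest to lowest precedence; the first rule
whose condition matches decides the packet's fate. Network groups are
lists of CIDR strings, services are (proto, low_port, high_port) tuples.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "ip"          # "udp", "tcp", "icmp", ...
    dport: Optional[int] = None
    vlan: Optional[int] = None


def in_group(addr: str, group: List[str]) -> bool:
    """True if addr falls inside any CIDR of the network group."""
    return any(ip_address(addr) in ip_network(net) for net in group)


@dataclass
class Condition:
    src_vlan: Optional[int] = None
    src_group: Optional[List[str]] = None
    dst_group: Optional[List[str]] = None   # None means "destination ip Any"
    services: Optional[List[Tuple[str, int, int]]] = None

    def matches(self, pkt: Packet) -> bool:
        if self.src_vlan is not None and pkt.vlan != self.src_vlan:
            return False
        if self.src_group is not None and not in_group(pkt.src, self.src_group):
            return False
        if self.dst_group is not None and not in_group(pkt.dst, self.dst_group):
            return False
        if self.services is not None and not any(
            pkt.proto == proto and pkt.dport is not None and lo <= pkt.dport <= hi
            for proto, lo, hi in self.services
        ):
            return False
        return True


@dataclass
class Rule:
    name: str
    precedence: int
    condition: Condition
    action: str   # "allow" or "drop"


def evaluate(rules: List[Rule], pkt: Packet, default: str = "allow") -> Tuple[str, str]:
    """Return (rule name, action) of the first matching rule, highest precedence first."""
    for rule in sorted(rules, key=lambda r: r.precedence, reverse=True):
        if rule.condition.matches(pkt):
            return rule.name, rule.action
    return "default", default


# --- Case 1: VLAN 1040 and DHCP (IP ranges are constructed stand-ins) ---
SERVERS = ["10.40.0.0/17", "10.50.0.10/32"]   # assumed contents of the Servers group
DHCP_DISCOVER = Packet("0.0.0.0", "255.255.255.255", "udp", 67, vlan=1040)
DHCP_UNICAST = Packet("10.40.20.5", "10.40.5.10", "udp", 67, vlan=1040)  # renewal to the server


def vlan1040_rules(with_dhcp_fix: bool) -> List[Rule]:
    rules = [
        Rule("Server-Access1", 20, Condition(src_vlan=1040, dst_group=SERVERS), "allow"),
        Rule("Server-Access2", 19, Condition(src_vlan=1040), "drop"),  # destination ip Any
    ]
    if with_dhcp_fix:   # the extra allow from the thread: 255.255.255.255, udp 67-68
        rules.append(Rule("Server-Access3", 21, Condition(
            src_vlan=1040, dst_group=["255.255.255.255/32"],
            services=[("udp", 67, 68)]), "allow"))
    return rules


# --- Case 2: EXTERNAL hosts vs INTERNAL (DNS server IP is constructed) ---
INTERNAL, EXTERNAL, DNS_SERVERS = ["172.28.0.0/16"], ["172.28.139.0/24"], ["172.28.1.53/32"]
DNS_PORTS = [("tcp", 53, 53), ("udp", 53, 53)]
HOST_TO_GW = Packet("172.28.139.20", "172.28.139.1", "icmp")
HOST_TO_DNS = Packet("172.28.139.20", "172.28.1.53", "udp", 53)
HOST_TO_INTERNET = Packet("172.28.139.20", "93.184.216.34", "tcp", 443)


def external_rules(with_gateway_fix: bool) -> List[Rule]:
    rules = [
        Rule("DNS_rule", 301, Condition(dst_group=DNS_SERVERS, services=DNS_PORTS), "allow"),
        Rule("EXTERNAL", 0, Condition(src_group=EXTERNAL, dst_group=INTERNAL), "drop"),
    ]
    if with_gateway_fix:   # Teresa's EXTERNAL-to-EXTERNAL allow, assumed higher precedence
        rules.append(Rule("EXT_to_EXT", 302, Condition(src_group=EXTERNAL, dst_group=EXTERNAL), "allow"))
    return rules


if __name__ == "__main__":
    for fix in (False, True):
        print("DHCP discover, fix=%s:" % fix, evaluate(vlan1040_rules(fix), DHCP_DISCOVER))
        print("host->gateway, fix=%s:" % fix, evaluate(external_rules(fix), HOST_TO_GW))
    print("host->DNS:", evaluate(external_rules(False), HOST_TO_DNS))
    print("host->internet:", evaluate(external_rules(False), HOST_TO_INTERNET))
```

Running it prints the deciding rule for each packet; the useful check for a real deployment is the same one silvio suggests, enabling "log" on the deny rule and reading "show qos log", which reveals exactly the packets the model flags here: the broadcast DISCOVER in case 1 and the gateway traffic in case 2.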
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: ACL not working properly on 6860

Post by silvio »

Thanks for the reply/solution.
regards
Silvio