Dell N2048 Switch and IP ACL - I just killed part of my network...

Jimmy9008

Hey folks,

I'm setting up ACL on Dell N2048 switch.
I have host hooked up to te1 (10 GbE Interface 1). That host has a VM. The VM has IP 192.168.2.41/24.

We have another server 192.168.2.117/24. This connects to the N2048 via one of the 1GbE interfaces.

I setup the ACL rule based on IP, and applied to te1 as below:

Looks simple enough to me. Source 2.117, deny, destination 2.41, on te1...

Yet, upon applying the rule... all VMs sitting on the host plugged in to te1 become unavailable to all devices on the LAN, not just 2.117. Removal of the rule restored access instantly. So yah, killed part of my live network - but, I cannot see why. The screenshot looks simple enough but I must be missing something.

In the documentation 0.0.0.255 should be used for /24.

So, what am I missing?

Ta,
Jim

Jimmy9008

This is the rule, applying the rule to te1 is done on a different page. But is literally selecting the interface and the rule, and clicking apply. So wont bother with that image.

dafyre

What happens if you choose the "HOST" option instead of IP and Mask? The Wildcard Mask you are using says "everything on this subnet" if I remember right.

Jimmy9008

I actually have not tried yet and wanted to do some research first before killing production again

Jimmy9008

So, select host only, and use the machine FQDNs?

dafyre

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

I would use the IP addresses.

EddieJennings

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Jimmy9008

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

Yep, will do. I shall move critical VMs to the te2 and then try.

Jimmy9008

@EddieJennings

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Can ip be used with host selected, but mask left empty you think?

dafyre

If you pick host, I think Wildcard Mask may not even be used.

Jimmy9008

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@EddieJennings

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Can ip be used with host selected, but mask left empty you think?

With host selected, wild card is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

EddieJennings

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@EddieJennings

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Can ip be used with host selected, but mask left empty you think?

With host selected, wild card is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

That makes sense as the wildcard would be 0.0.0.0.

dafyre

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@EddieJennings

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Can ip be used with host selected, but mask left empty you think?

With host selected, wild card is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

That's probably the option you are looking for then.

*puts on a dang helmet and hides under desk.*

Ready when you are!

Jimmy9008

@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@EddieJennings

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Can ip be used with host selected, but mask left empty you think?

With host selected, wild card is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

That's probably the option you are looking for then.

*puts on a dang helmet and hides under desk.*

Ready when you are!

Have to move some critical VMs off of that interface before trying again first.
With the N2048's, does deny take precedence over allow?

For example, can I deny range 192.168.2.60 - 80 first. Then next following rule allow 192.168.2.69 only? Or would deny stick?

dafyre

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@EddieJennings

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

So, select host only, and use the machine FQDNs?

And you'll probably have to change the wildcard mask to match all parts of the IP of the host.

Can ip be used with host selected, but mask left empty you think?

With host selected, wild card is defaulted to 0.0.0.0 and disabled. So cannot edit that anyway with host selected.

That's probably the option you are looking for then.

*puts on a dang helmet and hides under desk.*

Ready when you are!

Have to move some critical VMs off of that interface before trying again first.
With the N2048's, does deny take precedence over allow?

For example, can I deny range 192.168.2.60 - 80 first. Then next following rule allow 192.168.2.69 only? Or would deny stick?

That I'm not sure about.

IIRC, on Cisco and HP devices, it's allow and then deny. It's been a while since I've had to test that theory though, so don't quote me on it.

EddieJennings

I thought it was the order of the ACLs (at least on Cisco stuff). Once there is a match, everything else is ignored.

dafyre

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

I thought it was the order of the ACLs (at least on Cisco stuff). Once there is a match, everything else is ignored.

I think you may well be right. But like I said above -- it has been a while for me.

Best I can tell @Jimmy9008 is to try it and let us know what happens, ha ha ha.

Jimmy9008

Once the critical VMs are moved, I shall have a play and see.

Jimmy9008

@dafyre

@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:

I thought it was the order of the ACLs (at least on Cisco stuff). Once there is a match, everything else is ignored.

I think you may well be right. But like I said above -- it has been a while for me.

Best I can tell @Jimmy9008 is to try it and let us know what happens, ha ha ha.

Jimmy9008

So... VMs moved. Rule applied based only on host.... and 3... 2... 1... still brought down everything trying to connect to anything on te1... current rule:

Ideas? Must be missing something obvious. Or is the dell firmware buggered!