Dell N2048 Switch and IP ACL - I just killed part of my network...
-
@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
I thought it was the order of the ACLs (at least on Cisco stuff). Once there is a match, everything else is ignored.
I think you may well be right. But like I said above -- it has been a while for me.
Best I can tell @Jimmy9008 is to try it and let us know what happens, ha ha ha.
-
So... VMs moved. Rule applied based only on host.... and 3... 2... 1... still brought down everything trying to connect to anything on te1... current rule:
Ideas? Must be missing something obvious. Or is the dell firmware buggered!
-
@Jimmy9008 Why not turn on logging, and see if that shows you what's matching the rule.
-
@EddieJennings said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 Why not turn on logging, and see if that shows you what's matching the rule.
Logging is enabled now. But, no logs are being generated showing the dropped traffic.
-
@Jimmy9008 Is the traffic still being dropped?
-
@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 Is the traffic still being dropped?
Yep. Sadly. Should be a simple rule. Think host has to be fqdn?
-
You should have both source AND destination set to host.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 Is the traffic still being dropped?
Yep. Sadly. Should be a simple rule. Think host has to be fqdn?
I doubt it. At this level, things only care about ip addresses most likely.
-
@dafyre said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
You should have both source AND destination set to host.
They are. Both source and destination are set to host.
-
Did you turn on logging? Did it show anything? Sometimes how something is logged can give a clue as to how it's matching a rule.
-
And it's still blocking traffic to the entire subnet?
Try removing and re-adding the rule to the interface?
-
... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.
The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.
The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...
Interesting, that sounds like a good basis for security. Modern firewalls do that to. Drop all that isn't expressly allowed.
Of course you can often change that.It's the blacklist vs whitelist approach.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
... I've at least got it working. Its just, not ideal, I will contact Dell as it doesn't sound correct.
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
You have to specifically add a rule to allow something through. I have added IP for another machine on the LAN 2.x to be allowed to 2.41, and that one machine can contact 2.41.
The server 2.117 cannot, which is correct. But I cant imagine adding everything that needs access is manageable or maintainable...
Yeah. I feel like a fool for forgetting about the implicit deny.
If you wanted to allow the traffic except for the host in your rule, you'd have an allow all at the very end of the ACL. -
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?
-
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
So, turns out from the testing I've done, that once an ACL is applied to an interface, all traffic to that interface will drop. Even if no drop rules are added. Its all = deny as soon as ACL is added to te1.
Seems like that should happen. If you apply an ACL and it doesn't do that, what good is the ACL?
Agree. It works.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
-
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.
-
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@Jimmy9008 said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
@scottalanmiller said in Dell N2048 Switch and IP ACL - I just killed part of my network...:
What's the reason for adding firewalling in the middle of your network? Hostile hosts?
To lock some down, more layers = good. We have for example database server on te1. If we can deny all, but then only allow access to that server for webserver, and wsus... if any machine is compromised or what not, its somewhat restricted.
True, but since you always lock it down in that way on the devices own firewall, is a second copy of that with all of the management complexity that comes with it actually worth anything? There is a point where over the top security becomes self defeating and in this case it is completely redundant but adding a complex and difficult to control copy of something really simple and effective.
These are Windows Server VMs.
I'd rather stop any risk if I can before hitting the local windows firewall, with this additional layer for example, rather than only relying on the Microsoft one which will probably screw you over at the worst time.
How often do Microsoft updates cause issues, very... One of those issues affecting the firewall somehow, on a bad day, boom - something through. Probably wont happen, but Microsoft screw up a lot, so why not try to block that traffic before giving them a chance to mess up your day.
I'd only kick myself for not putting this layer in place if the local server firewall had a hiccup and let something through which the second layer may have prevented.
I've been thinking about it and think it will actually be simple to put in place now I know the particulars of the N2048.