Ethernet Switches & Routers

Occasional Contributor
Posts: 5
Registered: ‎01-26-2011
Accepted Solution

ACL not allowing DNS

I'm having issues with an ACL not allowing DNS lookups. DHCP works, but DNS does not. We also use split-brain DNS, both private and public DNS servers, for things to work correctly. The ACL is applied to the VE interface; in this case it is VE 74, and that is where my guest Wi-Fi devices live.

access-list 122 deny ip any 10.10.50.0 0.0.0.255
access-list 122 deny ip any 10.10.60.0 0.0.0.255
access-list 122 deny ip any 10.10.70.0 0.0.0.255
access-list 122 deny ip any 10.10.72.0 0.0.0.255
access-list 122 deny ip any 10.10.76.0 0.0.0.255
access-list 122 deny ip any 10.10.90.0 0.0.0.255
access-list 122 deny ip any 10.10.210.0 0.0.0.255
access-list 122 deny ip any 10.20.210.0 0.0.0.255
access-list 122 deny ip any 10.10.15.0 0.0.0.255
access-list 122 deny ip any 10.20.15.0 0.0.0.255
access-list 122 permit udp any any eq bootps
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 permit ip any any

I can't figure out why the lines in red are not working as I think they should. I have tried using "any any" instead of specifying the host.

Thoughts or suggestions? 

Thanks,

Kenny

Brocade Moderator
Posts: 236
Registered: ‎06-30-2010

Re: ACL not allowing DNS

Hi Kenny,

It appears to me that the first line of your ACL

access-list 122 deny ip any 10.10.50.0 0.0.0.255

would deny access to your DNS hosts 10.10.50.118 and 10.10.50.125, as the ACL is processed from the beginning and, once a match is reached, no further lines are processed.

This line would have to be after the DNS permits, e.g.

access-list 122 permit udp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 deny ip any 10.10.50.0 0.0.0.255

Regards

Mick


If my response has solved your query please click the "Accept as Solution" button.

Any and all information provided by me is not reviewed, approved or endorsed by Brocade and is provided solely as a convenience for Brocade customers.

All systems and all networks are different and unique. If you have a service affecting network problem, please open a TAC service request for service through Brocade, or through your OEM equipment provider.
Occasional Contributor
Posts: 5
Registered: ‎01-26-2011

Re: ACL not allowing DNS

HAHA!  Thanks for pointing out the rookie mistake.   It worked!

Brocade Moderator
Posts: 236
Registered: ‎06-30-2010

Re: ACL not allowing DNS

Hi Kenny,

It happens to us all.

Glad it worked; would you mind marking this as solved?

Best regards

Mick

Frequent Contributor
Posts: 124
Registered: ‎07-20-2015

Re: ACL not allowing DNS

For the general purpose of traffic control, there are two (2) types of access lists.

Those that allow only certain things:

<Permit this>
<Permit that>
<Implicit Deny All>

and those that deny specific things:

<Deny this>
<Deny that>
<Explicit Permit All>
<Implicit Deny All>

As you already know, there is an implicit deny at the end, hence you put in an <Explicit Permit All>.

Looking at your ACL you have:

<Deny this>
<Deny that>
<Permit this>
<Permit that>
<Explicit Permit All>
<Implicit Deny All>

Essentially, it is not logical to me. For example, these statements:

access-list 122 permit udp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 permit ip any any

You may as well consolidate to:

access-list 122 permit ip any any

The only other reason to leave all those entries is if you are watching the access-list counters.

I guess what I am saying is you should do your permits first:

access-list 122 permit udp any any eq bootps
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.125 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.125 eq dns

access-list 122 deny ip any 10.10.50.0 0.0.0.255
access-list 122 deny ip any 10.10.60.0 0.0.0.255
access-list 122 deny ip any 10.10.70.0 0.0.0.255
access-list 122 deny ip any 10.10.72.0 0.0.0.255
access-list 122 deny ip any 10.10.76.0 0.0.0.255
access-list 122 deny ip any 10.10.90.0 0.0.0.255
access-list 122 deny ip any 10.10.210.0 0.0.0.255
access-list 122 deny ip any 10.20.210.0 0.0.0.255
access-list 122 deny ip any 10.10.15.0 0.0.0.255
access-list 122 deny ip any 10.20.15.0 0.0.0.255

access-list 122 permit ip any any


Occasional Contributor
Posts: 5
Registered: ‎01-26-2011

Re: ACL not allowing DNS

I have already accepted the solution, and that was because the order of things was my basic issue. However, I do understand what you are saying, and it does clean up the solution somewhat. This was my first attempt at an ACL, so there was a learning curve for a rookie. This whole requirement came out of not allowing BYOD devices connecting to our network the ability to do anything but check e-mail and go to the internet.

Thanks for your added input, as I found it very useful also.

 

 

Frequent Contributor
Posts: 124
Registered: ‎07-20-2015

Re: ACL not allowing DNS

Good to hear. It might be easier to just block all the RFC 1918 private networks (10.x.x.x, 172.16.x.x - 172.31.x.x, 192.168.x.x), with the exception that the BYOD folks probably need access to your internal DHCP and DNS.

Something like this might be more along the lines of what you are looking to do, and a bit more future-proof:

permit udp any any eq dns
permit udp any any eq 67
permit udp any any eq 68
deny ip any 10.0.0.0/8
deny ip any 172.16.0.0/12
deny ip any 192.168.0.0/16
permit tcp any any eq http
permit tcp any any eq https

If the guests are all from 10.10.74.0/24 then you could make it:

permit udp 10.10.74.0/24 any eq dns
permit udp 10.10.74.0/24 any eq 67
permit udp 10.10.74.0/24 any eq 68
deny ip 10.10.74.0/24 10.0.0.0/8
deny ip 10.10.74.0/24 172.16.0.0/12
deny ip 10.10.74.0/24 192.168.0.0/16
permit tcp 10.10.74.0/24 any eq http
permit tcp 10.10.74.0/24 any eq https
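Added example (editor's code, not posted by anyone in this thread and not Brocade's ACL engine): a small first-match simulator in Python that parses ACL lines in the syntax used above (wildcard masks, /NN prefixes, host, any, named ports) and runs constructed packets through three of the lists in the thread: the ACL as Kenny first posted it, the permits-first rewrite, and the subnet-scoped RFC 1918 list from the last post. It makes Mick's point concrete (the first matching line decides, so deny ip any 10.10.50.0 0.0.0.255 swallows DNS before the permits are ever reached) and also surfaces two things about the last list that the thread does not discuss: a DHCPDISCOVER sourced from 0.0.0.0 matches none of its 10.10.74.0/24-scoped lines and falls to the implicit deny, and TCP/53 and IMAPS are dropped because nothing permits them. Whether a given platform exempts that kind of control traffic from an interface ACL is not settled by this thread; the simulator only applies the rule text. The guest address 10.10.74.20, the 203.0.113.x external hosts, the port-name table and the abbreviated copies of the ACLs are assumptions made for the demonstration.

```python
"""First-match simulator for the extended ACLs posted in this thread (added example, not
Brocade code). It parses the lines as written and evaluates constructed packets top-down,
stopping at the first match and falling through to the implicit deny at the end."""
import ipaddress
from collections import namedtuple

# Assumed mapping of the port names used in the thread to their well-known numbers.
PORT_NAMES = {"dns": 53, "bootps": 67, "bootpc": 68, "http": 80, "https": 443}
ANY = ipaddress.ip_network("0.0.0.0/0")

Packet = namedtuple("Packet", "proto src dst dport sport")          # proto: "udp" or "tcp"
Rule = namedtuple("Rule", "action proto src sport dst dport text")  # proto: "ip", "udp" or "tcp"


def _parse_addr(tok, i):
    """Parse 'any', 'host A.B.C.D', 'A.B.C.D/NN' or 'A.B.C.D W.W.W.W' (wildcard mask)."""
    if tok[i] == "any":
        return ANY, i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    if "/" in tok[i]:
        return ipaddress.ip_network(tok[i], strict=False), i + 1
    if i + 1 < len(tok) and tok[i + 1].count(".") == 3:            # address + wildcard mask
        # ipaddress accepts a hostmask (wildcard) in place of a prefix length
        return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2
    return ipaddress.ip_network(tok[i] + "/32"), i + 1


def _parse_port(tok, i):
    """Parse an optional 'eq <name|number>'; 'eq' is the only port operator in the thread."""
    if i < len(tok) and tok[i] == "eq":
        return PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1]), i + 2
    return None, i


def parse_acl(text):
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()
        if tok[0] == "access-list":          # drop the 'access-list <number>' prefix
            tok = tok[2:]
        src, i = _parse_addr(tok, 2)
        sport, i = _parse_port(tok, i)
        dst, i = _parse_addr(tok, i)
        dport, i = _parse_port(tok, i)
        rules.append(Rule(tok[0], tok[1], src, sport, dst, dport, line.strip()))
    return rules


def evaluate(rules, pkt):
    """Return (action, line) for the first matching line; no match means implicit deny."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and s in r.src and d in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)):
            return r.action, r.text
    return "deny", "<implicit deny>"


# Abbreviated copies of three lists from the thread; only lines needed to show the behaviour.
ACLS = {
    "as_posted": """
access-list 122 deny ip any 10.10.50.0 0.0.0.255
access-list 122 deny ip any 10.10.60.0 0.0.0.255
access-list 122 permit udp any any eq bootps
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit ip any any""",
    "permits_first": """
access-list 122 permit udp any any eq bootps
access-list 122 permit udp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 permit tcp 10.10.74.0/24 host 10.10.50.118 eq dns
access-list 122 deny ip any 10.10.50.0 0.0.0.255
access-list 122 deny ip any 10.10.60.0 0.0.0.255
access-list 122 permit ip any any""",
    "guest_rfc1918": """
permit udp 10.10.74.0/24 any eq dns
permit udp 10.10.74.0/24 any eq 67
permit udp 10.10.74.0/24 any eq 68
deny ip 10.10.74.0/24 10.0.0.0/8
deny ip 10.10.74.0/24 172.16.0.0/12
deny ip 10.10.74.0/24 192.168.0.0/16
permit tcp 10.10.74.0/24 any eq http
permit tcp 10.10.74.0/24 any eq https""",
}

# Constructed packets arriving on VE 74 from a guest device (all addresses are assumed).
PACKETS = {
    "dns_udp":   Packet("udp", "10.10.74.20", "10.10.50.118", 53, 40000),
    "dns_tcp":   Packet("tcp", "10.10.74.20", "10.10.50.118", 53, 40001),
    "dhcp_disc": Packet("udp", "0.0.0.0", "255.255.255.255", 67, 68),   # DHCPDISCOVER, no lease yet
    "smb_int":   Packet("tcp", "10.10.74.20", "10.10.60.5", 445, 40002),
    "https_ext": Packet("tcp", "10.10.74.20", "203.0.113.10", 443, 40003),
    "imaps_ext": Packet("tcp", "10.10.74.20", "203.0.113.25", 993, 40004),
}


def verdicts(acl_name):
    """Map each constructed packet to the action of the first matching line of the named ACL."""
    rules = parse_acl(ACLS[acl_name])
    return {name: evaluate(rules, pkt)[0] for name, pkt in PACKETS.items()}


if __name__ == "__main__":
    for acl in ACLS:
        print(f"{acl:14} {verdicts(acl)}")
```

Running it prints one verdict row per list; evaluate also returns the line that decided the packet's fate, which answers the "why was this dropped" question the same way the per-line ACL counters on the switch do. Extending PACKETS with whatever the guest network is actually expected to do (mail ports, captive portal, NTP) before pushing a list to the VE is a cheap way to catch an implicit-deny surprise in advance.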
