[e-nsp] Good advice on Access Control Lists on ExtremeWare (root net)

root net rootnet08 at gmail.com
Tue Apr 22 08:07:05 EDT 2014


Thanks! I will check it out and test!


On Tue, Apr 22, 2014 at 6:10 AM, "Kuba" Dawid Chrzan <
dawid.chrzan at pszczyna.net.pl> wrote:

> Hi
>
> For blocking a tcp/udp port, e.g. 21, try
>
>  create access-mask TEST precedence 101 dest-L4port
>  create access-list TESTACL access-mask test dest-L4port 21 deny
>
> It is a little bit tricky on ExtremeWare with ACLs.
> You have to set up a proper access mask list with proper precedences.
> Then set up access list rules.
>
>> Date: Mon, 21 Apr 2014 09:45:41 -0500
>> From: root net <rootnet08 at gmail.com>
>> To: Extreme NSP <extreme-nsp at puck.nether.net>
>> Subject: [e-nsp] Good advice on Access Control Lists on ExtremeWare
>>
>> Hello,
>>
>> Anyone have good advice on using ACLs on ExtremeWare, namely the BD 6808
>> MSM64i. I know it's old but have one left and never had ACLs on it just
>> used Cisco's around it. Now would like to put some security on it directly
>> as we plan to upgrade end of this year or next to ExtremeXOS supported
>> gear.
>>
>> Would like to accomplish:
>>
>> 1. BCP38
>> 2. Block a couple of ports switch-wide
>> 3. Limit telnet/ssh to switch on all IPs assigned. (With Cisco this is
>> easy)
>>
>> For example with #3 if you have layer 3 VLANs now every gateway IP has
>> access to switch via telnet/ssh. With Cisco you could apply ACL to VTY and
>> it's done.
>>
>> For example with #2 block tcp/udp 135,137,138,139,445.
>>
>> For example with #1 prevent spoofing, etc. on ingress and egress.
>>
>> Also, it would be helpful if someone could provide an example or provide
>> links to good resources.
>> I've read the reference command guide but not sure I understand correctly.
>>
>> Thanks,
>>
>> Any advice is appreciated for sure!
>
> --
> Pozdrawiam
> "Kuba" Dawid Chrzan
> pszczyna.net.pl
>
>