April 25th, 2023 23:00

ACL on DELL N3000 Series VLAN/Access Ports

Hello,

we are using a DELL N3024 for inter VLAN routing. To prevent unauthorized access between VLANs we have a couple of ACLs attached to the VLANs (ingress). The member switches (DELL N1100 and N1500 series, only used as access switches) are linked directly to the router (by VLAN trunks) and are only layer 2 switches. They are tagging the attached edge devices with the correct VLAN ID.

So far so good, everything seems to be working fine. The ACLs are working as desired. Any packet coming through the trunks is checked against the appropriate ACL.

Now, we also have some ports directly on the routing switch defined as access ports to a specific VLAN. On these ports there is no ACL attached directly to the port. (The ACLs are attached to the VLANs.)

Now my question:

It seems that all traffic through these access ports (directly on the router) is NOT checked against the ACLs of the VLAN ID of the port and is forwarded directly to the routing engine. But in my understanding the traffic comes in through the port (ingress), enters the VLAN at the port, and should be checked (but it seems not to be).

Would you please be so kind as to check whether this behaviour is normal?

What do I have to do to get the ACLs working on the access ports of the routing switch? Different port configuration (access/general/trunk)?

Best Regards,

Florian

Moderator

April 26th, 2023 08:00

Hello,

I'll do some research on it. In the meantime, since it depends on how the ports are configured, could you please share the config?

Thanks

Moderator

April 26th, 2023 10:00

The problem could be that the access ports carry untagged traffic, so it doesn't check the VLAN ACL. Try to create a port-level ACL for the access ports; that should resolve it.

April 26th, 2023 22:00

Hello,

as I wrote in the beginning, the ports are tagged.

Here are some parts of the switch configuration:

Interface:

interface vlan 2200
ip address 10.186.160.10 255.255.224.0
ip helper-address 10.185.16.128
ip access-group INTERNETONLY in 1
exit

Port:

interface Gi1/0/5
service-policy in DiffServ
description "MacMini"
switchport access vlan 2200
lldp tlv-select system-description system-capabilities
lldp notification
exit

Traffic that is normally denied by the ACL (and confirmed) is switched on this port, somehow not checked against the ACL.

On a trunk port on the same switch (connected to an access switch where tagging is done on the access switch) the ACL works.

Later today, I will try to change the port to general or trunk to see if the ACLs will be used.

Of course, I can try to use port level ACLs, but this is not the way I want to deal with hundreds of ports in our network.


Florian

Moderator

April 26th, 2023 23:00

Hi Florian, thanks for the information. I wanted to add an article to this post for the community. You might already be aware of it, but if not, please also check this article: How to configure IP ACL in DELL Networking N-Series Switches | Dell UK

May 4th, 2023 07:00

That is what is happening to me also. Have you figured it out yet? If yes, then let me know, thank you.

May 7th, 2023 22:00

Hello,

no, I haven't found a solution yet (but I haven't really investigated up to now due to lack of time). My feeling is that somebody from DELL should reply. I'm waiting for a reply from Marco B.

It's very hard to get an official answer from DELL, sorry for saying this.

Florian

May 8th, 2023 10:00

Hello Marco,

Unfortunately I'm remote and can't access the switch physically. Maybe I can do it in a few days.

Your proposal is to mirror the port and check if the traffic on the mirrored port is tagged? Or how shall I check if the switch is tagging correctly? I am also not sure if the mirrored port will show exactly the incoming traffic or the traffic after tagging.

Do you really think this general feature is malfunctioning? For what else do we have a port tagging on a DELL switch?

Anyway, let me know how to perform the test for tagging. I can handle wireshark quite well.

Firmware is up to date.

Regards

Florian

Moderator

May 8th, 2023 10:00

Hello,

please can you try the suggested steps?

Try to use wireshark and see if the ports are tagging the traffic. I am not sure that the access port is tagging the traffic just that all untagged traffic is on that vlan.

Can you check also that the firmware version on the switches is up to date?

Thanks

Moderator

May 8th, 2023 13:00

Hello BeiDerArbeit,

Have you checked your policy-map to specify in or out?

• policyname— Specifies the DiffServ policy name as a unique case sensitive alphanumeric string of characters. (Range: 1–31 alphanumeric characters.)

• in—The policy is applied on ingress. Must be specified to create new DiffServ policies. An existing policy can be selected without specifying “in” or “out”.

• out—The policy is applied on egress. Either “in” or “out” must be specified to create a new DiffServ policy. An existing policy may be selected without the “in” or “out” parameter

Page 767

https://dell.to/3IdFAjd

I'll check with Marco about the testing he suggested.

May 9th, 2023 00:00

Hello Charles,

Thank you for checking with Marco.

In fact, your hint checking the policy-map was a step in the right direction. We have enabled the DiffServ policy on all ports (ingress). If I remove the DiffServ policy from this port the ACLs are applied and the ingress traffic is filtered.

Adding the policy again, the traffic obviously bypasses the ACLs.

------------------------------------------------

DiffServ Configuration:

class-map match-all AnyIPv4
match any
exit
policy-map DiffServ in
class AnyIPv4
exit

------------------------------------------------

In my understanding, moving/sorting traffic in different queues should not bypass ingress ACLs.

What do you think, is this correct behaviour?

Regards

Florian
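Added example, not code from the thread or from Dell: a Python audit check over a running-config text that flags the combination Florian describes, an access port with an ingress service-policy whose VLAN interface carries an ingress ACL. The sample config is constructed from the snippets posted above (Gi1/0/6 is an added control port), and the bypass the check reports is what this thread observed on the N3024, not a documented behaviour.

```python
import re

# Constructed sample config modelled on this thread's snippets; Gi1/0/6 is a control.
SAMPLE_CONFIG = """\
interface vlan 2200
ip access-group INTERNETONLY in 1
exit
interface Gi1/0/5
service-policy in DiffServ
switchport access vlan 2200
exit
interface Gi1/0/6
switchport access vlan 2200
exit
"""

def parse_interfaces(config):
    """Return {interface name (lower-case): [lines]} for each interface...exit block."""
    blocks, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface\s+(.+)$", line, re.I)
        if m:
            current = m.group(1).lower()
            blocks[current] = []
        elif line.lower() == "exit":
            current = None
        elif current is not None:
            blocks[current].append(line)
    return blocks

def find_bypass_candidates(config):
    """Ports with an ingress service-policy whose access VLAN has an ingress ACL (the thread's bypass case)."""
    blocks = parse_interfaces(config)
    vlan_acl = {}  # VLAN id -> name of the ingress ACL on its VLAN interface
    for name, lines in blocks.items():
        v = re.match(r"vlan\s+(\d+)$", name)
        for line in lines:
            a = re.match(r"ip access-group\s+(\S+)\s+in\b", line, re.I)
            if v and a:
                vlan_acl[int(v.group(1))] = a.group(1)
    findings = []
    for name, lines in blocks.items():
        pol = acc = None
        for line in lines:
            p = re.match(r"service-policy\s+in\s+(\S+)", line, re.I)
            s = re.match(r"switchport access vlan\s+(\d+)", line, re.I)
            pol, acc = (p.group(1) if p else pol), (int(s.group(1)) if s else acc)
        if pol and acc in vlan_acl:  # ingress policy on a port whose VLAN has an ACL
            findings.append((name, acc, pol, vlan_acl[acc]))
    return findings
```

Run it over `show running-config` output to list every port that needs either the policy removed or a port-level ACL added, as discussed earlier in the thread.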

Moderator

May 9th, 2023 09:00

I don't think changing queues will do it; please check this thread, which may help:

Solved: Policy Based Routing on N3000 Series - Page 2 - Dell Community

Thanks

May 10th, 2023 03:00

Hello Marco and Charles,

Thank you for your reply. The link you mentioned explains a different problem: Policy Based Routing can't be used in combination with ACLs -> you have to include the ACLs in the PBR. By the way, I started that topic. However, PBR is not used on the switch I discuss here.

Once again, I would like to know if the behavior of the switch is correct:

Ingress DiffServ on a VLAN tagged port (access port with VLAN) in combination with ingress VLAN ACLs (ACL is attached to the VLAN interface) results in bypassing the VLAN ACLs.

Please try to get an official answer as soon as possible, it is a security issue in our settings. In addition, I need to know how to fix this or I would need a workaround for this.

Regards

Florian

Moderator

May 10th, 2023 05:00

Hello, 

is the switch still under warranty? If so, you can try to call our technical support to better analyze the issue and logs. You should also know that if the issue is related to the configuration, you need to buy a configuration ticket, and our network specialist can help you fine-tune your infrastructure and help you with the right configuration of the VLANs.

Thanks
