
ACL rules M4300

spopuri
Aspirant

I would like to create extended ACLs to allow only DHCP and DNS from a subnet to a server.

Model: GSM4328PA|M4300-28G-PoE+ - 24x1G PoE+ Stackable Managed Switch with 2x10GBASE-T and 2xSFP+ (550W PSU)
Message 1 of 12

Retired_Member
Not applicable

Re: ACL rules M4300

Hi @spopuri ,

 

Welcome to the Community!

I suggest you configure an IP ACL to meet your requirement.

As both DHCP and DNS are based on the UDP protocol, you can create one IP ACL with 3 rules (permit udp destination port 53/67/68). Then bind the IP ACL to the physical port or VLAN.

For detailed ACL configuration, please refer to the link (Software Administration Manual: page 171).

 

Below is the example config:

 

ip access-list test
permit udp any any eq domain
permit udp any any eq 67
permit udp any any eq 68
exit


interface 1/0/1
ip access-group test in 1
exit

 

Hope it helps!

 

Regards,

Eric

Message 2 of 12
spopuri
Aspirant

Re: ACL rules M4300

Thanks, Eric, I would like to do this in the web interface. Is it possible to give me an example?

 

Should I mention the port number in the source and destination?

Message 3 of 12
LaurentMa
NETGEAR Expert

Re: ACL rules M4300

Hi,

The examples for both CLI and Web GUI are in the Software Administration Manual starting on page 172 (ACL chapter). That is the link Eric indicated.

https://www.netgear.com/support/product/m4300.aspx#docs

Specifically, http://www.downloads.netgear.com/files/GDC/M4300/M4300_SWA_EN.pdf

Unlike other manuals presenting all commands, the Software Administration Manual is a collection of real-world examples with explained config.

I hope it will help you, please let us know how it goes
Message 4 of 12
spopuri
Aspirant

Re: ACL rules M4300

Please see the attached screenshot. Let me know if that is right.

Message 5 of 12
LaurentMa
NETGEAR Expert

Re: ACL rules M4300

I think the source IP should be any and Destination IP should be any too. Only differentiation is on the three UDP ports Eric provided above. The ACL then would be ending with Deny everything at the end in your case. We bind the ACL to the ports in the ingress direction (traffic coming to the interface).
Message 6 of 12
spopuri
Aspirant

Re: ACL rules M4300

I think the source IP should be any and Destination IP should be any too. - How can I write any IP? Is it 0.0.0.0?

Only differentiation is on the three UDP ports Eric provided above. - I have written 3 ACLs: one for port 67, one for port 68 and one for port 53 (domain).

The ACL then would be ending with Deny everything at the end in your case. We bind the ACL to the ports in the ingress direction (traffic coming to the interface) - Do you mean I have to write an ACL at the end of this named ACL to deny everything else? Please see the attached screenshot for "deny everything else".

 

 

Message 7 of 12
Retired_Member
Not applicable

Re: ACL rules M4300

@spopuri 

 

On the Web GUI, when you create a new rule for the IP ACL, you only need to input the 4 fields below; keep all other parameters at their default config:

Sequence Number: any value is OK

Action: Permit

Protocol Type: UDP

Dst L4: input 53/67/68

[Attached screenshot: IP ACL_permit UDP Dst Port.png]

The ending deny-everything rule is the default behavior; there is no need to configure it manually.

Then go to the 'IP Binding Configuration' page and select the correct port that you want to apply this IP ACL rule to.

 

Message 8 of 12
spopuri
Aspirant

Re: ACL rules M4300

Don't I have to mention the port number in the source L4?

 

 

Message 9 of 12
Retired_Member
Not applicable

Re: ACL rules M4300

@spopuri 

 

Yes, correct. You only need to limit the destination L4 port.

Message 10 of 12
spopuri
Aspirant

Re: ACL rules M4300

@Retired_Member: Thank you very much for your response.

 

I will also create another ACL to allow traffic on certain ports from clients to server. Whereas in the destination IP I will mention the server's IP address.

 

Thanks,

Sravan

Message 11 of 12
Retired_Member
Not applicable

Re: ACL rules M4300

@spopuri 

 

I do not suggest limiting the destination IP to the server's IP address, as the DHCP protocol is bidirectional (Client<->Server), and the Discover/Request packets are broadcast, meaning the DIP is the broadcast IP, not the server's IP; Offer/ACK/Release are unicast, so maybe the SIP/DIP is the server's IP. If you only allow DIP=Server's IP, it will cause some DHCP packets to be dropped by the ACL rules, and then the client cannot get an IP address from the server.

Message 12 of 12
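To make the thread concrete, here is an added Python model of the switch's first-match ingress IP ACL with its implicit trailing deny. It is example code written for this page, not NETGEAR code and not from any post above. It replays a constructed DHCP lease exchange and a DNS lookup through Eric's permit-udp-dst-53/67/68 ACL from message 2 and through the server-pinned variant discussed in messages 11 and 12, and also shows what changes when the ACL is bound to a VLAN (so it also sees frames entering from the server port) instead of only to the client-facing port. SERVER_IP, CLIENT_IP and the packet list are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Assumed addresses for the example (not taken from the thread).
SERVER_IP = "10.0.0.2"
CLIENT_IP = "10.0.0.50"
BROADCAST = "255.255.255.255"
ANY = ip_network("0.0.0.0/0")   # the Web GUI / CLI "any" match


@dataclass(frozen=True)
class Pkt:
    name: str
    ingress: str   # switch port the frame arrives on: "client" or "server"
    src: str
    dst: str
    proto: str     # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "udp", "tcp" or "ip" (any protocol)
    src: IPv4Network             # source IP match
    dst: IPv4Network             # destination IP match
    dport: Optional[int] = None  # destination L4 port; None == any (Src L4 left at default)

    def matches(self, p: Pkt) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and ip_address(p.src) in self.src
                and ip_address(p.dst) in self.dst
                and (self.dport is None or self.dport == p.dport))


def evaluate(acl: list[Rule], p: Pkt) -> str:
    """First matching rule wins; with no match the switch's implicit trailing deny applies."""
    for r in acl:
        if r.matches(p):
            return r.action
    return "deny"


def outcome(acl: list[Rule], bound_on: set[str], p: Pkt) -> str:
    """An ingress ACL is only consulted for frames entering a port it is bound to."""
    if p.ingress not in bound_on:
        return "forward (ACL not consulted)"
    return evaluate(acl, p)


def permit_udp_to(port: int, dst: IPv4Network = ANY) -> Rule:
    return Rule("permit", "udp", ANY, dst, port)


# Eric's ACL from message 2: permit udp any any eq domain / 67 / 68.
ACL_ANY_DST = [permit_udp_to(53), permit_udp_to(67), permit_udp_to(68)]
# The variant considered in message 11: same ports, destination IP pinned to the server.
SERVER_ONLY = ip_network(SERVER_IP + "/32")
ACL_SERVER_DST = [permit_udp_to(p, SERVER_ONLY) for p in (53, 67, 68)]

# Constructed traffic: a DHCP lease (RFC 2131 DORA + release), a DNS lookup, an unrelated flow.
PACKETS = [
    Pkt("DHCPDISCOVER", "client", "0.0.0.0", BROADCAST, "udp", 68, 67),
    Pkt("DHCPOFFER",    "server", SERVER_IP, BROADCAST, "udp", 67, 68),
    Pkt("DHCPREQUEST",  "client", "0.0.0.0", BROADCAST, "udp", 68, 67),
    Pkt("DHCPACK",      "server", SERVER_IP, BROADCAST, "udp", 67, 68),
    Pkt("DHCPRELEASE",  "client", CLIENT_IP, SERVER_IP, "udp", 68, 67),
    Pkt("DNS query",    "client", CLIENT_IP, SERVER_IP, "udp", 40000, 53),
    Pkt("DNS reply",    "server", SERVER_IP, CLIENT_IP, "udp", 53, 40000),
    Pkt("HTTP",         "client", CLIENT_IP, SERVER_IP, "tcp", 40001, 80),
]


def run(acl: list[Rule], bound_on: set[str]) -> dict[str, str]:
    return {p.name: outcome(acl, bound_on, p) for p in PACKETS}


def client_gets_lease(acl: list[Rule], bound_on: set[str]) -> bool:
    """The lease only completes if none of the four DORA messages is dropped."""
    res = run(acl, bound_on)
    return all(res[m] != "deny" for m in ("DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK"))


if __name__ == "__main__":
    scenarios = [
        ("any-dst ACL, bound ingress on the client port", ACL_ANY_DST, {"client"}),
        ("server-dst ACL, bound ingress on the client port", ACL_SERVER_DST, {"client"}),
        ("any-dst ACL, bound on the VLAN (client and server ports)", ACL_ANY_DST, {"client", "server"}),
    ]
    for label, acl, bound in scenarios:
        print(f"\n{label}: lease completes = {client_gets_lease(acl, bound)}")
        for name, verdict in run(acl, bound).items():
            print(f"  {name:13s} {verdict}")
```

The second scenario reproduces the failure described in the last reply: DHCPDISCOVER and DHCPREQUEST carry a broadcast destination, so pinning the destination IP to the server drops them and no lease ever completes, even though the unicast DHCPRELEASE and the DNS query still pass. The third scenario is the reverse caveat: if the same ACL is bound on the VLAN so that it also filters frames entering from the server port, DNS replies (destination port is the client's ephemeral port) hit the implicit deny, while the broadcast DHCPOFFER/DHCPACK still pass on port 68. Binding the ACL only in the ingress direction on the client-facing port, as suggested in message 6, avoids that.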