Since you cannot use a match statement on a route-map with the set interface null0, how would you actually implement a rule that blocks access to a specific network?
!-- What the DMZ hosts are allowed to access on the LAN
route-map "dmz-map" deny 10
Match clauses:
ip address (access-lists) : dmz-lan-allowed
Set clauses:
!-- select hosts routing out 2nd ISP
route-map "dmz-map" permit 20
Match clauses:
ip address (access-lists) : dmz-twc-outbound
Set clauses:
ip default next-hop 172.27.12.3
!-- MAGIC PERMIT/DENY 30 RULE
!-- the default packet dropper. I need to add a "match" to this to only
!-- drop dmz-lan-denied, but I can't put a "match" on this.
route-map "dmz-map" permit 40
Match clauses:
Set clauses:
interface null0
I would need to implement a deny 30 that matched everything that wasn't in the dmz-lan-denied ACL. How would I do that?
ip access-list dmz-lan-denied
1000 permit ip 172.27.3.0 0.0.0.255 172.27.9.0 0.0.0.255
1010 permit ip 172.27.3.0 0.0.0.255 172.27.10.0 0.0.0.255
1020 permit ip 172.27.3.0 0.0.0.255 172.27.15.0 0.0.0.255
1030 permit ip 172.27.3.0 0.0.0.255 172.27.30.0 0.0.0.255
exit
Dell- Maria J
3 Apprentice
278 Posts
0
November 19th, 2021 07:00
Hello JSL2,
Sorry for the delay in replying; I needed time to do some research. I've spoken with colleagues from the Networking Team; however, it is a configuration question and the device is out of warranty, so there is a limit to the troubleshooting steps that can be provided. It is recommended to contact phone support for Enterprise Configuration & Deployment; maybe this document could be useful:
https://dell.to/32hEbG6
My colleagues also recommended, as a troubleshooting step, using ip prefix-list from this document:
https://dell.to/3FxEV8s p. 1430, but it won't work exactly as you described; it should still deny access.
Please let us know, if you have any questions.
Thank you
Maria Januszka
#IWork4Dell
Dell | Social Outreach Services - Enterprise
Dell- Maria J
3 Apprentice
278 Posts
0
November 15th, 2021 04:00
Hello JSL2,
Thank you for choosing Dell.
Did you try to apply the following command:
console(config-route-map)#set interface null0
PBR does however provide a way to drop a packet if desired. By using the set interface null0 command, users can drop any packet that matches the criteria on a permit statement. Simply add the following set statement to your permit sequence.
Source:
https://dell.to/323eMjj p.20
Please ask me if you have any questions.
Maria Januszka
#IWork4Dell
Dell | Social Outreach Services - Enterprise
JSL2
1 Rookie
10 Posts
0
November 15th, 2021 07:00
No, I haven't tried the command yet. I'm going to wait until non-business hours. This device is not under support, unfortunately.
Dell- Maria J
3 Apprentice
278 Posts
0
November 15th, 2021 07:00
Hello JSL2,
Thank you for your reply. Did you already try to apply this command?
I would also like to recommend that you contact phone support, if you have an active warranty, because support can check the logs and could also check the configuration.
Thanks,
Maria Januszka
#IWork4Dell
Dell | Social Outreach Services - Enterprise
JSL2
1 Rookie
10 Posts
0
November 15th, 2021 07:00
Ah ok, so the idea would be not to use ip group-access at all, and just put all of the port restricting/firewalling into the PBR?
JSL2
1 Rookie
10 Posts
0
November 15th, 2021 17:00
Since you cannot use a match statement on a route-map with the set interface null0, how would you actually implement a rule that blocks access to a specific network?
!-- What the DMZ hosts are allowed to access on the LAN
route-map "dmz-map" deny 10
Match clauses:
ip address (access-lists) : dmz-lan-allowed
Set clauses:
!-- select hosts routing out 2nd ISP
route-map "dmz-map" permit 20
Match clauses:
ip address (access-lists) : dmz-twc-outbound
Set clauses:
ip default next-hop 172.27.12.3
!-- MAGIC PERMIT/DENY 30 RULE
!-- the default packet dropper. I need to add a "match" to this to only
!-- drop dmz-lan-denied, but I can't put a "match" on this.
route-map "dmz-map" permit 40
Match clauses:
Set clauses:
interface null0
I would need to implement a deny 30 that matched everything that wasn't in the dmz-lan-denied ACL. How would I do that?
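The route-map semantics quoted earlier in the thread (a permit sequence with set interface null0 drops whatever it matches) and the problem in the post above (a permit sequence with no match clause matches every packet, so sequence 40 drops all remaining DMZ traffic, not only the dmz-lan-denied flows) can be checked with a small first-match model. The following is an added illustration in Python, not code from the thread, from Dell, or from the switch; it assumes standard first-match route-map evaluation (a deny sequence or no matching sequence hands the packet to normal routing, a permit sequence applies its set clause), treats "ip default next-hop" as a plain next hop, takes the dmz-lan-denied entries from the thread, and constructs sample entries for dmz-lan-allowed and dmz-twc-outbound because the thread does not show them.

```python
# Added illustration (not from the thread or from Dell documentation): a small
# first-match model of how a PBR route-map decides what happens to a packet.
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


def in_wildcard(ip: str, network: str, wildcard: str) -> bool:
    """ACL-style wildcard test: bits set in the wildcard are don't-care bits."""
    ip_i = int(ipaddress.IPv4Address(ip))
    net_i = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (ip_i & care) == (net_i & care)


@dataclass
class AclEntry:
    action: str   # "permit" or "deny"
    src: str
    src_wc: str
    dst: str
    dst_wc: str


def acl_matches(entries: List[AclEntry], src: str, dst: str) -> bool:
    """An ACL referenced by 'match ip address' matches when the first entry that
    covers the packet is a permit; the implicit deny at the end means 'no match'."""
    for e in entries:
        if in_wildcard(src, e.src, e.src_wc) and in_wildcard(dst, e.dst, e.dst_wc):
            return e.action == "permit"
    return False


@dataclass
class Sequence:
    seq: int
    action: str                      # "permit" or "deny"
    match_acl: Optional[str] = None  # None = no match clause = matches everything
    next_hop: Optional[str] = None   # 'set ip default next-hop' (modelled as a plain next hop)
    null0: bool = False              # 'set interface null0'


def evaluate(route_map: List[Sequence], acls: Dict[str, List[AclEntry]],
             src: str, dst: str) -> str:
    """First sequence whose match clause covers the packet decides the outcome
    (assumed semantics: deny or no match -> normal routing; permit -> set clause)."""
    for s in sorted(route_map, key=lambda s: s.seq):
        if s.match_acl is not None and not acl_matches(acls[s.match_acl], src, dst):
            continue
        if s.action == "deny":
            return "normal-routing"
        if s.null0:
            return "drop(null0)"
        if s.next_hop:
            return f"next-hop {s.next_hop}"
        return "normal-routing"
    return "normal-routing"


ANY = ("0.0.0.0", "255.255.255.255")
ACLS: Dict[str, List[AclEntry]] = {
    # Entries as posted in the thread.
    "dmz-lan-denied": [
        AclEntry("permit", "172.27.3.0", "0.0.0.255", "172.27.9.0", "0.0.0.255"),
        AclEntry("permit", "172.27.3.0", "0.0.0.255", "172.27.10.0", "0.0.0.255"),
        AclEntry("permit", "172.27.3.0", "0.0.0.255", "172.27.15.0", "0.0.0.255"),
        AclEntry("permit", "172.27.3.0", "0.0.0.255", "172.27.30.0", "0.0.0.255"),
    ],
    # The thread does not show these two lists; the entries below are constructed.
    "dmz-lan-allowed": [AclEntry("permit", "172.27.3.0", "0.0.0.255", "172.27.20.0", "0.0.0.255")],
    "dmz-twc-outbound": [AclEntry("permit", "172.27.3.50", "0.0.0.0", *ANY)],
}

# The route-map as posted: sequence 40 has no match clause, so it is a catch-all drop.
POSTED_MAP = [
    Sequence(10, "deny", match_acl="dmz-lan-allowed"),
    Sequence(20, "permit", match_acl="dmz-twc-outbound", next_hop="172.27.12.3"),
    Sequence(40, "permit", null0=True),
]

# The behaviour the poster asks for: drop only dmz-lan-denied flows and let everything
# else route normally, expressed as a matched null0 sequence (the thread reports that
# the device would not accept a match clause on such a sequence).
INTENDED_MAP = [
    Sequence(10, "deny", match_acl="dmz-lan-allowed"),
    Sequence(20, "permit", match_acl="dmz-twc-outbound", next_hop="172.27.12.3"),
    Sequence(30, "permit", match_acl="dmz-lan-denied", null0=True),
]

# Constructed sample flows from the DMZ subnet 172.27.3.0/24.
SAMPLE_FLOWS = {
    "to-allowed-lan": ("172.27.3.10", "172.27.20.5"),
    "twc-host-to-internet": ("172.27.3.50", "198.51.100.7"),
    "to-denied-lan": ("172.27.3.10", "172.27.9.7"),
    "to-unlisted-lan": ("172.27.3.10", "172.27.50.1"),
}


def outcomes(route_map: List[Sequence]) -> Dict[str, str]:
    """Outcome of every sample flow under the given route-map."""
    return {name: evaluate(route_map, ACLS, src, dst)
            for name, (src, dst) in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for label, rm in (("posted", POSTED_MAP), ("intended", INTENDED_MAP)):
        print(label, outcomes(rm))
```

Running it shows the difference the poster is chasing: under the posted map the flow to 172.27.50.0/24, which is in neither list, is dropped by the catch-all sequence 40 together with the dmz-lan-denied flow, while under the intended map only the dmz-lan-denied flow is dropped and the unlisted flow falls through to normal routing. The same model is a cheap way to review any PBR change before it goes on a device: run the candidate map over the flows you care about and confirm nothing outside the deny list is silently black-holed.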
Dell- Maria J
3 Apprentice
278 Posts
0
November 16th, 2021 03:00
Hello JSL2,
Thank you for your reply. May I please ask you to provide Service Tag and location of the switch in Private Messages? I would like to contact colleagues from Networking Team and I need this information.
Thanks,
Maria Januszka
#IWork4Dell
Dell | Social Outreach Services - Enterprise
JSL2
1 Rookie
10 Posts
0
November 16th, 2021 18:00
I PM'ed you that information
JSL2
1 Rookie
10 Posts
0
November 22nd, 2021 18:00
Well, thanks for the response anyway!