ExtremeSwitching (EXOS)


acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

  • 1.  acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 13:28

    I’m getting this error on an exos switch when trying to refresh a policy

    Line 29 : Protocol needs to be set to TCP or UDP, before setting "destination-port".

     

    Here’s an example what I added.

    entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}

     

     

    Here is an example of some lines that work:

    entry acl1_deny28 { if { protocol udp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port snmp;} then { count acl1_snmp_deny; deny;}}

    entry acl1_denyr1 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.4.0/24; destination-port 873;} then { count acl1_rsync_deny; deny;}}
     

    Can anyone tell me why I can’t deny port 80 the same way I deny port 873 or snmp?



  • 2.  RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 13:35

    It reports an error on line 29. Is the line you show line 29?



  • 3.  RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 13:37

    Yes, I just took an excerpt. I didn’t want to do the whole config.

     

    But look at what does work vs. the one that doesn't. The syntax is literally identical.

    protocol <tcp or udp>;source-address; destination-address; destination-port; then the action.



  • 4.  RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 13:40

    That entry just works if I try it.

    I think there is something else wrong in your policy.

    Do a check policy <ACL> and see what it returns.



  • 5.  RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 13:55

    Oh shoot, it was the bottom line to allow just IT subnet access to that device.

     

    I pasted the whole group in and thought it was the start of the newest line.

     

    entry acl1_permit { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
     

    It blocks it completely though. So the last permit is not allowed anyway. Though I’m RDPing, so I don't know what the system sees me as: the PC I’m RDP’d to in that subnet, or my VPN IP address, which is in the 192.168 range.



  • 6.  RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 14:05

    I got it to work by putting my permit above the denies.

     

    entry acl1_perm80 { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
    entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny37 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.17/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny38 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.18/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny39 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.19/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny40 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.20/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny41 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.21/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny42 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.22/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny43 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.23/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny44 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.24/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny45 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.25/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny46 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.26/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny47 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.27/32; destination-port 80;} then { count acl1_http_deny; deny;}}
    entry acl1_deny48 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port 80;} then { count acl1_http_deny; deny;}}
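The fix in this post is an ordering fix: EXOS evaluates the entries of a policy file top to bottom and the first entry whose conditions all match decides the action, so a permit placed after a matching deny can never fire. The script below is an added example, not code from the thread or from Extreme Networks. It parses the entry syntax used in this thread with a regular expression (enough for these entries, not a full policy grammar), simulates first-match evaluation, and reproduces the "Protocol needs to be set to TCP or UDP" message from the first post as a local check. Everything in it is constructed for illustration: the two shortened policies, the `SERVICE_PORTS` table that resolves names such as `snmp`, and the assumption that a flow matching no entry is forwarded (no implicit deny is modelled). The `check_policy` function is only a stand-in; on the switch, the `check policy <ACL>` command mentioned earlier in the thread is the real validation step.

```python
"""Added example (not from the thread or Extreme Networks): a small first-match
simulator for EXOS-style ACL policy entries, showing why the permit had to move
above the denies."""
import ipaddress
import re

# Constructed policies in the entry syntax used in the thread, shortened to two hosts.
POLICY_PERMIT_LAST = """
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny37 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.17/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_permit { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
"""

POLICY_PERMIT_FIRST = """
entry acl1_perm80 { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny37 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.17/32; destination-port 80;} then { count acl1_http_deny; deny;}}
"""

# Constructed: destination-port written before protocol, to exercise the ordering check.
POLICY_BAD_ORDER = "entry bad1 { if { destination-port 80; protocol tcp; } then { deny; } }"

# Assumed mapping of the service names seen in the thread to port numbers.
SERVICE_PORTS = {"snmp": 161, "http": 80, "rsync": 873}

# Matches one 'entry <name> { if { ... } then { ... } }' block; lazy groups keep entries apart.
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)


def parse_policy(text):
    """Parse entries in file order. Raises ValueError when destination-port appears
    before protocol tcp/udp, mirroring the switch message quoted in the thread."""
    entries = []
    for number, m in enumerate(ENTRY_RE.finditer(text), start=1):
        name, cond, action = m.groups()
        match = {}
        for clause in cond.split(";"):
            clause = clause.strip()
            if not clause:
                continue
            key, _, value = clause.partition(" ")
            if key == "destination-port" and match.get("protocol") not in ("tcp", "udp"):
                raise ValueError(
                    f"Entry {number} ({name}): Protocol needs to be set to TCP or UDP, "
                    f'before setting "destination-port".')
            match[key] = value.strip()
        actions = [a.strip() for a in action.split(";") if a.strip()]
        entries.append({"name": name, "match": match, "actions": actions})
    return entries


def check_policy(text):
    """Stand-in for the switch's own 'check policy': returns a list of error strings."""
    try:
        parse_policy(text)
    except ValueError as exc:
        return [str(exc)]
    return []


def _port(value):
    """Resolve a numeric or named destination-port value to an integer (None if unknown)."""
    return int(value) if value.isdigit() else SERVICE_PORTS.get(value)


def evaluate(entries, proto, src, dst, dport):
    """Return (entry name, action) for the first entry matching the flow.
    Assumption: a flow matching no entry is forwarded, i.e. no implicit deny."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        m = e["match"]
        if m.get("protocol", proto) != proto:
            continue
        if "source-address" in m and src_ip not in ipaddress.ip_network(m["source-address"], strict=False):
            continue
        if "destination-address" in m and dst_ip not in ipaddress.ip_network(m["destination-address"], strict=False):
            continue
        if "destination-port" in m and _port(m["destination-port"]) != dport:
            continue
        return e["name"], ("permit" if "permit" in e["actions"] else "deny")
    return None, "permit"


if __name__ == "__main__":
    # Constructed flow: an IT-subnet client opening HTTP to one of the managed hosts.
    flow = ("tcp", "10.7.3.44", "10.80.2.16", 80)
    print("permit last :", evaluate(parse_policy(POLICY_PERMIT_LAST), *flow))
    print("permit first:", evaluate(parse_policy(POLICY_PERMIT_FIRST), *flow))
    print("check policy:", check_policy(POLICY_BAD_ORDER))
```

Running it shows the same IT-subnet flow hitting `acl1_deny36` when the permit is last and `acl1_perm80` when it is first, while a 192.168.x source is denied in both orderings, which is the distinction the RDP question in the previous post turns on. The source address the switch evaluates is that of the host that actually sends the packets, so with a policy like this the position of the permit and the subnet of the originating machine together decide the outcome.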
     

     



  • 7.  RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

    Posted 07-26-2021 19:50

    Hey, can I put comments in an ACL file?

    If so, what's the escape character?
    Example
    // Allow only IT access to idrac

    entry (something defining IT)  permit

    entry (everyone else) deny