ExtremeSwitching (EXOS)

  • 1.  Further ACL problems

    Posted 01-07-2014 21:54
    Create Date: Jul 12 2012 4:07AM

    OK here's a challenge. How to permit IP and ICMP Pings from a list of 40 subnets in an ACL. Should be straightforward? I thought so until I tried and realised the resulting ACL would be (40*8)+(40*7)=600 lines long! For each network I need the following (sorry about the lack of formatting, presently neither IE or Chrome will persuade the forum to accept linefeeds or an attachment!!!):

    entry name {
        description "xxx"
        if {
            source-address x.x.x.x/x;
            protocol icmp;
            icmp-type 8;
        } then {
            permit;
        }
    }

    entry name {
        description "xxx"
        if {
            source-address x.x.x.x/x;
            protocol ip;
        } then {
            permit;
        }
    }

    Surely I must be wrong? (from David_Rickard)


  • 2.  RE: Further ACL problems

    Posted 01-07-2014 21:54
    Create Date: Jul 12 2012 2:15PM

    Can you aggregate some subnets 🙂 ?
    For example x.x.x.x/24 and y.y.y.y/24 to z.z.z.z/23 ?

    --
    Jarek (from Jaroslaw_Kasjaniuk)


  • 3.  RE: Further ACL problems

    Posted 01-07-2014 21:54
    Create Date: Jul 13 2012 1:10AM

    Not really. The thing is that's only the main part; there is still more where port/protocol checks are needed, so the whole ACL expands to over 800 lines when really there are only 100 lines in there that actually do anything - the rest is just pointless fluff around each actual ACE. (from David_Rickard)
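    The two ideas in this thread, the per-subnet pair of entries from the first post and the prefix aggregation Jarek suggests, fit together in a small generator. The script below is an added example, not code from the thread or from Extreme Networks: it takes a list of source subnets, collapses adjacent or overlapping prefixes with the standard-library ipaddress module, and emits one ICMP echo-request entry and one IP entry per surviving prefix in the layout the first post shows. The entry names (src1_ping, src1_ip, ...), the description strings and the sample subnets are all constructed for the example, and the generated file should still be syntax-checked on the switch (check policy) before it is applied, since the layout is copied from the post rather than from the EXOS reference.

```python
import ipaddress

# Constructed sample input (not from the thread). The first two /24s are
# adjacent on purpose so the aggregation step has something to collapse.
SAMPLE_SUBNETS = [
    "10.1.0.0/24",
    "10.1.1.0/24",
    "192.0.2.0/24",
    "198.51.100.128/25",
]


def aggregate(subnets):
    """Collapse adjacent and overlapping prefixes into the fewest covering ones.

    ipaddress.collapse_addresses does exactly the x/24 + y/24 -> z/23 merge
    suggested in the thread, and it also drops any subnet already covered by
    a larger one in the list. The result comes back in sorted order.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return list(ipaddress.collapse_addresses(nets))


def entry_text(name, net, match_lines, description):
    """Render one policy entry in the layout shown in the first post.

    name / description are arbitrary labels chosen for this example.
    """
    body = "\n".join(f"        {line};" for line in match_lines)
    return (
        f"entry {name} {{\n"
        f"    description \"{description}\"\n"
        f"    if {{\n"
        f"        source-address {net};\n"
        f"{body}\n"
        f"    }} then {{\n"
        f"        permit;\n"
        f"    }}\n"
        f"}}"
    )


def policy_entries(subnets, name_prefix="src"):
    """Two permit entries per aggregated subnet: ICMP echo-request, then IP."""
    entries = []
    for i, net in enumerate(aggregate(subnets), start=1):
        # ICMP type 8 = echo request, as in the thread's first entry.
        entries.append(entry_text(
            f"{name_prefix}{i}_ping", net,
            ["protocol icmp", "icmp-type 8"], f"ping from {net}"))
        # Plain IP permit, as in the thread's second entry.
        entries.append(entry_text(
            f"{name_prefix}{i}_ip", net,
            ["protocol ip"], f"ip from {net}"))
    return entries


def policy_text(subnets, name_prefix="src"):
    """Full policy file contents, entries separated by a blank line."""
    return "\n\n".join(policy_entries(subnets, name_prefix)) + "\n"


def entry_counts(subnets):
    """(entries before aggregation, entries after) at two entries per subnet."""
    return 2 * len(subnets), 2 * len(aggregate(subnets))


if __name__ == "__main__":
    print(policy_text(SAMPLE_SUBNETS))
    print("entries: %d -> %d" % entry_counts(SAMPLE_SUBNETS))
```

    Running it on the sample list collapses the two adjacent /24s into 10.1.0.0/23, so eight entries become six; the line count stays proportional to the number of prefixes, which is the point of aggregating before generating. Generating the file rather than hand-editing it also means the port/protocol entries mentioned in the last post can be added as another match_lines list without touching the existing ones.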