Network Architecture & Design

ACL to allow traffic to specified ports on a subnet

  • 1.  ACL to allow traffic to specified ports on a subnet

    Posted 02-14-2018 13:44
    I have a situation where I need to restrict traffic from a specified client subnet to another server subnet. I have done this by creating a blanket deny between subnets which works fine.

    I now need to allow traffic between the same two subnets but only for a specific port number.

    I cannot seem to get this to function. The policy check commands come back as passed OK.

    When the blanket deny between subnets is removed I can access the port I need to from the client subnet.

    I have included examples from my ACL below and the "allow" is above the "deny" in the ACL.

    entry Allow_server_to_client {
        if {
            source-address aaa.bbb.0.0/16;       # (client)
            protocol tcp;
            destination-address ccc.ddd.195.0/24; # (server)
            destination-port 13087;
        }
        then {
            permit;
        }
    }

    entry Deny_server_to_client {
        if match all {
            source-address aaa.bbb.0.0/16;
            destination-address ccc.ddd.0.0/16;
        }
        then {
            deny;
        }
    }



  • 2.  RE: ACL to allow traffic to specified ports on a subnet

    Posted 02-20-2018 12:11
    Try "if match all" on the first expression as well

    I honestly cannot remember the default on XOS



  • 3.  RE: ACL to allow traffic to specified ports on a subnet

    Posted 02-20-2018 12:24
    Have you refreshed the policy?
    refresh policy


  • 4.  RE: ACL to allow traffic to specified ports on a subnet

    Posted 02-20-2018 12:34
    All

    I had been doing a policy check and refresh without success... What I did find is that specifying "if match all" seemed to do the trick. I have no idea why, as by default (apparently) "if match all" is implied. Either way I got it going, but thanks for the replies.

    cheers

    Rich
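To make the ordering point from this thread concrete, here is a small first-match evaluator added as an illustration; it is not EXOS code and not Rich's policy. The 10.x prefixes stand in for the aaa.bbb / ccc.ddd placeholders, and the implicit permit for traffic that matches no entry is an assumption. Under "match all" the permit entry admits only tcp/13087 to the server /24 and the deny entry catches everything else between the two subnets; if the permit entry were evaluated with "match any" semantics instead, any packet from the client /16 would hit the first entry and be permitted before the deny is ever consulted.

```python
import ipaddress
from copy import deepcopy

# Constructed stand-in for the two entries in the first post (addresses are
# placeholders, not the poster's real prefixes). Order matters: permit sits above deny.
ACL = [
    {"name": "Allow_server_to_client", "match": "all", "action": "permit",
     "conditions": {"source": "10.1.0.0/16", "protocol": "tcp",
                    "destination": "10.2.195.0/24", "dport": 13087}},
    {"name": "Deny_server_to_client", "match": "all", "action": "deny",
     "conditions": {"source": "10.1.0.0/16", "destination": "10.2.0.0/16"}},
]


def _condition_hits(conditions, packet):
    """Return one True/False per condition in the entry."""
    in_net = lambda addr, net: ipaddress.ip_address(addr) in ipaddress.ip_network(net)
    checks = {
        "source": lambda net: in_net(packet["src"], net),
        "destination": lambda net: in_net(packet["dst"], net),
        "protocol": lambda proto: packet["proto"] == proto,
        "dport": lambda port: packet.get("dport") == port,
    }
    return [checks[key](value) for key, value in conditions.items()]


def evaluate(acl, packet, default="permit"):
    """First-match evaluation: 'match all' needs every condition to hit, 'match any'
    needs only one. Packets matching no entry get `default` (assumed implicit permit)."""
    for entry in acl:
        hits = _condition_hits(entry["conditions"], packet)
        matched = all(hits) if entry["match"] == "all" else any(hits)
        if matched:
            return entry["action"], entry["name"]
    return default, "implicit-default"


def with_first_entry_mode(acl, mode):
    """Copy of the ACL with the permit entry evaluated under `mode` ('all' or 'any')."""
    acl = deepcopy(acl)
    acl[0]["match"] = mode
    return acl


if __name__ == "__main__":
    wanted = {"src": "10.1.4.20", "dst": "10.2.195.7", "proto": "tcp", "dport": 13087}
    other = {"src": "10.1.4.20", "dst": "10.2.195.7", "proto": "tcp", "dport": 22}
    for mode in ("all", "any"):
        acl = with_first_entry_mode(ACL, mode)
        print(mode, evaluate(acl, wanted), evaluate(acl, other))
```

Running it shows tcp/22 from the client subnet denied under "all" but permitted under "any", which is the over-permissive outcome a blanket deny is meant to prevent.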


  • 5.  RE: ACL to allow traffic to specified ports on a subnet

    Posted 02-20-2018 12:34
    Thanks Simon for your help :-)

    cheers