ACL ingress traffic only permit counts

Mareen
New Contributor
Hi,

I created an ACL on an X460, applied it to the VLAN and tested the traffic. The traffic is blocked (connection refused), but only the counter for permit counts... maybe I am doing something wrong here; do you have any suggestions for me?

Here is the ACL:

entry esx1_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.2/24;
    } then {
        deny;
        count esx1_coop;
    }
}
entry esx2_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.3/24;
    } then {
        deny;
        count esx2_coop;
    }
}
entry usv1_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.5/24;
    } then {
        deny;
        count usv1_coop;
    }
}
entry usv2_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.6/24;
    } then {
        deny;
        count usv2_coop;
    }
}
entry Collax_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.10/24;
    } then {
        deny;
        count Collax_coop;
    }
}
entry PASCAL {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.40/24;
    } then {
        deny;
        count PASCAL;
    }
}
entry BAUER {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.41/24;
    } then {
        deny;
        count BAUER;
    }
}
entry OSBK {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.42/24;
    } then {
        deny;
        count OSBK;
    }
}
entry VMware {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.43/24;
    } then {
        deny;
        count VMware;
    }
}
entry SQL {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.44/24;
    } then {
        deny;
        count SQL;
    }
}
entry Oracle {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.45/24;
    } then {
        deny;
        count Oracle;
    }
}
entry permit {
    if {
        source-address 0.0.0.0/0;
    } then {
        permit;
        count permit;
    }
}

4 Replies

Mareen
New Contributor
Hi Oscar, now I can see it, thanks a lot.

OscarK
Extreme Employee
Hello Mareen, all your destination addresses/masks are wrong. A /24 mask should end with a 0, like 10.254.250.0/24, which would match the whole subnet. If you want to deny to a host, use /32 as the mask.
So that rule should look like:
entry usv2_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.6/32;
    } then {
        deny;
        count usv2_coop;
    }
}
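The mask problem Oscar points out is easy to catch before a policy ever reaches a switch. The following Python script is an added example, not code from this thread or from Extreme Networks: it parses the ExtremeXOS policy syntax shown above (the SAMPLE_POLICY string is a constructed subset of the original entries), flags every prefix whose host bits are set under its mask using ipaddress.ip_network(strict=True), and proposes the two unambiguous rewrites (the /32 host or the covering network). The first_match function assumes plain top-to-bottom first-match evaluation with each prefix read as a network; it does not model how the switch hardware treats a malformed prefix, but it does show that, read as networks, all the /24 host entries collapse into the same subnet and shadow each other.

```python
import copy
import ipaddress
import re

# Constructed sample in the ExtremeXOS policy syntax used in the thread: two of
# the original /24 entries plus the catch-all permit. Not a file from the switch.
SAMPLE_POLICY = """
entry esx1_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.2/24;
    } then {
        deny;
        count esx1_coop;
    }
}
entry usv2_coop {
    if {
        source-address 192.168.221.0/24;
        destination-address 10.254.250.6/24;
    } then {
        deny;
        count usv2_coop;
    }
}
entry permit {
    if {
        source-address 0.0.0.0/0;
    } then {
        permit;
        count permit;
    }
}
"""

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+?)\s*\{\s*if\s*\{(?P<cond>.*?)\}\s*then\s*\{(?P<act>.*?)\}\s*\}",
    re.S,
)
MATCH_RE = re.compile(r"(\S+-address)\s+(\S+?)\s*;")


def parse_policy(text):
    """Parse entries into dicts: name, match (field -> prefix), action, counter."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        match = dict(MATCH_RE.findall(m.group("cond")))
        actions = [a.strip() for a in m.group("act").split(";") if a.strip()]
        action = next((a for a in actions if a in ("deny", "permit")), None)
        counter = next((a.split()[1] for a in actions if a.startswith("count ")), None)
        entries.append({"name": m.group("name"), "match": match,
                        "action": action, "counter": counter})
    return entries


def lint_policy(entries):
    """Flag prefixes whose host bits are set under their mask (e.g. 10.254.250.6/24).
    ip_network(strict=True) raises for exactly that case; each finding carries the
    two unambiguous rewrites: the single host (/32) or the covering network."""
    findings = []
    for e in entries:
        for field, value in e["match"].items():
            try:
                ipaddress.ip_network(value, strict=True)
            except ValueError:
                iface = ipaddress.ip_interface(value)
                findings.append({"entry": e["name"], "field": field, "value": value,
                                 "host_form": f"{iface.ip}/32",
                                 "network_form": str(iface.network)})
    return findings


def fix_to_hosts(entries):
    """Return a copy in which every flagged prefix becomes an exact /32 host match."""
    fixed = copy.deepcopy(entries)
    by_name = {e["name"]: e for e in fixed}
    for f in lint_policy(fixed):
        by_name[f["entry"]]["match"][f["field"]] = f["host_form"]
    return fixed


def first_match(entries, src, dst):
    """Top-to-bottom first-match evaluation of (src, dst); returns (entry, action).
    Assumption: each prefix is read as a network (strict=False). Hardware handling
    of a prefix with host bits set is not modelled; under this reading the /24 host
    entries all cover the same subnet, so every one after the first is shadowed."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for e in entries:
        hit = True
        for field, value in e["match"].items():
            addr = src if field == "source-address" else dst
            if addr not in ipaddress.ip_network(value, strict=False):
                hit = False
                break
        if hit:
            return e["name"], e["action"]
    return None, None


if __name__ == "__main__":
    entries = parse_policy(SAMPLE_POLICY)
    for f in lint_policy(entries):
        print(f"{f['entry']}: {f['field']} {f['value']} has host bits set; "
              f"use {f['host_form']} or {f['network_form']}")
    # Mareen's test: 192.168.221.75 -> 10.254.250.6, before and after the fix
    print("original:", first_match(entries, "192.168.221.75", "10.254.250.6"))
    print("fixed:", first_match(fix_to_hosts(entries), "192.168.221.75", "10.254.250.6"))
```

Run against the constructed sample, the linter reports both /24 destination entries; on the corrected policy, Mareen's test flow lands on usv2_coop as intended, while an unlisted host in the same subnet falls through to the permit entry.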

Mareen
New Contributor
Yes, sorry, it's not blocked. I tested it with a webserver on the destination, which shouldn't work, but it worked.

Why doesn't the ACL block the traffic?

I tested from 192.168.221.75 to 10.254.250.6 via port 80.

This should be denied by the ACL.

OscarK
Extreme Employee
If the traffic was blocked, you would not get connection refused. Connection refused means the destination received the packet but the port is not open or is blocked on that host. It does indicate the switch did not block your packet. Check the match statements to see if your packet really would be matched by a deny rule.
