ACL Basic

Create Date: May 3 2013 2:16PM

Hi, I'm not quite getting ACLs so far. I have a few VLANs, all with ipforwarding enabled and IPs for the VLANs:
vlan 1 10.10.1.0/24
vlan 2 10.10.2.0/24

I was hoping the following would allow ping from VLAN 1 to VLAN 2 but block all else, but it doesn't seem to work. Do I need to also allow the return traffic, or am I incorrect? So I create this policy (below) and configure it via:

configure access-list thepolicy vlan "Vlan 2"

Code:

@description "Allow ICMP ping"
entry ping_allow_echo_request
{
  if {
    protocol icmp;
    icmp-type echo-request;
    source-address 10.10.1.0/24;
  } then {
    permit;
  }
}
@description "Default block all"

entry deny_default_all {
  if {
  }
  then {
    deny;
  }
}
(from conrad_jones)
Create Date: May 3 2013 7:18PM

You have to allow the return as well. ACLs in XOS aren't stateful. If you allow the echo requests back, you should get the result you want.

(from Ansley_Barnes)
Create Date: May 5 2013 6:22PM

Got it working, added echo-reply for the same network but as the destination network.

Thank you.


Code:

@description "Allow ICMP ping"
entry ping_allow_echo_request
{
  if {
    protocol icmp;
    icmp-type echo-request;
    source-address 10.10.1.0/24;
  } then {
    permit;
  }
}
entry ping_allow_echo_reply
{
  if {
    protocol icmp;
    icmp-type echo-reply;
    destination-address 10.10.1.0/24;
  } then {
    permit;
  }
}

@description "Default block all"

entry deny_default_all {
  if {
  }
  then {
    deny;
  }
}


(from conrad_jones)
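To make the stateless point concrete, here is an added example (not from the thread and not ExtremeXOS code) that parses the two policies above in the thread's own entry syntax and evaluates both legs of a ping against them with first-match semantics. The host addresses 10.10.1.5 and 10.10.2.5 are constructed, and where the ACL is bound (the VLAN 2 ingress) is ignored; only the rule matching is modelled.

```python
import ipaddress
import re

# Constructed policies in the thread's syntax: the request-only version from the
# question, then the fix with the echo-reply entry inserted before the default deny.
REQUEST_ONLY = """
entry ping_allow_echo_request {
  if { protocol icmp; icmp-type echo-request; source-address 10.10.1.0/24; }
  then { permit; }
}
entry deny_default_all { if { } then { deny; } }
"""
REQUEST_AND_REPLY = REQUEST_ONLY.replace("entry deny_default_all", """entry ping_allow_echo_reply {
  if { protocol icmp; icmp-type echo-reply; destination-address 10.10.1.0/24; }
  then { permit; }
}
entry deny_default_all""")

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if\s*\{([^}]*)\}\s*then\s*\{\s*(permit|deny)\s*;\s*\}\s*\}")

def parse_policy(text):
    """Return [(name, {condition: value}, action)] in file order; first match wins."""
    entries = []
    for name, conds, action in ENTRY_RE.findall(text):
        match = dict(cond.split() for cond in conds.split(";") if cond.strip())
        entries.append((name, match, action))
    return entries

def _matches(match, pkt):
    # Every condition in the if-block must hold; an empty if-block matches anything.
    for key, value in match.items():
        if key.endswith("-address"):
            field = "src" if key == "source-address" else "dst"
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(value):
                return False
        elif pkt.get(key) != value:  # protocol, icmp-type
            return False
    return True

def evaluate(entries, pkt):
    """Stateless first-match lookup: no memory of the request an echo-reply answers."""
    for name, match, action in entries:
        if _matches(match, pkt):
            return action, name
    return "deny", "implicit"

# Both legs of a ping from VLAN 1 (10.10.1.5) to VLAN 2 (10.10.2.5); constructed.
REQUEST = {"protocol": "icmp", "icmp-type": "echo-request", "src": "10.10.1.5", "dst": "10.10.2.5"}
REPLY = {"protocol": "icmp", "icmp-type": "echo-reply", "src": "10.10.2.5", "dst": "10.10.1.5"}
```

Under the request-only policy the reply leg falls through to deny_default_all, which is exactly the "doesn't seem to work" symptom; a ping started from VLAN 2 is denied under both policies.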
