ACL, how to invert match condition

Create Date: Jun 19 2012 4:48AM

Is it possible to invert a match condition with an ACL?
E.g. I want to deny packets which are not coming from a specific IP address:
    entry denyExample {
        if {
            source-address NOT 1.2.3.4/32 ;
            more match conditions ;
        } then {
            deny ;
        }
    }
Is this missing in the XOS software, or is this a deficit with the hardware?

(from Hans-Werner_Paulsen)
Create Date: Jun 19 2012 5:13AM

I wouldn't claim to be an expert but wouldn't you just reverse the logic and permit traffic from the addresses?

As far as I am aware, while the default action for an *entry* is to permit, the default action for an ACL is to deny that which hasn't been matched.

(from David_Rickard)
Create Date: Jun 19 2012 5:46AM

If there is only ONE match condition, and ONE rule in the policy file, then one can simply reverse the logic. If you have more conditions this will not work.

(from Hans-Werner_Paulsen)
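Worked example of the ordering trick the two posts above are circling around. This is an added illustration, not a policy from either poster or from Extreme documentation. The original question only says "more match conditions", so the second condition (TCP to destination port 22) is an assumption made here for the sake of a concrete rule; the entry and counter names are likewise made up. The `#` lines are commentary for the reader; strip them if the policy parser on your release rejects them.

The intended rule is "deny if source is NOT 1.2.3.4/32 AND the packet is TCP/22". There is no NOT on a single condition, and simply reversing the one entry (permit if source IS 1.2.3.4/32 AND TCP/22, deny everything else) would also deny all traffic that is not TCP/22 at all, which is the multi-condition problem the follow-up post points out. Because entries are evaluated top down and the first match wins, the same rule can be expressed by listing the exception first and the general deny second:

```text
# Intended rule: deny TCP/22 unless it comes from 1.2.3.4/32.
# "NOT A AND B" is written as: (A AND B -> permit), then (B -> deny).

# 1. The exception: traffic that satisfies every condition AND comes
#    from the trusted source is permitted before the deny can match.
entry allow_ssh_from_mgmt {
    if match all {
        source-address 1.2.3.4/32;
        protocol tcp;
        destination-port 22;
    } then {
        permit;
        count ssh_from_mgmt;
    }
}

# 2. The general deny: every packet that matches the remaining
#    conditions but did not hit entry 1 has a source other than
#    1.2.3.4/32, which is exactly the "NOT source-address" case.
entry deny_ssh_from_others {
    if match all {
        protocol tcp;
        destination-port 22;
    } then {
        deny;
        count ssh_denied;
    }
}

# 3. Explicit catch-all so the outcome for everything else does not
#    depend on the platform's implicit default for unmatched packets.
entry permit_rest {
    if {
    } then {
        permit;
    }
}
```

The "more match conditions" must be repeated verbatim in both the exception entry and the deny entry; if they diverge, the deny entry starts catching traffic the exception never sees. The counters are there so you can verify on the box that each entry is being hit as expected before relying on the policy.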
