Basic Policy Based ACL

  • Question
  • Updated 2 years ago
  • Answered

Hi there,
Can anyone explain to me why this basic ACL policy does not work?
This is using XOS 22.2.15 on an X450-G2.


I want to emulate Cisco behaviour of permitting what I want with a deny at the bottom.

# Permit
entry 1.1 { if { source-address 192.168.132.0/26; destination-address 192.168.249.202/32;} then { permit; count Permit;}}

# Deny Everything Else
entry 2.1 { if {} then { deny; count Deny;}}

The access list is applied to a VLAN as follows:

configure access-list Test vlan "Data" ingress

It seems to drop all packets, I thought policies were supposed to process top down with packets until they get a match?

Thanks,
Mark


Mark Lamond

Posted 2 years ago

Nick Yakimenko
if match any
Jarek
Hi,

The last ACL entry will block all traffic, including ARP etc., on VLAN ingress.
You should for example add before the last entry:

entry ARP { if match all {    ethernet-type 0x0806 ;
} then {
    permit  ;
} }

and so on...


--
Jarek
Erik Auerswald, Embassador
Hi,

if you want to emulate an IPv4 router ACL, you should use a deny statement that denies IPv4 packets only:

entry 2.1 { if {source-address 0.0.0.0/0;} then { deny; count Deny;}}

Otherwise you will have problems with e.g. ARP as mentioned by Jarek.

Thanks,
Erik
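To illustrate the point made by Jarek and Erik above, here is a small first-match evaluator written for this thread (it is not EXOS code and not from any poster): it walks a policy top-down and shows that an empty `if {}` condition in the final deny also catches ARP, whereas `source-address 0.0.0.0/0` only catches IPv4. The frame and entry dictionaries, the sample frames and the implicit-permit default are my own assumptions for the demonstration.

```python
# Added example, not from the thread: a toy first-match evaluator for EXOS-style
# ACL entries. Entry/frame formats and sample frames are constructed for this demo.
import ipaddress

def match(entry, frame):
    """True if every condition of the entry matches the frame.
    An entry with no conditions matches everything, which is what 'if {}' does."""
    cond = entry["if"]
    if "ethernet-type" in cond and frame.get("ethertype") != cond["ethernet-type"]:
        return False
    for key in ("source-address", "destination-address"):
        if key in cond:
            # Non-IPv4 frames (e.g. ARP) carry no IP header, so an IP match fails.
            if frame.get("ethertype") != 0x0800:
                return False
            if ipaddress.ip_address(frame[key]) not in ipaddress.ip_network(cond[key]):
                return False
    return True

def evaluate(policy, frame):
    """Top-down, first match wins; assumed implicit permit when nothing matches."""
    for entry in policy:
        if match(entry, frame):
            return entry["then"]
    return "permit"

# Mark's original policy: the final entry has no conditions at all.
ORIGINAL = [
    {"if": {"source-address": "192.168.132.0/26",
            "destination-address": "192.168.249.202/32"}, "then": "permit"},
    {"if": {}, "then": "deny"},
]
# Jarek's variant: explicitly permit ARP before the catch-all deny.
JAREK = [ORIGINAL[0], {"if": {"ethernet-type": 0x0806}, "then": "permit"}, ORIGINAL[1]]
# Erik's variant: deny IPv4 only, so ARP and other non-IP frames still pass.
FIXED = [ORIGINAL[0], {"if": {"source-address": "0.0.0.0/0"}, "then": "deny"}]

# Constructed sample frames.
IPV4_OK = {"ethertype": 0x0800, "source-address": "192.168.132.10",
           "destination-address": "192.168.249.202"}
IPV4_BAD = {"ethertype": 0x0800, "source-address": "10.0.0.5",
            "destination-address": "192.168.249.202"}
ARP = {"ethertype": 0x0806}

if __name__ == "__main__":
    for name, frame in (("ipv4 allowed", IPV4_OK), ("ipv4 other", IPV4_BAD), ("arp", ARP)):
        print(f"{name:13s} original={evaluate(ORIGINAL, frame):6s} "
              f"jarek={evaluate(JAREK, frame):6s} fixed={evaluate(FIXED, frame)}")
```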
Mark Lamond

Thanks for the replies folks, now working as expected and making a lot more sense.

We use a lot of ACLs and are moving from Enterasys/Cisco to Extreme, so a lot to learn.

Thanks,
Mark



Erik Auerswald, Embassador
Hi Mark,

if you need to convert Cisco(-like) ACLs to EXOS you can try the IOS to EXOS ACL Convert Perl script. Simple IPv4 ACLs can be converted with E2X as well.

Thanks,
Erik
Erik Auerswald, Embassador
Hi Nick,

first a disclaimer: I did not test that my routing policies above really work...

My understanding is that "nlri any/X" without "exact" matches on any network with a prefix length of X or longer. Thus you can compose the policy to first deny the too-long prefixes, then allow the accepted prefix length range, and then deny anything not yet matched.

Example:
entry all_ipv6_05 {
  if {
    nlri any/49
  } then {
    deny
  }
}
entry all_ipv6_10 {
  if {
    nlri any/20
  } then {
    permit
  }
}
entry ipv6_out_15 {
  if {
    nlri any/0
  } then {
    permit
  }
}
That method should work for IPv4 as well.

Thanks,
Erik
Nick Yakimenko
That is a very good idea, but it does not work as expected
Line 3 : Failed argument value 49 is invalid
First of all, the first argument should be
nlri any-ipv6/49
Secondly, I tried to filter out /48 announcements from the uplink, so I modified the first argument to a /47.
Did a policy-refresh
Tried to disable and then re-enable the bgp-session, but still I can see /48 announcements from an uplink.
Erik Auerswald, Embassador
Thanks for testing. Sorry that it did not work. :-(
Nick Yakimenko
Thank you very much for the solution!
That was my typo:
I applied the policy like this
configure bgp neighbor 2001:db8::1 route-policy in allv6-in
and (again!) forgot about address-family ipv6-unicast
now it works as expected
Erik Auerswald, Embassador
Great that it works!

Thanks,
Erik