Block all but TCP by ACL on Extreme switch Summit300-48

  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)

I'm trying to understand the access list mechanism on the Extreme switch Summit300-48. I want to deny anything but TCP on a specific port, so I set the following commands:

create access-mask port_mask ports precedence 25000
create access-list denyall port_mask ports 1:43 deny
create access-mask ipproto_mask ip-protocol ports precedence 15000
create access-list allowTCP ipproto_mask ip-protocol TCP ports 1:43 permit

And it doesn't work. It looks like all incoming traffic on port 1:43 is blocked. ACLs generally work on this switch; for example, I could block all TCP and open it only for a specific IP. What am I doing wrong? Please help.

Andrzej Kenig

Posted 2 years ago

Frank

I really don't know exactly how those access-lists/masks work, but shouldn't you also allow ARP on that port?
I've accidentally blocked ARP before, and the results weren't pretty ;)

Henrique, Employee

Hello Andrzej, I agree with Frank. When using a "denyall" rule you might be blocking ARP packets as well.

I would suggest that you add the following rule and test again:

create access-mask allowarpmask ethertype ports precedence 1000
create access-list allowarp access-mask allowarpmask ethertype 0x0806 ports 1:43 permit
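
As an added illustration (not part of the thread, and not ExtremeWare code), the small Python model below evaluates the three rules discussed above in access-mask precedence order and shows why the catch-all deny also drops ARP until Henrique's ethertype 0x0806 permit is added. It assumes a lower precedence number is evaluated first (consistent with 1000 < 15000 < 25000 in the thread) and that a frame matching no rule is forwarded; frame values are constructed for the demonstration.

```python
# Added example: precedence-ordered ACL evaluation modelled after the thread.
# Assumption: a lower precedence number is evaluated first, as the thread's
# numbers (1000 for ARP, 15000 for TCP, 25000 for deny-all) suggest.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_TCP = 6
IPPROTO_UDP = 17

@dataclass(frozen=True)
class Frame:
    ethertype: int
    ip_protocol: Optional[int] = None  # only meaningful for IPv4 frames

@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int                     # taken from the rule's access-mask
    match: Callable[[Frame], bool]
    action: str                         # "permit" or "deny"

def evaluate(rules: List[Rule], frame: Frame) -> str:
    """Return the action of the first matching rule in precedence order."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.match(frame):
            return rule.action
    return "permit"  # assumption: unmatched frames are forwarded normally

# The two rules from the original post: deny everything, permit TCP.
BASE_RULES = [
    Rule("denyall", 25000, lambda f: True, "deny"),
    Rule("allowTCP", 15000,
         lambda f: f.ethertype == ETHERTYPE_IPV4 and f.ip_protocol == IPPROTO_TCP,
         "permit"),
]
# Henrique's addition: permit ARP (ethertype 0x0806) ahead of the deny-all.
ARP_RULE = Rule("allowarp", 1000, lambda f: f.ethertype == ETHERTYPE_ARP, "permit")

def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Run constructed sample frames (TCP, UDP, ARP) through the rule set."""
    traffic = {
        "tcp": Frame(ETHERTYPE_IPV4, IPPROTO_TCP),
        "udp": Frame(ETHERTYPE_IPV4, IPPROTO_UDP),
        "arp": Frame(ETHERTYPE_ARP),
    }
    return {name: evaluate(rules, frame) for name, frame in traffic.items()}

if __name__ == "__main__":
    print("without ARP rule:", verdicts(BASE_RULES))
    print("with ARP rule:   ", verdicts(BASE_RULES + [ARP_RULE]))
```

Without the ARP rule the host can only talk until its cached ARP entry expires, which matches the "works for a few seconds" behaviour reported later in the thread.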

Andrzej Kenig

It works! Right after adding your rules, Henrique, it works like it should.

In fact, without ARP allowed it was working for a few seconds, until the host forgot its local ARP table entry. Now it works with no problems.

Thank you very much!

Henrique, Employee

Hi Andrzej, glad to hear that worked!

Thanks for the feedback.