Convert Cisco ACL into Extreme Summit X440

access-list 10 permit 172.16.66.246
access-list 10 permit 172.16.66.241
access-list 10 permit 172.16.72.110
access-list 10 permit 172.16.72.84
access-list 10 permit 172.168.202.100
access-list 10 permit 172.16.72.17


This is Cisco code and I want this code for the Extreme X440. Please guide me and give me the code in detail.
zain mallick

Posted 2 years ago

Kawawa, GTAC
Extreme ACLs take on the following form:
entry <entry-name> { if { condition ; } then { action ; } }
For example:
entry ACL-1 { if { source-address 172.16.66.246 ; } then { permit ; } }
The following article contains more details including additional match conditions: How to create and apply an ACL in EXOS
Martin Flammia
Never tried it, or know how useful it would be in this situation, but there is a module you can install that allows you to put Cisco-like commands into EXOS:

https://gtacknowledge.extremenetworks.com/articles/How_To/Cisco-commands-configuration-in-Extreme-device
Erik Auerswald, Embassador
Hello Zain,

simple IOS-like ACLs can be converted to EXOS using E2X (https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-convert-EOS-configurations-to-EXOS-...). More complex IOS ACLs can be converted to EXOS using IOStoEXOSACL (https://github.com/extremenetworks/ExtremeScripting/blob/master/EXOS/Perl/IOStoEXOSACL).

I used E2X to convert your ACL to the following policy file:

# acl_10.pol
entry 10 {
  if {
    source-address 172.16.66.246/255.255.255.255;
  } then {
    permit;
  }
}
entry 20 {
  if {
    source-address 172.16.66.241/255.255.255.255;
  } then {
    permit;
  }
}
entry 30 {
  if {
    source-address 172.16.72.110/255.255.255.255;
  } then {
    permit;
  }
}
entry 40 {
  if {
    source-address 172.16.72.84/255.255.255.255;
  } then {
    permit;
  }
}
entry 50 {
  if {
    source-address 172.168.202.100/255.255.255.255;
  } then {
    permit;
  }
}
entry 60 {
  if {
    source-address 172.16.72.17/255.255.255.255;
  } then {
    permit;
  }
}
# next entry added to match EOS ACL implicit deny
entry 70 {
  if {
    source-address 0.0.0.0/0;
  } then {
    deny;
  }
}

Best regards,
Erik
Erik Auerswald, Embassador
Hi Matthew,

where can I find that ACL converter version? The code at GitHub does not support creation of dynamic EXOS ACLs.

Thanks,
Erik
Siva
Hi Matthew

I know this is an old post. I came across it and am doing a similar configuration, converting an IOS access list to an EXOS ACL, and I have been stuck for many days now.
Can you please help me? If I want to convert the configuration below using dynamic ACLs, how can I do it? Find the access list below.

interface Vlan221
description DEV-01
ip address 10.8.221.1 255.255.255.0
ip access-group DEV-01-ACL in
ip access-group DEV-01-ACL out
no ip redirects
no ip proxy-arp
ip wccp web-cache redirect in
ip flow ingress
ip route-cache policy
logging event link-status
load-interval 30
snmp ifindex persist
arp timeout 20
hold-queue 100 out
!

!
ip access-list extended DEV-01-ACL
 permit ip 10.8.2.0 0.0.0.255 10.8.220.0 0.0.0.255
 permit ip 10.8.221.0 0.0.0.255 10.8.2.0 0.0.0.255
 permit ip 10.8.221.0 0.0.0.255 10.8.5.0 0.0.0.255
 permit ip 10.8.221.0 0.0.0.255 10.8.7.0 0.0.0.255
 deny   ip 10.8.221.0 0.0.0.255 10.8.0.0 0.0.15.255
 permit ip any any log
Erik Auerswald, Embassador
Hi,

using the IOStoEXOSACL converter script I get:
create access-list DEV-01-ACL_1 "source-address 10.8.2.0 mask 255.255.255.0; destination-address 10.8.220.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_2 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.2.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_3 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.5.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_4 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.7.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_5 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.0.0 mask 255.255.240.0;" "deny;"
create access-list DEV-01-ACL_6 " " "permit; log;"
You would then need to configure all 6 dynamic ACLs to apply to the ports / vlan.

HTH,
Erik
Siva
Thanks Erik
Do I need to download the IOStoEXOSACL converter script?
Erik Auerswald, Embassador
The converter script is a tool you can use on any computer with Perl to convert an IOS ACL to an EXOS ACL. It is not installed or used on the switch.

Information about converting an ACL from IOS to EXOS can be found in this thread and in GTAC Knowledge: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Convert-a-Cisco-IOS-Access-List-for...
Ryan Mathews, Alum
Incredible thread guys.  Lots of great stuff going on here.  Well done!
zain mallick
I am a little bit confused about which code to follow...
Matthew Helm, Employee
Let me know how I can help.
zain mallick
Thanks, sir, for your kindness.


access-list 10 permit 172.16.66.246
access-list 10 permit 172.16.66.241
access-list 10 permit 172.16.72.110
access-list 10 permit 172.16.72.84
access-list 10 permit 172.168.202.100
access-list 10 permit 172.16.72.17


Sir, this is Cisco code, and I want this code in XOS...
Matthew Helm, Employee
So, I've lost track of this thread, and I don't remember where my latest Perl IOS to EXOS ACL converter is on the Extreme GTAC sites, but here is a Dropbox link:

https://www.dropbox.com/s/ax91033mv7owobl/aclconverter_0_19.pl?dl=0

I put the ACL lines in a txt file (ACLlist.txt) and converted it to a dynamic ACL using the -d flag.

$ perl aclconverter_0_19.pl ACLlist.txt -d

create access-list acl_10_1 "source-address 172.16.66.246/32;" "permit;"

create access-list acl_10_2 "source-address 172.16.66.241/32;" "permit;"

create access-list acl_10_3 "source-address 172.16.72.110/32;" "permit;"

create access-list acl_10_4 "source-address 172.16.72.84/32;" "permit;"

create access-list acl_10_5 "source-address 172.168.202.100/32;" "permit;"

create access-list acl_10_6 "source-address 172.16.72.17/32;" "permit;"

You can > that output to a file or just copy it from the term into the CLI of the EXOS switch.

Each line must be applied to a port or VLAN or any as ingress individually.

Hope this helps.

--Matt
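
Added example, not part of any post in this thread and not the code of IOStoEXOSACL, E2X or aclconverter: a Python version of the conversion discussed above that turns IOS wildcard masks into prefixes and appends the explicit final deny that Erik's policy file adds as entry 70, because an IOS ACL ends with an implicit deny and an EXOS ACL does not. The function names are hypothetical, and it assumes only permit/deny rules for protocol `ip` (or standard ACL entries) and the `/prefix` notation shown in the dynamic ACL output above.

```python
import ipaddress

def wildcard_to_prefix(wildcard):
    """IOS wildcard mask -> prefix length; reject masks with no CIDR equivalent."""
    bits = int(ipaddress.IPv4Address(wildcard))
    if bits & (bits + 1):  # only 0...01...1 patterns map to a prefix
        raise ValueError(f"non-contiguous wildcard mask: {wildcard}")
    return 32 - bits.bit_length()

def parse_addr(tok):
    """Consume one address spec (any | host A | A [wildcard]); None means any."""
    first = tok.pop(0)
    if first == "any":
        return None
    if first == "host":
        return tok.pop(0) + "/32"
    if tok and tok[0][0].isdigit():
        return f"{first}/{wildcard_to_prefix(tok.pop(0))}"
    return first + "/32"  # standard ACL entry without a wildcard is one host

def ios_to_exos(name, lines):
    """Return EXOS dynamic-ACL commands for IOS permit/deny rules (protocol ip only)."""
    out, catch_all = [], False
    for line in lines:
        tok = line.split()
        if tok[0] == "access-list":  # numbered form: drop "access-list <number>"
            tok = tok[2:]
        action = tok.pop(0)
        extended = tok[0] == "ip"
        if extended:
            tok.pop(0)
        elif tok[0] not in ("any", "host") and not tok[0][0].isdigit():
            raise ValueError(f"unsupported rule: {line.strip()}")
        src = parse_addr(tok)
        dst = parse_addr(tok) if extended else None
        match = [f"{k}-address {v};" for k, v in (("source", src), ("destination", dst)) if v]
        catch_all = catch_all or not match
        cond = " ".join(match) or " "  # a blank condition matches every packet
        act = action + ";" + (" log;" if "log" in tok else "")
        out.append(f'create access-list {name}_{len(out) + 1} "{cond}" "{act}"')
    if not catch_all:  # IOS ends with an implicit deny; EXOS permits unmatched traffic
        out.append(f'create access-list {name}_{len(out) + 1} "source-address 0.0.0.0/0;" "deny;"')
    return out

# Rules copied from the ACLs posted in this thread.
ACL_10 = ["access-list 10 permit 172.16.66.246", "access-list 10 permit 172.16.66.241"]
DEV_01 = ["deny   ip 10.8.221.0 0.0.0.255 10.8.0.0 0.0.15.255", "permit ip any any log"]
if __name__ == "__main__":
    print("\n".join(ios_to_exos("acl_10", ACL_10) + ios_to_exos("DEV-01-ACL", DEV_01)))
```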



Martin Flammia
If it's any help, I have created a post on how to create EXOS ACLs. It's not definitive and still needs a little more work, but it might help.

http://www.extremenetworks.guru/exos-acls/