creating acl

welisson
New Contributor III
Hello everyone,

I'm creating an ACL on the X460; however, I'd like to permit a bit of traffic and block any other access to that specific service, like the ACL below.

edit policy acl_input

entry permit_telnet {
    if match any {
        destination-address 192.168.3.29/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 23;
    }
    then {
        permit;
    }
}

entry permit_bgp {
    if match any {
        destination-address 1.3.4.5/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 179;
    }
    then {
        permit;
    }
}

entry permit_icmp {
    if match any {
        protocol icmp;
        source-address 192.168.3.10;
    }
    then {
        permit;
    }
}

entry block_all {
    if match all {
        source-address 192.168.3.10;
    }
    then {
        deny;
    }
}


The question is, when I applied it I lost all connection to the switch; however, I'd like to permit a few IPs and services and, after doing that, block all access to the switch that isn't permitted.

Please, how can I create this ACL?

Thanks

13 REPLIES

Jarek
New Contributor II
Hi,

Where do you apply the policy? Can you give more details?
Maybe you are connecting to the switch from 192.168.3.10?
Do you have any other ACLs on the switch?

--
Jarek

welisson
New Contributor III
Hello Jarek.

It's exactly what I wish. I need match all.

Somehow, what I concluded is that this table, "Prefix Range Example", doesn't work as expected.

If anyone at Extreme wishes to do more tests, I'm available to go ahead with it.

Jarek
New Contributor II
Welisson, I forgot to add one thing about the entry.

entry bgp_filter-10 {
    if match any {
        nlri any/20 max 24;
        as-path "^56789$";
    }
    then {
        permit;
        local-preference 750;
    }
}

"if match any" means: if any of those two conditions is true, a match occurs.
In this case all prefixes /XX will be true for as-path "^56789$", plus prefixes /20 to /24.

If you change this to "if match all" (which is the default), then all match conditions must be true,
and you will have prefixes /20 - /24 in AS 56789.

--
Jarek
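To make the "match any" versus "match all" distinction concrete for both the ACL in the opening post and the BGP entry above, here is a small evaluator I added for this thread. It is not EXOS code and not from Extreme or the posters; it models an entry as a list of conditions combined with OR ("any") or AND ("all"), and returns the first matching entry's action, in the spirit of a first-match policy. Assumptions of mine: the bare `source-address 192.168.3.10` is treated as a /32 host, `nlri any/20 max 24` is read as "prefix length between 20 and 24" exactly as Jarek describes it, and the sample packets and routes are constructed for illustration.

```python
import re
from ipaddress import ip_address, ip_network

# Illustrative model of ExtremeXOS-style policy entries (added example, not EXOS code).
# An entry is (name, mode, [conditions], action); mode "any" is OR, "all" is AND.
# Each condition is a predicate over a subject dict: a packet for ACL entries,
# a BGP route for route-policy entries.


def source_address(net):
    net = ip_network(net, strict=False)          # assumption: bare host treated as /32
    return lambda s: ip_address(s["src"]) in net


def destination_address(net):
    net = ip_network(net, strict=False)
    return lambda s: ip_address(s["dst"]) in net


def protocol(name):
    return lambda s: s["proto"] == name


def destination_port(port):
    return lambda s: s.get("dport") == port


def nlri(min_len, max_len=None):
    # "nlri any/20 max 24" read as: prefix length between 20 and 24 inclusive.
    hi = max_len if max_len is not None else min_len
    return lambda s: min_len <= ip_network(s["prefix"]).prefixlen <= hi


def as_path(regex):
    pat = re.compile(regex)
    return lambda s: pat.search(s["as_path"]) is not None


def entry_matches(mode, conditions, subject):
    results = [cond(subject) for cond in conditions]
    return any(results) if mode == "any" else all(results)


def evaluate(policy, subject, mode_override=None):
    """Return (entry_name, action) of the first matching entry, or None if no entry matched.

    mode_override lets the same policy be replayed as if every entry said "any" or "all".
    """
    for name, mode, conditions, action in policy:
        if entry_matches(mode_override or mode, conditions, subject):
            return name, action
    return None


# The opening post's ACL, as written (permit entries use "match any").
ACL_INPUT = [
    ("permit_telnet", "any",
     [destination_address("192.168.3.29/32"), source_address("192.168.3.10/32"),
      protocol("tcp"), destination_port(23)], "permit"),
    ("permit_bgp", "any",
     [destination_address("1.3.4.5/32"), source_address("192.168.3.10/32"),
      protocol("tcp"), destination_port(179)], "permit"),
    ("permit_icmp", "any",
     [protocol("icmp"), source_address("192.168.3.10/32")], "permit"),
    ("block_all", "all",
     [source_address("192.168.3.10/32")], "deny"),
]

# Jarek's BGP entry, as written ("match any").
BGP_FILTER = [
    ("bgp_filter-10", "any",
     [nlri(20, 24), as_path("^56789$")], "permit; local-preference 750"),
]

# Constructed sample packets and routes.
SSH_FROM_ELSEWHERE = {"src": "10.0.0.5", "dst": "192.168.3.29", "proto": "tcp", "dport": 22}
TELNET_FROM_ADMIN = {"src": "192.168.3.10", "dst": "192.168.3.29", "proto": "tcp", "dport": 23}
SSH_FROM_ADMIN = {"src": "192.168.3.10", "dst": "192.168.3.29", "proto": "tcp", "dport": 22}
ROUTE_28_FROM_56789 = {"prefix": "10.1.2.0/28", "as_path": "56789"}
ROUTE_22_FROM_56789 = {"prefix": "10.1.0.0/22", "as_path": "56789"}
ROUTE_22_FROM_OTHER = {"prefix": "10.1.0.0/22", "as_path": "64500"}


if __name__ == "__main__":
    # With "any", a single true condition (protocol tcp) is enough to permit unrelated traffic.
    print("ACL as written, SSH from elsewhere:", evaluate(ACL_INPUT, SSH_FROM_ELSEWHERE))
    # Replayed with "all", only the intended telnet flow is permitted and the rest from .10 is denied.
    print("ACL with all, telnet from .10:", evaluate(ACL_INPUT, TELNET_FROM_ADMIN, "all"))
    print("ACL with all, SSH from .10:", evaluate(ACL_INPUT, SSH_FROM_ADMIN, "all"))
    # BGP: with "any", the as-path alone pulls in a /28; with "all", only /20-/24 from AS 56789.
    print("BGP as written, /28 from 56789:", evaluate(BGP_FILTER, ROUTE_28_FROM_56789))
    print("BGP with all, /28 from 56789:", evaluate(BGP_FILTER, ROUTE_28_FROM_56789, "all"))
    print("BGP with all, /22 from 56789:", evaluate(BGP_FILTER, ROUTE_22_FROM_56789, "all"))
```

Replaying the same entries under both modes shows why "any" is the wrong combinator when an entry lists several conditions that are all meant to hold: one true condition is enough to match, so the permit entries become far broader than intended, and the BGP entry tags every prefix from AS 56789 regardless of length, which is what the later reply in this thread observes.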

welisson
New Contributor III
Hi @Jarek,

I have done it; however, when I applied this rule it marked all prefixes from /20 to /32 with local-preference 750. In that case I believe that I should create a rule blocking /25, like "nlri any/25;", coming in from ASN 56789, and then apply another policy setting up the local-preference, because I'm seeing that Prefix Range doesn't work as it should.

So, I applied the rules below to work as I wish.

entry bgp_filter-0 {
    if match any {
        nlri any/25;
        as-path "^56789$";
    }
    then {
        deny;
    }
}

entry bgp_filter-3 {
    if match any {
        as-path "^56789$";
    }
    then {
        local-preference 750;
    }
}

and the next rules are the same.

Is prefix range working as hoped? That is my doubt.