Creating ACL

  • Question
  • Updated 3 years ago
  • Answered
Hello everyone,

I'm creating an ACL on the X460; however, I'd like to permit some traffic and block any other access to that specific service, like the ACL below.

edit policy acl_input

entry permit_telnet {
        if match any {
                destination-address 192.168.3.29/32;
                source-address 192.168.3.10;
                protocol tcp;
                destination-port 23;
        } then {
                permit;
        }
}

entry permit_bgp {
        if match any {
                destination-address 1.3.4.5/32;
                source-address 192.168.3.10;
                protocol tcp;
                destination-port 179;
        } then {
                permit;
        }
}

entry permit_icmp {
        if match any {
                protocol icmp;
                source-address 192.168.3.10;
        } then {
                permit;
        }
}

entry block_all {
        if match all {
                source-address 192.168.3.10;
        } then {
                deny;
        }
}

The question is, when I applied it I lost all connection to the switch; however, I'd like to permit a few IPs and services and, after that, block all access to the switch that isn't permitted.

Please, how can I create this ACL?

Thanks

welisson


Posted 3 years ago


Jarek

Hi,

Where do you apply the policy? Can you give more details?
Maybe you are connecting to the switch from 192.168.3.10?
Do you have any other ACL on the switch?

--
Jarek

welisson

After I read this guide and found "Prefix Range Examples", I configured my route-policy as below:

entry bgp_filter {
        if match any {
                as-path "15123";
        } then {
                permit;
                local-preference 800;
        }
}

entry bgp_filter-05 {
        if match any {
                as-path "1234";
        } then {
                permit;
                local-preference 450;
        }
}

entry bgp_filter-10 {
        if match any {
                nlri any/20 max 24;
                as-path "^56789$";
        } then {
                permit;
                local-preference 750;
        }
}

entry bgp_filter-100 {
        if match all {
        } then {
                deny;
        }
}

At entry bgp_filter-10 I want to permit all prefixes from /20 to /24, but when I run refresh on my policy I can't see this filter being fully applied; that is, I still see prefixes from /20 to /32 with the local-preference being applied.

What is the better way to build this rule?

Jarek

Insert rule "bgp_filter-10" at the top of this policy.

--
Jarek

welisson

Hi @Jarek,

I have done it; however, when I applied this rule it marked all prefixes from /20 to /32 with local-preference 750. In that case I believe I should create a rule blocking /25, like "nlri any/25;", coming from ASN 56789, and then apply another policy setting the local-preference, because I'm seeing that Prefix Range doesn't work as it should.

So, I applied the rule like below to work as I wish.

entry bgp_filter-0 {
        if match any {
                nlri any/25;
                as-path "^56789$";
        } then {
                deny;
        }
}

entry bgp_filter-3 {
        if match any {
                as-path "^56789$";
        } then {
                local-preference 750;
        }
}

and the next rules are the same.

Is prefix range working as hoped? That is my doubt.

Jarek

Welisson, I forgot to add one thing about the entry.

entry bgp_filter-10 {
        if match any {
                nlri any/20 max 24;
                as-path "^56789$";
        } then {
                permit;
                local-preference 750;
        }
}


"if match any" means: if any of those two conditions is true, a match occurs.
In this case all prefixes /XX will be true for as-path "^56789$", plus prefixes /20 to /24.

If you change this to "if match all" (which is the default), then all match conditions must be true,
and you will have prefixes /20 - /24 in AS 56789.

--
Jarek
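To make the "if match any" versus "if match all" point above concrete, here is an added Python model of that evaluation (not Extreme's code, and not a full implementation of the EXOS policy language; it handles only "nlri any/N [max M]" and "as-path" conditions, and treats a bare "any/N" as exactly length N, which is an assumption of the model). It runs the bgp_filter-10 entry from this thread, followed by the deny catch-all, over three constructed routes under both modes. The same semantics explain why the "if match any" permit entries in the original ACL, each of which lists several conditions, match far more traffic than one condition alone would.

```python
import ipaddress
import re

# Toy evaluator for the match semantics of ExtremeXOS-style policy entries.
# Constructed for illustration: it models only "nlri any/N [max M]" and
# "as-path" conditions and is not the switch's own implementation.


def nlri_matches(spec, prefix):
    """Return True if the route's prefix length falls in the nlri range.

    'any/20 max 24' covers lengths 20..24.  A bare 'any/N' is treated here as
    exactly length N (an assumption of this model, not a documented rule).
    """
    m = re.fullmatch(r"any/(\d+)(?:\s+max\s+(\d+))?", spec.strip())
    if not m:
        raise ValueError(f"unsupported nlri spec: {spec!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    length = ipaddress.ip_network(prefix, strict=False).prefixlen
    return low <= length <= high


def aspath_matches(regex, as_path):
    """Match the policy regex against the AS path rendered as a string."""
    return re.search(regex, " ".join(str(asn) for asn in as_path)) is not None


def entry_matches(entry, route):
    """Apply the entry's conditions under its 'any' or 'all' mode."""
    results = []
    for kind, spec in entry["match"]:
        if kind == "nlri":
            results.append(nlri_matches(spec, route["prefix"]))
        elif kind == "as-path":
            results.append(aspath_matches(spec, route["as_path"]))
        else:
            raise ValueError(f"unsupported condition: {kind}")
    if entry["mode"] == "any":
        return any(results)
    # 'all' with no conditions is the catch-all used by bgp_filter-100.
    return all(results)


def evaluate(policy, route):
    """Return (entry name, actions) of the first matching entry, or None."""
    for entry in policy:
        if entry_matches(entry, route):
            return entry["name"], entry["then"]
    return None


def build_policy(mode):
    """bgp_filter-10 from the thread with the given mode, then the deny catch-all."""
    return [
        {"name": "bgp_filter-10", "mode": mode,
         "match": [("nlri", "any/20 max 24"), ("as-path", "^56789$")],
         "then": {"permit": True, "local-preference": 750}},
        {"name": "bgp_filter-100", "mode": "all", "match": [],
         "then": {"permit": False}},
    ]


# Constructed sample routes (documentation prefixes, not real announcements).
ROUTES = [
    {"prefix": "203.0.112.0/22", "as_path": [56789]},          # in range, right AS
    {"prefix": "203.0.113.9/32", "as_path": [56789]},          # too long, right AS
    {"prefix": "198.51.100.0/22", "as_path": [64500, 56789]},  # in range, wrong path
]


def decisions(mode):
    """Map each sample prefix to the entry (and actions) that matched it."""
    policy = build_policy(mode)
    return {r["prefix"]: evaluate(policy, r) for r in ROUTES}


if __name__ == "__main__":
    for mode in ("any", "all"):
        print(f"if match {mode}:")
        for prefix, (name, actions) in decisions(mode).items():
            print(f"  {prefix:18} -> {name}: {actions}")
```

Under "any", the /32 route and the route with a longer AS path both hit bgp_filter-10 and receive local-preference 750, which is the behaviour reported in the thread; under "all", only the /22 originated by AS 56789 does, and the other two fall through to the deny entry.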

welisson

Hello Jarek.

It's exactly what I wish. I need match all.

Somehow what I concluded is that this table "Prefix Range Example" doesn't work as expected.

If anyone at Extreme wishes to do more tests, I'm available to go ahead with it.