EXOS ACL, Explicit, Match, Dynamic, Policy

  • Question
  • Updated 3 years ago
  • Answered

Have some specific questions about EXOS ACLs I am hoping someone can help with:

  1. Dynamic and Policy ACLs - do these have an explicit deny or permit at the end of each? I know I can create either/or but I'm not sure what the default process is and if it's the same for each type.
  2. If I create a Policy ACL with just an 'if' statement and NO match condition, i.e. 'match all', would it still match all elements in the statement like Source Address, Protocol and Port Number?
  3. What's the main difference and the reasons for creating ACLs as a policy rather than Dynamic, and vice versa? Here are some that I can think of:
  • Policy ACL: you can edit the rule, i.e. if you wanted to add a count to a rule, as opposed to a Dynamic ACL where you would have to remove the ACL and re-add it amended.
  • Dynamic ACLs help if you are used to writing them directly in the command line.
  • Dynamic ACLs: you can re-use rules per individual rule.
  • Policy ACLs: you can apply many rules at once with a single command.
Thanks in advance.




Martin Flammia


Posted 3 years ago


Grosjean, Stephane, Employee

Hi,

In case you didn't notice, we also have a dedicated ACL guide, in addition to our User Guide.

1. ACLs have an implicit default permit all, while Routing Policies have an implicit default deny all.
2. If you are referring to having 'match all' or 'match any' for a policy: if none is specified, it defaults to 'match all'.

Rdgs

Martin Flammia


Hi Stephane,

Thanks for replying.

I have read the ACL guide, but I think the confusion has come about because of a slight contradiction. So just to confirm your answer: are you saying that with examples 1 & 2 below there is a default permit all, and with example 3 there is a default deny all?

Example 1

test_policy1.pol

entry test_policy1 {
 if {
  source-address 25.25.25.1/32;
  destination-address 10.10.10.24/32;
  } then {
   deny;
  }
 }

configure access-list test_policy1 first port 1:1 ingress

Example 2

create access-list test_dynamic "source-address 25.25.25.1/32;destination-address 10.10.10.24/32;" "deny;"

configure access-list add test_dynamic first port 1:1 ingress


Example 3

entry test_PBR {
 if {
  nlri 22.16.0.0/14;
  } then {
   permit;
  }
 }

configure access-list test_PBR first port 1:1 ingress

----------------------

Also, one other thing just to clarify: do all these ACLs act on traffic by exiting on match, unlike policy in Enterasys where they keep going down the list?

Many thanks.

(Edited)

Paul Russo, Alum

Hey Martin

You are correct in your statements. This is the section from the user guide:
"The following is an example of a policy entry:"
"entry ip_entry {"
"if match any {"
"nlri 10.203.134.0/24;"
"nlri 10.204.134.0/24;"
"} then {"
"next-hop 192.168.174.92;"
"origin egp;"
"}"
"}"
"Policy entries are evaluated in order, from the beginning of the file to the end, as follows:"
"• If a match occurs, the action in the then statement is taken:"
"• if the action contains an explicit permit or deny, the evaluation process terminates."
"• if the action does not contain an explicit permit or deny, the action is an implicit permit, and the evaluation process terminates."
"• If a match does not occur, the next policy entry is evaluated."
"• If no match has occurred after evaluating all policy entries, the default action is deny."

In your third example, to apply the route-policy you need to use the configure bgp import-policy command, as shown below.


Applying route-policies

"To apply a routing policy, use the command appropriate to the client. Different protocols support"
"different ways to apply policies, but there are some generalities."
"Commands that use the keyword import-policy are used to change the attributes of routes installed"
"into the switch routing table by the protocol. These commands cannot be used to determine the routes"
"to be added to the routing table. The following are examples for the BGP and RIP protocols:"
"configure bgp import-policy [policy-name | none]"
"configure rip import-policy [policy-name | none]"

Grosjean, Stephane, Employee

I answered too fast and too lightly; I assumed something in your question.

Policies:

- There can be zero or one match type. If no match type is specified, the match type is all, so all match conditions must be satisfied
- There can be zero or more match conditions. If no match is specified, then every routing entity matches.
- There can be zero or more actions. If no action is specified, the packet is permitted by default.

Default action
Keep in mind the behavior of ExtremeXOS. If you don’t apply a routing policy, the default action is permit. In the same manner, if no action in a policy rule that matches is defined, the default action is also permit. However in a routing policy, the default action for anything that doesn’t match any entries is deny.

Policy entries are evaluated in order, from the beginning of the file to the end, as follows:
- If a match occurs, the action in the then statement is taken.
    o If the action contains an explicit permit or deny, the evaluation process terminates.
    o If the action doesn’t contain an explicit permit or deny, the action is an implicit permit, and the evaluation process terminates.
- If a match doesn’t occur, the next policy entry is evaluated.
- If no match has occurred after evaluating all policy entries, the default action is deny.

Grosjean, Stephane, Employee

Also, don't confuse ACLs with Policies (Routing Policies). They share the same syntax pre-processor but behave slightly differently; for instance, Routing Policies have a "match any" that is not available to ACLs.
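As an added illustration (not code from this thread, the user guide or Extreme Networks), the Python below models the first-match evaluation rules Stephane and Paul quoted: it parses the entry / if / then syntax used in the examples above and replays evaluation with the ACL default (permit) and the routing-policy default (deny), including the match all / match any distinction. The way nlri is matched (route prefix inside the configured prefix), the packet and route dictionaries, and the entry names are assumptions of this model, not EXOS behaviour; the deny_all entry shows how an explicit catch-all at the end of an ACL turns its implicit permit into a deny-by-default posture.

```python
import re
import ipaddress

# Constructed model of the evaluation rules quoted in this thread.
# Illustrative Python only, not EXOS code.
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if\s*(match\s+(?:all|any))?\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.S,
)


def parse_policy(text):
    """Return a list of entries: name, match type, conditions, actions."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        name, match_type, cond_text, action_text = m.groups()
        conditions = []
        for stmt in cond_text.split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, value = stmt.partition(" ")
                conditions.append((key, value.strip()))
        actions = [s.strip() for s in action_text.split(";") if s.strip()]
        entries.append({
            "name": name,
            # No match type given means 'match all': every condition must hold.
            "match": (match_type or "match all").split()[1],
            "conditions": conditions,
            "actions": actions,
        })
    return entries


def condition_matches(key, value, subject):
    """Test one condition against a packet (ACL) or route (routing policy) dict."""
    if key not in subject:
        return False
    if key in ("source-address", "destination-address"):
        return ipaddress.ip_address(subject[key]) in ipaddress.ip_network(value, strict=False)
    if key == "nlri":
        # Assumption of this model: a route matches when its prefix lies
        # within the configured prefix.
        return ipaddress.ip_network(subject[key]).subnet_of(ipaddress.ip_network(value, strict=False))
    return str(subject[key]) == value


def evaluate(entries, subject, kind):
    """First-match evaluation; kind is 'acl' or 'routing-policy'.

    Returns (action, entry_name); entry_name is None when nothing matched
    and the implicit default for that kind was applied.
    """
    for entry in entries:
        results = [condition_matches(k, v, subject) for k, v in entry["conditions"]]
        if not results:
            matched = True            # no conditions: everything matches
        elif entry["match"] == "any":
            matched = any(results)
        else:
            matched = all(results)
        if matched:
            # An explicit permit/deny ends evaluation; a then-block without
            # one is an implicit permit and also ends evaluation.
            return ("deny" if "deny" in entry["actions"] else "permit", entry["name"])
    return ("permit" if kind == "acl" else "deny", None)


# Constructed sample policies, modelled on the examples in the thread.
ACL_TEXT = """
entry test_policy1 {
 if {
  source-address 25.25.25.1/32;
  destination-address 10.10.10.24/32;
  } then {
   deny;
  }
 }
"""

# Same ACL with an explicit catch-all deny appended, which is how an ACL
# gets a deny-by-default posture despite its implicit permit.
ACL_WITH_DENY_ALL = ACL_TEXT + """
entry deny_all {
 if {
  } then {
   deny;
  }
 }
"""

ROUTE_POLICY_TEXT = """
entry ip_entry {
 if match any {
  nlri 10.203.134.0/24;
  nlri 10.204.134.0/24;
  } then {
   next-hop 192.168.174.92;
   origin egp;
  }
 }
"""

if __name__ == "__main__":
    hit = {"source-address": "25.25.25.1", "destination-address": "10.10.10.24"}
    other = {"source-address": "25.25.25.2", "destination-address": "10.10.10.24"}
    print(evaluate(parse_policy(ACL_TEXT), hit, "acl"))             # ('deny', 'test_policy1')
    print(evaluate(parse_policy(ACL_TEXT), other, "acl"))           # ('permit', None)
    print(evaluate(parse_policy(ACL_WITH_DENY_ALL), other, "acl"))  # ('deny', 'deny_all')
    print(evaluate(parse_policy(ROUTE_POLICY_TEXT), {"nlri": "10.204.134.0/24"}, "routing-policy"))
    print(evaluate(parse_policy(ROUTE_POLICY_TEXT), {"nlri": "192.0.2.0/24"}, "routing-policy"))
```

Running it shows the two defaults side by side: the unmatched packet is permitted by the plain ACL and denied once deny_all is appended, while the unmatched route is denied by the routing policy with no extra entry needed.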

Martin Flammia


Many thanks for taking the time to reply, now all understood.



Bill Stritzinger, Alum

Here is a link to the guide for anyone else following the thread: http://extrcdn.extremenetworks.com/wp-content/uploads/2014/10/ACL_Solutions_Guide.pdf