How do I configure an access list to allow only one IP through ingress port?

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
    else {
        deny ;
    }
}


I am getting error:

Error: ACL install operation failed - conflicting actions


And where is "Extreme Networks Policy Manager"? I can't find it on extremenetworks.com.

ashish sharma

Posted 3 years ago
Alexandr P, Embassador
Hi, Ashish!

I think this will be better:

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
    if {
    }
    then {
        deny ;
    }
}

Thank you!
ashish sharma
I have applied the policy on ingress port.
Alexandr P, Embassador
What switch and what version of EXOS do you have?
ashish sharma
ExtremeXOS version 15.2.2.7
Summit X250e-24p
Brandon Clay, Escalation Support Engineer
Hi Ashish,

Does the host have an ARP entry for the default gateway? I suspect that this ACL is blocking ARP, since there is no IP header in an ARP packet. You could either switch to matching on the MAC address of the host, or add another entry to the ACL to permit ARP.

-Brandon
Drew C., Community Manager
Also, don't forget to permit the case where the destination IP is that of the host.
Patrick Voss, Employee
Hi Ashish,

What AlexandrP said is correct, except there should be another entry in there above the second if. Like so:

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
}

entry iprule2 {
    if {
    }
    then {
        deny ;
    }
}

Just in case this helps, here is an article written for ACLs:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS

You can place multiple entries in one policy but it will only trigger on one of them. This means that the order is important because it goes from top to bottom.
Prashanth KG, Employee
Hi Ashish,

I agree with the discussion above. We need to add separate entries to permit or deny the rest of the traffic. The rule1 above only matches the source IP address. So, the ARP packets could be dropped. If this is the only IP address that you would like to allow, the following ACL could be considered.

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
}

entry iprule2 {
    if {
        arp-sender-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
}

entry iprule3 {
    if {
    }
    then {
        deny ;
    }
}

If you want to allow ARP packets in general, the rule2 could be modified as below:

entry iprule2 {
    if {
        ethernet-type 0x0806 ;
    }
    then {
        permit ;
    }
}

Hope this helps!
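A small model of EXOS first-match ACL evaluation, written in Python as an added example (not from this thread or from Extreme Networks); it assumes that a packet matching no entry is forwarded (implicit permit) and uses three constructed frames to show why an IP-only entry cannot match the host's ARP frames, and why entry order matters.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

Packet = Dict[str, object]          # constructed frame: only the fields an ACL can test
HOST = "10.1.2.246"                 # the one host from the question


@dataclass
class Entry:
    """One 'entry name { if {...} then {...} }' block."""
    name: str
    action: str                     # "permit" or "deny"
    conditions: Dict[str, object] = field(default_factory=dict)

    def matches(self, pkt: Packet) -> bool:
        for key, want in self.conditions.items():
            have = pkt.get(key)
            if have is None:        # header absent: an ARP frame has no IP source
                return False
            if key in ("source-address", "arp-sender-address"):
                if ip_address(have) not in ip_network(want):
                    return False
            elif have != want:
                return False
        return True                 # an empty "if { }" matches every packet


def evaluate(policy: List[Entry], pkt: Packet) -> str:
    """First matching entry decides; assumption: no match means forward (implicit permit)."""
    for entry in policy:
        if entry.matches(pkt):
            return entry.action
    return "permit"


# The three variants discussed in the thread, in the order the switch evaluates them.
POLICY_IP_ONLY = [Entry("iprule1", "permit", {"source-address": HOST + "/32"}),
                  Entry("iprule2", "deny")]
POLICY_HOST_ARP = POLICY_IP_ONLY[:1] + [
    Entry("iprule2", "permit", {"arp-sender-address": HOST + "/32"}),
    Entry("iprule3", "deny")]
POLICY_ANY_ARP = POLICY_IP_ONLY[:1] + [
    Entry("iprule2", "permit", {"ethernet-type": 0x0806}),
    Entry("iprule3", "deny")]

# Constructed sample frames: IP and ARP from the host, IP from a neighbour.
FRAMES = {"ip_from_host": {"ethernet-type": 0x0800, "source-address": HOST},
          "arp_from_host": {"ethernet-type": 0x0806, "arp-sender-address": HOST},
          "ip_from_other": {"ethernet-type": 0x0800, "source-address": "10.1.2.10"}}

def decisions(policy: List[Entry]) -> Dict[str, str]:
    return {label: evaluate(policy, frame) for label, frame in FRAMES.items()}
```

Running `decisions` over the IP-only policy shows the host's ARP being denied, while the policy with the `arp-sender-address` entry permits it and still denies the neighbour.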
ashish sharma

This solution works perfectly!!!!!

Thank you Mr. Prashant and everyone for your guidance :)