Header Only - DO NOT REMOVE - Extreme Networks
Question

ACL, how to invert match condition


Userlevel 4
Create Date: Jun 19 2012 4:48AM

Is it possible to invert a match condition with an ACL?
E.g. I want to deny packets which are not coming from a specific IP address:
code:
  entry denyExample {
      if {
          source-address NOT 1.2.3.4/32 ;
          more match conditions ;
      } then {
          deny ;
      }
  }
Is this missing in the XOS software, or is this a deficit with the hardware?

(from Hans-Werner_Paulsen)

2 replies

Userlevel 4
Create Date: Jun 19 2012 5:13AM

I wouldn't claim to be an expert but wouldn't you just reverse the logic and permit traffic from the addresses?

As far as I am aware, while the default action for an *entry* is to permit, the default action for an ACL is to deny that which hasn't been matched.

(from David_Rickard)

Userlevel 4
Create Date: Jun 19 2012 5:46AM

If there is only ONE match condition, and ONE rule in the policy file, then one can simply reverse the logic. If you have more conditions this will not work.

(from Hans-Werner_Paulsen)
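One way to get the effect of a negated source match with several conditions, using only the ordered first-match evaluation of an ExtremeXOS policy: permit the exception first, then deny whatever still matches the other conditions, then permit the rest. This is an added example, not from the thread or from Extreme's documentation; the tcp/22 conditions and the entry names are constructed stand-ins for the poster's "more match conditions".

```text
# Constructed example: "more match conditions" stand in as tcp/22.
# Goal: deny TCP/22 traffic unless it comes from 1.2.3.4/32.
# Entries are evaluated top-down; the first matching entry decides.

entry permit-ssh-from-trusted {
    if {
        source-address 1.2.3.4/32;
        protocol tcp;
        destination-port 22;
    } then {
        permit;
    }
}

entry deny-ssh-from-others {
    # Only reached by tcp/22 packets the entry above did not match,
    # i.e. those whose source is NOT 1.2.3.4/32.
    if {
        protocol tcp;
        destination-port 22;
    } then {
        deny;
    }
}

entry permit-rest {
    # Explicit catch-all so traffic outside the other conditions is
    # unaffected, whatever the ACL's default action turns out to be.
    if {
    } then {
        permit;
    }
}
```

Simply reversing the first entry to "permit from 1.2.3.4/32, deny everything else" would also drop all non-tcp/22 traffic, which is the problem the second reply points out; the middle entry is what restricts the deny to the other conditions.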
