
convert cisco acl in to extreme summit X440


access-list 10 permit 172.16.66.246
access-list 10 permit 172.16.66.241
access-list 10 permit 172.16.72.110
access-list 10 permit 172.16.72.84
access-list 10 permit 172.168.202.100
access-list 10 permit 172.16.72.17

This is Cisco code and I want this code in Extreme X440... Please guide me and give me the code in detail.

19 replies

Userlevel 5
Extreme ACLs take on the following form:

entry <name> { if { condition ; } then { action ; } }

for example

entry ACL-1 { if { source-address 172.16.66.246 ; } then { permit ; } }

The following article contains more details including additional match conditions: How to create and apply an ACL in EXOS
Userlevel 5
Never tried it, or know how useful it would be in this situation but there is a module you can install that allows you to put Cisco like commands into EXOS:

https://gtacknowledge.extremenetworks.com/articles/How_To/Cisco-commands-configuration-in-Extreme-device
Userlevel 7
Hello Zain,

simple IOS-like ACLs can be converted to EXOS using E2X (https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-convert-EOS-configurations-to-EXOS-...). More complex IOS ACLs can be converted to EXOS using IOStoEXOSACL (https://github.com/extremenetworks/ExtremeScripting/blob/master/EXOS/Perl/IOStoEXOSACL).

I used E2X to convert your ACL to the following policy file:

# acl_10.pol
entry 10 {
if {
source-address 172.16.66.246/255.255.255.255;
} then {
permit;
}
}
entry 20 {
if {
source-address 172.16.66.241/255.255.255.255;
} then {
permit;
}
}
entry 30 {
if {
source-address 172.16.72.110/255.255.255.255;
} then {
permit;
}
}
entry 40 {
if {
source-address 172.16.72.84/255.255.255.255;
} then {
permit;
}
}
entry 50 {
if {
source-address 172.168.202.100/255.255.255.255;
} then {
permit;
}
}
entry 60 {
if {
source-address 172.16.72.17/255.255.255.255;
} then {
permit;
}
}
# next entry added to match EOS ACL implicit deny
entry 70 {
if {
source-address 0.0.0.0/0;
} then {
deny;
}
}

Best regards,
Erik
Userlevel 6
Hi, just an observation:

For ingress ACL deny all rule you can skip (source-address 0.0.0.0/0).

That's mandatory only when using deny_all ACL for egress.

That means:

Deny All Ingress Rule:

entry deny_all_ingress {
if {
} then {
deny;
}
}

Deny All Egress Rule:

entry deny_all_egress {
if {
source-address 0.0.0.0/0;
} then {
deny;
}
}
Userlevel 7
Hello Henrique,

you need to be careful with the empty match statement!

The empty match statement matches any layer two frame (if the ACL is applied inbound). The IOS IPv4 ACL matches IPv4 packets only. At least this means different behaviour between IOS and EXOS. At worst it can break EAPS, ERPS, STP, LACP, ... and thus the network.

Erik
Userlevel 6
Hi Erik, good point. Thanks for that.

I forgot to mention that it's necessary to permit some traffic etypes before the deny all rule to allow protocols like ARP/DNS/DHCP. Also other L2 protocol frames that you mentioned.

Thanks again. 🙂
Userlevel 4
If it helps, you might also consider using "dynamic ACLs" instead of policy file based ACLs. The latest converter does both (using the -d flag):

$ perl aclconverter_0_19.pl simple.acl -d
create access-list acl_10_1 "source-address 172.16.66.246/32;" "permit;"
create access-list acl_10_2 "source-address 172.16.66.241/32;" "permit;"
create access-list acl_10_3 "source-address 172.16.72.110/32;" "permit;"
create access-list acl_10_4 "source-address 172.16.72.84/32;" "permit;"
create access-list acl_10_5 "source-address 172.168.202.100/32;" "permit;"
create access-list acl_10_6 "source-address 172.16.72.17/32;" "permit;"

And as mentioned above you would have to add either an egress deny all statement, or an ingress deny all statement:

create access-list indenyall " " "deny;"

create access-list outdenyall "source-address 0.0.0.0/0;" "deny;"

Dynamic ACLs are closer to IOS ACLs in that they are in the config and need to be applied to a port, VLAN, etc. For example using the ACL lines above:

configure access-list add acl_10_1 last ports 1 ingress
configure access-list add acl_10_2 last ports 1 ingress
configure access-list add acl_10_3 last ports 1 ingress
configure access-list add acl_10_4 last ports 1 ingress
configure access-list add acl_10_5 last ports 1 ingress
configure access-list add acl_10_6 last ports 1 ingress
configure access-list add indenyall last ports 1 ingress
Userlevel 7
Hi Matthew,

where can I find that ACL converter version? The code at GitHub does not support creation of dynamic EXOS ACLs.

Thanks,
Erik
Userlevel 1
Hi Matthew,

I know this is an old post. I came across it while doing a similar configuration, converting an IOS access list to an EXOS ACL, and I have been stuck for many days now.
Can you please help me? If I want to convert the configuration below using dynamic ACLs, how can I do it? Find the access list below.

interface Vlan221
 description DEV-01
 ip address 10.8.221.1 255.255.255.0
 ip access-group DEV-01-ACL in
 ip access-group DEV-01-ACL out
 no ip redirects
 no ip proxy-arp
 ip wccp web-cache redirect in
 ip flow ingress
 ip route-cache policy
 logging event link-status
 load-interval 30
 snmp ifindex persist
 arp timeout 20
 hold-queue 100 out
!
ip access-list extended DEV-01-ACL
 permit ip 10.8.2.0 0.0.0.255 10.8.220.0 0.0.0.255
 permit ip 10.8.221.0 0.0.0.255 10.8.2.0 0.0.0.255
 permit ip 10.8.221.0 0.0.0.255 10.8.5.0 0.0.0.255
 permit ip 10.8.221.0 0.0.0.255 10.8.7.0 0.0.0.255
 deny ip 10.8.221.0 0.0.0.255 10.8.0.0 0.0.15.255
 permit ip any any log
Userlevel 7
Hi,

using the IOStoEXOSACL converter script I get:
create access-list DEV-01-ACL_1 "source-address 10.8.2.0 mask 255.255.255.0; destination-address 10.8.220.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_2 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.2.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_3 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.5.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_4 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.7.0 mask 255.255.255.0;" "permit;"
create access-list DEV-01-ACL_5 "source-address 10.8.221.0 mask 255.255.255.0; destination-address 10.8.0.0 mask 255.255.240.0;" "deny;"
create access-list DEV-01-ACL_6 " " "permit; log;"

You would then need to configure all 6 dynamic ACLs to apply to the ports / vlan.

HTH,
Erik
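The two conversions shown in this thread (the numbered policy-file entries Erik produced for the standard `access-list 10`, and the `create access-list` dynamic ACL lines for the extended `DEV-01-ACL`) can be reproduced with a small script. The Python converter below is an added example; it is not part of this thread and is not Extreme's E2X or IOStoEXOSACL tool. It handles only standard numbered ACLs and named extended `ip` rules, turns IOS wildcard masks into prefixes, appends the implicit deny that EXOS lacks (skipped when the ACL already ends in an any/any rule), and, following Erik's warning above about empty match statements, writes `source-address 0.0.0.0/0;` instead of an empty match so the entry stays IPv4-only. The `ports 1` / `ingress` values in the bind commands are assumptions for the example.

```python
"""Convert simple Cisco IOS access lists to EXOS ACL syntax. Added example, not from
this thread and not Extreme's E2X or IOStoEXOSACL tools; covers standard numbered
ACLs and named extended 'ip' rules only."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str          # "permit" or "deny"
    src: Optional[str]   # "a.b.c.d/len", or None for "any"
    dst: Optional[str]
    log: bool = False

def wildcard_to_prefix(addr, wildcard):
    """IOS inverse mask -> 'addr/len'; None when the wildcard means 'any'."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    net = ipaddress.IPv4Network((addr, str(ipaddress.IPv4Address(mask))), strict=False)
    return None if net.prefixlen == 0 else str(net)

def _target(tokens, i):
    """Consume one IOS address spec at tokens[i]; return (prefix, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/32", i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():   # a wildcard follows
        return wildcard_to_prefix(tokens[i], tokens[i + 1]), i + 2
    return f"{tokens[i]}/32", i + 1   # bare address in a standard ACL = one host

def parse_ios_acl(text):
    """Return (acl name, [Rule]) for a standard numbered or named extended ACL."""
    name, rules = None, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("!"):   # IOS separator/comment lines
            continue
        t = line.split()
        if t[0] == "access-list":   # access-list 10 permit SRC [WILDCARD]
            name = f"acl_{t[1]}"
            rules.append(Rule(t[2], _target(t, 3)[0], None))
        elif t[:3] == ["ip", "access-list", "extended"]:
            name = t[3]
        elif t[0] in ("permit", "deny") and t[1] == "ip":   # permit ip SRC WC DST WC [log]
            src, i = _target(t, 2)
            dst, i = _target(t, i)
            rules.append(Rule(t[0], src, dst, log="log" in t[i:]))
        else:
            raise ValueError(f"unsupported line: {line}")
    if name is None:
        raise ValueError("no access-list header found")
    return name, rules

def match_terms(rule):
    terms = [f"source-address {rule.src};"] if rule.src else []
    if rule.dst:
        terms.append(f"destination-address {rule.dst};")
    if not terms:
        # An empty EXOS match hits every frame, IP or not (STP, LACP, ARP...), as noted
        # in the thread; 0.0.0.0/0 keeps the entry IPv4-only like IOS 'ip any any'.
        terms.append("source-address 0.0.0.0/0;")
    return terms

def action_terms(rule):
    return [f"{rule.action};"] + (["log;"] if rule.log else [])

def with_implicit_deny(rules):
    """IOS ends every ACL with an implicit deny; EXOS does not, so append one
    unless the last rule already matches all IPv4 traffic."""
    if rules and rules[-1].src is None and rules[-1].dst is None:
        return list(rules)
    return list(rules) + [Rule("deny", None, None)]

def to_policy_file(name, rules, step=10):
    """Render an EXOS policy (.pol) file with numbered entries."""
    out = [f"# {name}.pol"]
    for n, rule in enumerate(with_implicit_deny(rules), start=1):
        out += [f"entry {n * step} {{", "    if {"]
        out += [f"        {t}" for t in match_terms(rule)] + ["    } then {"]
        out += [f"        {t}" for t in action_terms(rule)] + ["    }", "}"]
    return "\n".join(out) + "\n"

def to_dynamic_acls(name, rules, target="ports 1", direction="ingress"):
    """'create access-list' commands plus the 'configure access-list add' lines that
    bind them in order; target and direction are assumptions for the example."""
    creates, binds = [], []
    for n, rule in enumerate(with_implicit_deny(rules), start=1):
        cond, act = " ".join(match_terms(rule)), " ".join(action_terms(rule))
        creates.append(f'create access-list {name}_{n} "{cond}" "{act}"')
        binds.append(f"configure access-list add {name}_{n} last {target} {direction}")
    return creates + binds

# Constructed sample input, using ACL lines posted in this thread.
STANDARD_ACL = """access-list 10 permit 172.16.66.246
access-list 10 permit 172.16.66.241
access-list 10 permit 172.16.72.110
"""
EXTENDED_ACL = """ip access-list extended DEV-01-ACL
 permit ip 10.8.2.0 0.0.0.255 10.8.220.0 0.0.0.255
 deny ip 10.8.221.0 0.0.0.255 10.8.0.0 0.0.15.255
 permit ip any any log
"""
```

`to_policy_file(*parse_ios_acl(STANDARD_ACL))` reproduces the numbered entries Erik posted, with a trailing `deny` entry because the IOS list has no explicit catch-all; `to_dynamic_acls(*parse_ios_acl(EXTENDED_ACL))` emits the `create access-list` lines followed by the `configure access-list add ... last` binds, and adds no extra deny because `permit ip any any log` already ends the list. Non-contiguous wildcards raise from `ipaddress`, since they cannot be expressed as a prefix.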
Userlevel 1
Thanks Erik
Do I need to download the IOStoEXOSACL converter script?
Userlevel 7
The converter script is a tool you can use on any computer with Perl to convert an IOS ACL to an EXOS ACL. It is not installed or used on the switch.

Information about converting an ACL from IOS to EXOS can be found in this thread and in GTAC Knowledge: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-Convert-a-Cisco-IOS-Access-List-for...
Userlevel 6
Incredible thread guys. Lots of great stuff going on here. Well done!
I'm a little bit confused about which code I should follow...
Userlevel 4
Let me know how I can help.
Matthew Helm wrote:

Let me know how I can help.

Thanks sir for your kindness.

access-list 10 permit 172.16.66.246
access-list 10 permit 172.16.66.241
access-list 10 permit 172.16.72.110
access-list 10 permit 172.16.72.84
access-list 10 permit 172.168.202.100
access-list 10 permit 172.16.72.17

Sir, this is Cisco code, and I want this code in XOS....
Userlevel 4
So, I've lost track of this thread, and I don't remember where my latest perl IOS to EXOS ACL converter is on the Extreme GTAC sites, but here is a dropbox link:

https://www.dropbox.com/s/ax91033mv7owobl/aclconverter_0_19.pl?dl=0

I put the ACL lines in a txt file (ACLlist.txt) and converted it to a dynamic ACL using the -d flag.

$ perl aclconverter_0_19.pl ACLlist.txt -d
create access-list acl_10_1 "source-address 172.16.66.246/32;" "permit;"
create access-list acl_10_2 "source-address 172.16.66.241/32;" "permit;"
create access-list acl_10_3 "source-address 172.16.72.110/32;" "permit;"
create access-list acl_10_4 "source-address 172.16.72.84/32;" "permit;"
create access-list acl_10_5 "source-address 172.168.202.100/32;" "permit;"
create access-list acl_10_6 "source-address 172.16.72.17/32;" "permit;"

You can > that output to a file or just copy it from the term into the CLI of the EXOS switch.

Each line must be applied to a port or VLAN or any as ingress individually.

Hope this helps.

--Matt
Userlevel 4
Erik above put the non-dropbox / github link: https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Perl/IOStoEXOSACL
Userlevel 5
If it's any help, I have created a post on how to create EXOS ACLs. It's not definitive and still needs a little more work, but it might help?

http://www.extremenetworks.guru/exos-acls/
