
Create ACL

Create Date: Mar 11 2013 7:43PM

How do I create an ACL to limit access on a port to a predefined list of ip's?

Thanks (from Vince_MacNeil)

7 replies

Create Date: Mar 11 2013 9:17PM

This is pretty easy - I recommend downloading the XOS concepts guide and command reference for the version you're using as a reference for how these work, but an ACL for this purpose would look something like this:

entry restrict-to-first-IP {
    if {
        destination-address x.x.x.x/q;
    } then {
        permit;
    }
}
entry restrict-to-second-IP {
    if {
        destination-address y.y.y.y/z;
    } then {
        permit;
    }
}
entry default-deny {
    if {
    } then {
        deny;
    }
}

Save on your switch and apply to a port/VLAN combo.

There's a free program called Extreme Networks Policy Manager that works very well for constructing these; I believe it's still available on the Extreme site. (from Ansley_Barnes)

Create Date: Mar 11 2013 11:34PM

Ansley is right about looking in the concepts guide; it's always a great place to look.

A few things to note: everything in the "if" section of the ACL is an "and", not an "or", meaning that if you put in a number of items, like IP and protocol port, both have to match or it will not hit the ACL.

I would also add a counter statement in the "then" part so you can check whether the entries are being hit. You can create the ACLs in Notepad and transfer them to the switch using the TFTP command. Then do a check policy on it to make sure everything is set correctly.

You can apply the ACL to either a port or a VLAN. If you apply it to the port, you can only have one policy per port. If you do it per VLAN, you can have more than one on a port if the port is in more than one VLAN.

Hope that helps.
P (from Paul_Russo)

Create Date: Mar 12 2013 1:04PM

What about Dynamic ACLs? Are they simpler to set up? I just want to restrict the port to access a couple of IP addresses. I already have the concepts guide, but do you know where I could find more detailed examples of using these? I have set up ACLs on Cisco and HP, and the Extreme method seems a whole lot more complicated.

Thanks (from Vince_MacNeil)

Create Date: Mar 12 2013 1:37PM

If you have more than one IP to allow, the standard policy ACLs are probably cleaner and easier to maintain. They're not difficult to set up. I use the command line editor via SSH to do my policy file editing (it's a built-in version of vi).

1. edit policy ip-restriction
2. hit "i" to enter interactive mode, then paste the rule
3. hit esc, then type ZZ to save and quit the editor (like I said, it's vi, so editor commands are the same)
3a. [Optional, but recommended] check policy ip-restriction
4. configure access-list ip-restriction ports 1:5

Done. You can type "ls" into the main CLI to see all the policy files you have saved on the switch (it's a stripped-down, BusyBox-type Linux shell). You can also transfer files to the switch via TFTP or SFTP if you're more comfortable with that. I'm sure Ridgeline has something similar as well, and it's free for up to 10 switches; I just don't currently use it. Extreme Networks Policy Manager has a great wizard interface for constructing, editing, and exploring policy files, and can save them to a switch via TFTP when they're done. It's pretty simple, just a different workflow from Cisco/Juniper.

I'm not aware of a place to find many examples of these ACLs, but they're fairly straightforward. If you need a quick reference on what attributes you can match in a policy file, you can, from the CLI, type:

check policy attribute

then hit Tab for a complete list. Type in any of the attributes to get a description. (from Ansley_Barnes)

Create Date: Mar 12 2013 1:46PM
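Putting Paul's two points (conditions in one "if" are ANDed; add counters) together with Ansley's edit/check/apply steps, here is an added example, not from the thread or from Extreme, that renders a policy file in the syntax shown above with one entry per allowed prefix, a counted default deny, and the two CLI commands to validate and bind it. The policy name "ip-restriction", port "1:5", and the two sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable, List


def build_restrict_policy(allowed: Iterable[str],
                          match_key: str = "destination-address") -> str:
    """Render an EXOS-style policy file permitting only the given IPv4 prefixes.

    One entry per prefix: conditions inside a single `if { }` are ANDed, so two
    destination-address lines in one entry could never both match one packet.
    Every action block carries a `count` so hits can be checked afterwards.
    """
    entries: List[str] = []
    for idx, prefix in enumerate(allowed, start=1):
        # Strict parsing raises ValueError on malformed input or on host bits
        # set under a shorter mask, so a typo cannot silently widen the range.
        # A bare host address becomes a /32.
        net = ipaddress.IPv4Network(prefix)
        counter = f"allow_{net.network_address}_{net.prefixlen}".replace(".", "_")
        entries.append(
            f"entry allow-{idx} {{\n"
            f"    if {{\n"
            f"        {match_key} {net.with_prefixlen};\n"
            f"    }} then {{\n"
            f"        permit;\n"
            f"        count {counter};\n"
            f"    }}\n"
            f"}}\n"
        )
    # Catch-all last: an empty `if` matches everything that got this far.
    entries.append(
        "entry default-deny {\n"
        "    if {\n"
        "    } then {\n"
        "        deny;\n"
        "        count denied;\n"
        "    }\n"
        "}\n"
    )
    return "".join(entries)


def apply_commands(policy_name: str, port: str) -> List[str]:
    """The CLI steps from the thread: validate the file, then bind it to a port."""
    return [f"check policy {policy_name}",
            f"configure access-list {policy_name} ports {port}"]


if __name__ == "__main__":
    # Constructed sample: two destinations a host on port 1:5 may reach.
    print(build_restrict_policy(["10.1.1.5", "10.1.2.0/24"]))
    print("\n".join(apply_commands("ip-restriction", "1:5")))
```

Paste the printed policy into "edit policy ip-restriction" (or upload it via TFTP/SFTP) and then run the two printed commands.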

Have you heard of XOS ScreenPlay? I found some info on Extreme's site. It is a GUI-based config tool. I'm not sure if it's free. Is the policy wizard a free tool?

Thanks (from Vince_MacNeil)

Create Date: Mar 12 2013 1:51PM

Policy Manager (wizard tool) is free. Not sure about ScreenPlay, never worked with that. (from Ansley_Barnes)

Create Date: Mar 12 2013 10:21PM

ScreenPlay is free. All you need to do is run the command "enable web http" on the switch and then type the IP address of the switch into your internet browser. It will take you to the GUI of the switch. (from ethernet)