Creating ACL


Userlevel 2
Hello everyone,

I'm creating an ACL on an X460; however, I'd like to permit a few kinds of traffic and block any other access to that specific service, like the ACL below.

edit policy acl_input

entry permit_telnet {
    if match any {
        destination-address 192.168.3.29/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 23;
    } then {
        permit;
    }
}

entry permit_bgp {
    if match any {
        destination-address 1.3.4.5/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 179;
    } then {
        permit;
    }
}

entry permit_icmp {
    if match any {
        protocol icmp;
        source-address 192.168.3.10;
    } then {
        permit;
    }
}

entry block_all {
    if match all {
        source-address 192.168.3.10;
    } then {
        deny;
    }
}


The question is: when I applied it I lost all connection to the switch; however, I'd like to permit a few IPs and services and, after that, block all access to the switch that is not permitted.

Please, how can I create this ACL?

Thanks

13 replies

Userlevel 3
Hi,

Where do you apply the policy? Can you give more details?
Maybe you are connecting to the switch from 192.168.3.10?
Do you have any other ACL on the switch?

--
Jarek
Userlevel 2
Jarek wrote:

Hi,

Where do you apply the policy? Can you give more details?
Maybe you are connecting to the switch from 192.168.3.10?
Do you have any other ACL on the switch?

--
Jarek

Hi Jarek,

I'm applying it on the X460, whose IP address is 192.168.3.10. A short time after applying it, I try connecting to the switch and can't any more, so I need to log in via the console and disable this access list; after that, I'm able to connect to it again.

Do you have any other ACL on the switch?
No, I don't.

In this ACL, I'd like to first permit a few IP addresses to connect to the switch and also to establish a BGP session; after those permits, I'd like to block any access attempt toward the switch that is not permitted.
Userlevel 1
Are you applying this ACL on a port or a VLAN? I am assuming you are applying it on the ingress? Also, if the IP address 192.168.3.10 "resides" inside your switch you probably need to swap the destination IP with the source IP (assuming you are applying the ACL on ingress).
Userlevel 2
Hi Annas,

I'm applying this on a specific VLAN in ingress mode.

That's right, Annas, I made a mistake there. I've swapped them and it has worked fine so far.

Thank you for catching this mistake.

Another thing, about creating a routing policy like a Cisco prefix-list, for instance the one below:

ip prefix-list TESTE seq 10 permit/deny 10.10.0.0/8 le 32

On Extreme I can do it like below:
as_65000-IN.pol

entry politic_input {
    if {
        nlri 10.10.0.0/8;
    } then {
        permit/deny;
    }
}

In this rule I mean to block the network 10.10.0.0/8, but I need to block the whole network from /8 to /32; please, how can I do it on Extreme?

Thanks
Userlevel 1
The policy you have above should block the whole network from /8 to /32.
Userlevel 2
Hi Annas,

So, it will block or accept from /8 to /32 implicitly; so, if I'd like just /8 or /24, I should configure "nlri 10.10.0.0/24 exact;", shouldn't I?

Sincerely
Userlevel 3
For prefix /24, yes, you must add "exact" at the end.

Search the Concepts Guide for "Prefix Range Examples" 🙂

--
Jarek
Userlevel 2
Thanks, Jarek, for the tip.

I found what I needed; I was searching Extreme's User Guide, and it doesn't have this information.
Now I've found it in the Concepts Guide.

Thanks
Userlevel 2
After I read this guide and found "Prefix Range Examples", I configured my route policy as below:

entry bgp_filter {
    if match any {
        as-path "15123";
    } then {
        permit;
        local-preference 800;
    }
}

entry bgp_filter-05 {
    if match any {
        as-path "1234";
    } then {
        permit;
        local-preference 450;
    }
}

entry bgp_filter-10 {
    if match any {
        nlri any/20 max 24;
        as-path "^56789$";
    } then {
        permit;
        local-preference 750;
    }
}

entry bgp_filter-100 {
    if match all {
    } then {
        deny;
    }
}

At entry bgp_filter-10 I want to permit all IP addresses from /20 to /24, but when I run a refresh on my policy, I can't see this filter being fully applied; that is, I still see prefixes from /20 to /32 with the local-preference being applied.

What is a better way to build this rule?
Userlevel 3
Insert rule "bgp_filter-10" at the top of this policy.

--
Jarek
Userlevel 2
Hi @Jarek,

I have done it; however, when I applied this rule it marked all prefixes from /20 to /32 with local-preference 750. In that case I believe I should create a rule blocking /25, like "nlri any/25;", coming in from ASN 56789, and then apply another policy setting the local-preference, because it looks to me like Prefix Range doesn't work as it should.

So, I applied the rules below to make it work as I wish.

entry bgp_filter-0 {
    if match any {
        nlri any/25;
        as-path "^56789$";
    } then {
        deny;
    }
}

entry bgp_filter-3 {
    if match any {
        as-path "^56789$";
    } then {
        local-preference 750;
    }
}

And the next rules are the same.

Is prefix range working as hoped? That is my doubt.
Userlevel 3
Wellison, I forgot to add one thing about the entry.

entry bgp_filter-10 {
    if match any {
        nlri any/20 max 24;
        as-path "^56789$";
    } then {
        permit;
        local-preference 750;
    }
}

"if match any" means: if any of those two conditions is true, a match occurs.
In this case all prefixes /XX will be true for as-path "^56789$", plus prefixes /20 to /24.

If you change this to "if match all" (which is the default), then all match conditions must be true,
and you will have prefixes /20 - /24 in AS 56789.

--
Jarek
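Jarek's explanation above (match any vs. match all) and the earlier prefix-range replies (nlri X/N alone covering /N through /32, "exact", "max") can be checked against a small model. This is an added example written for this thread, not Extreme's code or anything posted by the participants; the Route fields and the range semantics are assumptions taken from the replies, and the sample routes are constructed.

```python
import re
from dataclasses import dataclass

# Constructed model of the EXOS route-policy semantics discussed in this thread
# (an assumption for illustration, not Extreme's implementation): "nlri X/N"
# alone matches /N through /32, "exact" matches only /N, "max M" matches /N..M,
# and "if match any" ORs the conditions while "if match all" ANDs them.

@dataclass
class Route:
    prefix: str    # network address, e.g. "10.10.4.0"
    length: int    # prefix length as received, e.g. 24
    as_path: str   # AS_PATH rendered as a string, e.g. "56789"

def _addr(a):
    return int.from_bytes(bytes(int(o) for o in a.split(".")), "big")

def nlri_matches(spec, route):
    """spec is the text after 'nlri': '10.10.0.0/8', '10.10.0.0/24 exact', 'any/20 max 24'."""
    parts = spec.split()
    net, plen = parts[0].split("/")
    lo = hi = int(plen)
    if "max" in parts:
        hi = int(parts[parts.index("max") + 1])
    elif "exact" not in parts:
        hi = 32                      # default range: /N through /32, more specifics included
    if not lo <= route.length <= hi:
        return False
    if net == "any":
        return True
    mask = (0xFFFFFFFF << (32 - lo)) & 0xFFFFFFFF
    return _addr(route.prefix) & mask == _addr(net) & mask

def entry_matches(mode, conditions, route):
    """mode is 'any' (OR) or 'all' (AND); conditions are ('nlri', spec) or ('as-path', regex)."""
    checks = {"nlri": nlri_matches,
              "as-path": lambda rx, r: re.search(rx, r.as_path) is not None}
    results = [checks[kind](value, route) for kind, value in conditions]
    return any(results) if mode == "any" else all(results)

# The bgp_filter-10 conditions from the thread; local-preference 750 is set on a match.
BGP_FILTER_10 = [("nlri", "any/20 max 24"), ("as-path", "^56789$")]

def gets_local_pref_750(mode, route):
    return entry_matches(mode, BGP_FILTER_10, route)
```

With "any", a constructed /25 from AS 56789 still gets local-preference 750 because the as-path condition alone is enough; with "all" it does not, which is the behaviour Wellison was after.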
Userlevel 2
Hello Jarek.

It's exactly what I wish. I need match all.

Somehow what I concluded is that this table "Prefix Range Example" doesn't work as expected.

If anyone at Extreme wishes to do more tests, I'm available to go ahead with it.
