Extreme Networks
Question

error on egress (dynamic) acl


Userlevel 4
Create Date: Sep 27 2013 9:57AM

I want to block traffic from vlan1 to vlan2

setup acl:

create access-list deny-v1-v2 "source-address 10.99.36.0/24;destination-address 10.99.35.0/24" "deny"
config access-list add deny-v1-v2 first any egress

Applying it results in the following error:
Error: ACL install operation failed - port 5:8, rule "deny-v1-v2", feature unavailable.

What does this mean? And how do I solve this issue?

Also tried ingress, but this will block traffic in both directions...

Please advise.
(from LNU)

4 replies

Userlevel 4
Create Date: Sep 27 2013 12:09PM

Good Morning LNU

Can you give me information about the switch you are doing this on also what version of code?

Thanks
P (from Paul_Russo)
Userlevel 4
Create Date: Sep 27 2013 3:14PM

Hi Prusso,
thanks for your reply

It's a BB8810 - XOS version 12.3.3.6

I decided to work with static policies. I found out that this gives me a better overview.

Below is the test ACL policy (applied on any / ingress) - but I still can't get this working right:

The rules from vlan2 to vlan1 are working fine (got ping reply, RDP, telnet, and all other traffic is blocked).
In the policy I also created an entry to allow all traffic from vlan1 to vlan2, but all traffic is blocked.

vlan1 (10.99.35.0/24)
vlan 2 (10.99.36.0/24)

Policy:
entry permit-prd-inf-ping {
    if match all {
        source-address 10.99.36.0/24;
        destination-address 10.99.35.0/24;
        protocol icmp;
        icmp-type echo-request;
    } then {
        count permit-prd-inf-ping;
        permit;
    }
}

entry permit-prd-inf-telnet {
    if match all {
        source-address 10.99.36.0/24;
        destination-address 10.99.35.0/24;
        protocol tcp;
        destination-port 23;
    } then {
        count permit-prd-inf-telnet;
        permit;
    }
}

entry permit-prd-inf-rdp {
    if match all {
        source-address 10.99.36.0/24;
        destination-address 10.99.35.0/24;
        protocol tcp;
        destination-port 3389;
    } then {
        count permit-prd-inf-rdp;
        permit;
    }
}

entry deny-prd-inf-other {
    if match all {
        source-address 10.99.36.0/24;
        destination-address 10.99.35.0/24;
    } then {
        count deny-prd-inf-other;
        deny;
    }
}

entry permit-all-other {
    if match all {
        source-address 10.99.35.0/24;
        destination-address 10.99.36.0/24;
    } then {
        count permit-all-other;
        permit;
    }
}

(from LNU)
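The symptom in the post above is what a stateless, first-match ACL produces when only one direction of a flow is covered. As an added example (not from the thread and not Extreme's tooling), this Python transcription of the posted entries evaluates a request packet and the reply it provokes separately; it assumes top-down first-match evaluation, no connection tracking, and that unmatched packets are forwarded, and all host addresses and ports are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace

VLAN1 = ipaddress.ip_network("10.99.35.0/24")  # vlan1 in the post
VLAN2 = ipaddress.ip_network("10.99.36.0/24")  # vlan 2 in the post

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: str = ""  # "echo-request" / "echo-reply" for icmp

def v2_to_v1(p):
    return ipaddress.ip_address(p.src) in VLAN2 and ipaddress.ip_address(p.dst) in VLAN1

def v1_to_v2(p):
    return ipaddress.ip_address(p.src) in VLAN1 and ipaddress.ip_address(p.dst) in VLAN2

# Transcription of the posted policy as (entry name, match test, action).
# Assumption: entries are evaluated top-down, first match wins, and the ACL
# keeps no connection state, so each reply packet is judged on its own.
POLICY = [
    ("permit-prd-inf-ping", lambda p: v2_to_v1(p) and p.proto == "icmp" and p.icmp_type == "echo-request", "permit"),
    ("permit-prd-inf-telnet", lambda p: v2_to_v1(p) and p.proto == "tcp" and p.dport == 23, "permit"),
    ("permit-prd-inf-rdp", lambda p: v2_to_v1(p) and p.proto == "tcp" and p.dport == 3389, "permit"),
    ("deny-prd-inf-other", v2_to_v1, "deny"),
    ("permit-all-other", v1_to_v2, "permit"),
]

def evaluate(p):
    """Return (entry, action) of the first matching entry; unmatched packets are assumed forwarded."""
    for name, match, action in POLICY:
        if match(p):
            return name, action
    return "no-match", "permit"

def reply_to(req):
    """Construct the packet the other host sends back (ports swapped, echo-reply for a ping)."""
    kind = "echo-reply" if req.icmp_type == "echo-request" else req.icmp_type
    return replace(req, src=req.dst, dst=req.src, sport=req.dport, dport=req.sport, icmp_type=kind)

def flow_outcome(req):
    """Verdict for the request and for its reply, as the stateless ACL sees them."""
    return evaluate(req), evaluate(reply_to(req))
```

A vlan1-to-vlan2 request matches permit-all-other, but its reply from vlan2 falls through to deny-prd-inf-other, so the session never completes; a stateless ACL needs an explicit entry for the return direction of every flow it is meant to allow.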
Userlevel 4
Create Date: Oct 1 2013 2:11PM

nobody? (from LNU)
Userlevel 4
Create Date: Oct 7 2013 11:31AM

Have you checked the policy?
example:
D-Lab.5 # check policy MS-VLAN-BRIDGE
Policy file check successful.
BD-Lab.6 #
(from Pascal_Lurquin)
