EXOS ACL, Explict, Match, Dynamic, Policy


Userlevel 5
Have some specific questions about EXOS ACLs I am hoping someone can help with:

  1. Dynamic and Policy ACLs - do these have an explicit deny or permit at the end of each? I know I can create either/or but am not sure what the default process is, and if it's the same for each type.
  2. If I create a Policy ACL with just an 'if' statement and NO match condition, i.e. 'match all', would it still match all elements in the statement, like source address, protocol and port number?
  3. What's the main difference and the reasons for creating ACLs as a policy rather than dynamic, and vice versa? Here are some that I can think of:
  • Policy ACL: you can edit the rule, i.e. if you wanted to add a count to a rule, as opposed to a Dynamic ACL where you would have to remove the ACL and re-add it amended.
  • Dynamic ACLs help if you are used to writing them directly in the command line.
  • Dynamic ACLs: you can re-use rules per individual rule.
  • Policy ACLs: you can apply many rules at once with a single command.
Thanks in advance.

7 replies

Userlevel 7
Hi,

In case you didn't notice, we also have a dedicated ACL guide, in addition to our User Guide.

1. ACLs have an implicit default permit all, while Routing Policies have an implicit default deny all.
2. If you are referring to having 'match all' or 'match any' for a policy: if none is specified, it defaults to 'match all'.

Rdgs
Userlevel 5
Hi Stephane,

Thanks for replying.

I have read the ACL guide, but I think the confusion has come about because of the slight contradiction. So, just to confirm your answer, are you saying that with examples 1 & 2 below there is a default permit all, and with example 3 there is a default deny all:

Example 1

test_policy1.pol

entry test_policy1 {
    if {
        source-address 25.25.25.1/32;
        destination-address 10.10.10.24/32;
    } then {
        deny;
    }
}

configure access-list test_policy1 first port 1:1 ingress

Example 2

create access-list test_dynamic "source-address 25.25.25.1/32;destination-address 10.10.10.24/32;" "deny;"

configure access-list add test_dynamic first port 1:1 ingress

Example 3

entry test_PBR {
    if {
        nlri 22.16.0.0/14;
    } then {
        permit;
    }
}

configure access-list test_PBR first port 1:1 ingress

----------------------

Also, one other thing just to clarify: do all these ACLs act on traffic by exiting on match, unlike policy in Enterasys where they keep going down the list?

Many thanks.
Userlevel 6
Hey Martin

You are correct in your statements. This is the section from the user guide:

"The following is an example of a policy entry:

entry ip_entry {
    if match any {
        nlri 10.203.134.0/24;
        nlri 10.204.134.0/24;
    } then {
        next-hop 192.168.174.92;
        origin egp;
    }
}

Policy entries are evaluated in order, from the beginning of the file to the end, as follows:
• If a match occurs, the action in the then statement is taken:
  • if the action contains an explicit permit or deny, the evaluation process terminates.
  • if the action does not contain an explicit permit or deny, the action is an implicit permit, and the evaluation process terminates.
• If a match does not occur, the next policy entry is evaluated.
• If no match has occurred after evaluating all policy entries, the default action is deny."

In your third example, to apply the route policy you need to use the configure bgp import-policy command, as shown below:

Applying route-policies

"To apply a routing policy, use the command appropriate to the client. Different protocols support different ways to apply policies, but there are some generalities.
Commands that use the keyword import-policy are used to change the attributes of routes installed into the switch routing table by the protocol. These commands cannot be used to determine the routes to be added to the routing table. The following are examples for the BGP and RIP protocols:
configure bgp import-policy [policy-name | none]
configure rip import-policy [policy-name | none]"
Userlevel 7
I answered too fast and too lightly; I assumed something in your question.

Policies:

- There can be zero or one match type. If no match type is specified, the match type is all, so all match conditions must be satisfied
- There can be zero or more match conditions. If no match is specified, then every routing entity matches.
- There can be zero or more actions. If no action is specified, the packet is permitted by default.

Default action
Keep in mind the behavior of ExtremeXOS. If you don’t apply a routing policy, the default action is permit. In the same manner, if no action in a policy rule that matches is defined, the default action is also permit. However in a routing policy, the default action for anything that doesn’t match any entries is deny.

Policy entries are evaluated in order, from the beginning of the file to the end, as follows:
- If a match occurs, the action in the then statement is taken.
  o If the action contains an explicit permit or deny, the evaluation process terminates.
  o If the action doesn't contain an explicit permit or deny, the action is an implicit permit, and the evaluation process terminates.
- If a match doesn’t occur, the next policy entry is evaluated.
- If no match has occurred after evaluating all policy entries, the default action is deny.
Userlevel 7
Also, don't confuse ACLs with Policies (Routing Policies). They share the same syntax pre-processor but behave slightly differently; Routing Policies do have a "match any" that is not available to ACLs.
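The evaluation rules quoted in the replies above (first match wins, an action without an explicit permit or deny is an implicit permit, ACLs default to permit while routing policies default to deny, 'match all' is the default and 'match any' exists only for routing policies) modelled as an added Python example. This is not Extreme Networks code and not from the ACL guide; the `Entry` class, the `dynamic_acl` helper (which parses the two quoted strings of Example 2's `create access-list` command), the `catch_all` entry and the prefix-containment matching are all constructed here to illustrate the thread's examples, and the real switch's matching is richer than this simplification.

```python
"""Toy model of the EXOS ACL / routing-policy evaluation rules quoted in this thread.

Added illustration, not Extreme Networks code: it only encodes the rules stated
in the replies above. Prefix matching is plain containment, a simplification.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PREFIX_ATTRS = {"source-address", "destination-address", "nlri"}
DEFAULT_ACTION = {"acl": "permit", "routing-policy": "deny"}  # implicit defaults from the thread


@dataclass
class Entry:
    name: str
    conditions: List[Tuple[str, str]]   # the 'if' block; empty list = no match condition
    actions: List[str]                  # the 'then' block, e.g. ["deny", "count drops"]
    match_type: str = "all"             # "all" (the default) or "any"


def dynamic_acl(name: str, conditions: str, actions: str) -> Entry:
    """Hypothetical helper: build an Entry from the two quoted strings of
    'create access-list <name> "<conditions>" "<actions>"' (Example 2 above)."""
    conds = [tuple(c.strip().split(None, 1)) for c in conditions.split(";") if c.strip()]
    acts = [a.strip() for a in actions.split(";") if a.strip()]
    return Entry(name, conds, acts)


def condition_holds(attr: str, wanted: str, actual: Optional[str]) -> bool:
    if actual is None:
        return False
    if attr in PREFIX_ATTRS:
        # Constructed simplification: an address/prefix matches if it lies inside the configured prefix.
        return ipaddress.ip_network(actual, strict=False).subnet_of(
            ipaddress.ip_network(wanted, strict=False))
    return str(actual) == str(wanted)


def entry_matches(entry: Entry, subject: Dict[str, str]) -> bool:
    if not entry.conditions:
        return True  # "If no match is specified, then every routing entity matches."
    results = [condition_holds(a, v, subject.get(a)) for a, v in entry.conditions]
    return all(results) if entry.match_type == "all" else any(results)


def evaluate(entries: List[Entry], subject: Dict[str, str], kind: str) -> Tuple[str, Optional[str]]:
    """Walk the entries in file order; return (verdict, name of the entry that fired, or None)."""
    if kind not in DEFAULT_ACTION:
        raise ValueError(f"unknown kind {kind!r}")
    for entry in entries:
        if kind == "acl" and entry.match_type == "any":
            raise ValueError(f"{entry.name}: 'match any' is only available in routing policies")
        if entry_matches(entry, subject):
            # An explicit deny terminates with deny; anything else (explicit permit, or only
            # next-hop/count/origin actions) is an implicit permit and also terminates.
            return ("deny" if "deny" in entry.actions else "permit"), entry.name
    return DEFAULT_ACTION[kind], None


# Entries transcribed from the examples in this thread.
TEST_POLICY1 = [Entry("test_policy1",
                      [("source-address", "25.25.25.1/32"), ("destination-address", "10.10.10.24/32")],
                      ["deny"])]
TEST_DYNAMIC = [dynamic_acl("test_dynamic",
                            "source-address 25.25.25.1/32;destination-address 10.10.10.24/32;", "deny;")]
TEST_PBR = [Entry("test_PBR", [("nlri", "22.16.0.0/14")], ["permit"])]
IP_ENTRY = [Entry("ip_entry", [("nlri", "10.203.134.0/24"), ("nlri", "10.204.134.0/24")],
                  ["next-hop 192.168.174.92", "origin egp"], match_type="any")]

# Constructed addition: an entry with an empty 'if' block turns the ACL's implicit permit
# into an explicit, countable deny at the end of the list.
CATCH_ALL_DENY = Entry("catch_all", [], ["deny", "count catch_all"])

if __name__ == "__main__":
    hit = {"source-address": "25.25.25.1", "destination-address": "10.10.10.24"}
    miss = {"source-address": "25.25.25.2", "destination-address": "10.10.10.24"}
    print("policy ACL, matching packet :", evaluate(TEST_POLICY1, hit, "acl"))
    print("dynamic ACL, matching packet:", evaluate(TEST_DYNAMIC, hit, "acl"))
    print("ACL, non-matching packet    :", evaluate(TEST_POLICY1, miss, "acl"))
    print("ACL + catch-all deny        :", evaluate(TEST_POLICY1 + [CATCH_ALL_DENY], miss, "acl"))
    print("routing policy, no match    :", evaluate(TEST_PBR, {"nlri": "192.0.2.0/24"}, "routing-policy"))
    print("match any, one nlri matches :", evaluate(IP_ENTRY, {"nlri": "10.204.134.0/24"}, "routing-policy"))
```

The model shows the two points the thread settles: a dynamic ACL and a policy-file ACL with the same conditions produce the same entry and the same verdict, and the only way to get a deny for non-matching traffic on an ACL is to write an explicit final entry, whereas a routing policy denies unmatched routes on its own.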
Userlevel 5
Many thanks for taking the time to reply, now all understood.
Userlevel 5
Here is a link to the guide for anyone else following the thread: http://extrcdn.extremenetworks.com/wp-content/uploads/2014/10/ACL_Solutions_Guide.pdf
