How do I configure an access list to allow only one IP through an ingress port?


entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
    else {
        deny ;
    }
}

I am getting error:

Error: ACL install operation failed - conflicting actions

And where is "Extreme Networks Policy Manager"? I can't find it on extremenetworks.com.

13 replies

Userlevel 6
Hi, Ashish!

I think this will be better:

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
    if {
    }
    then {
        deny ;
    }
}

Thank you!
Alexandr P wrote:

Hi, Ashish!

I think this will be better:

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
    if {
    }
    then {
        deny ;
    }
}

Thank you!

Hi, I tried this earlier as well, but I get the following error:

Error: Policy ip has syntax errors
Line 8 : Did not get expected keyword "else","if" is not valid
Configuration failed on backup Node, command execution aborted!
Userlevel 6
Sorry, forgot 1 line:

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    } then {
        permit;
    }
}
# deny everyone else
entry iprule2 {
    if {
    } then {
        deny;
    }
}
Sorry again, but this has blocked all services from the host 10.1.2.246. It cannot access the internet or ping the default gateway either. Please advise!! 🙂
I have applied the policy on ingress port.
Userlevel 6
What switch and what version of EXOS do you have?
ExtremeXOS version 15.2.2.7
Summit X250e-24p
Userlevel 7
Hi Ashish,

Does the host have an ARP entry for the default gateway? I suspect that this ACL is blocking ARP, since there is no IP header in an ARP packet. You could either switch to matching on the MAC address of the host, or add another entry to the ACL to permit ARP.

-Brandon
Userlevel 7
Also, don't forget to permit the case where the destination IP is that of the host.
Userlevel 6
Hi Ashish,

What Alexandr P said is correct, except there should be another entry in there above the second if. Like so:

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
}

entry iprule2 {
    if {
    }
    then {
        deny;
    }
}

Just in case this helps, here is an article written on ACLs:

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS

You can place multiple entries in one policy but it will only trigger on one of them. This means that the order is important because it goes from top to bottom.
Userlevel 6
Hi Ashish,

I agree with the discussion above. We need to add separate entries to permit or deny the rest of the traffic. The rule1 above only matches the source IP address. So, the ARP packets could be dropped. If this is the only IP address that you would like to allow, the following ACL could be considered.

entry iprule1 {
    if {
        source-address 10.1.2.246/32 ;
    }
    then {
        permit ;
    }
}

entry iprule2 {
    if {
        arp-sender-address 10.1.2.246/32;
    }
    then {
        permit;
    }
}

entry iprule3 {
    if {
    }
    then {
        deny;
    }
}

If you want to allow ARP packets in general, rule2 could be modified as below:

entry iprule2 {
    if {
        ethernet-type 0x0806;
    }
    then {
        permit;
    }
}

Hope this helps!
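To see why the earlier two-entry policy cut the host off while this three-entry one works, here is a small first-match evaluator for the entries above. It is an added example, not code from the thread or from EXOS; the frame dictionaries are constructed samples, and it assumes (as a comment notes) that a frame matching no entry is forwarded.

```python
import ipaddress

def in_prefix(addr, prefix):
    """True when addr (None for frames lacking that field) lies inside prefix."""
    return addr is not None and ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)

# Match conditions used in the thread. An ARP frame (ethertype 0x0806) carries no IP
# header, so source-address can never match it; that is what blocked the host's ARP.
MATCHERS = {
    "source-address": lambda f, v: f["ethertype"] == 0x0800 and in_prefix(f.get("src_ip"), v),
    "arp-sender-address": lambda f, v: f["ethertype"] == 0x0806 and in_prefix(f.get("arp_sender"), v),
    "ethernet-type": lambda f, v: f["ethertype"] == v,
}

def evaluate(policy, frame):
    """First-match evaluation, top to bottom, like an EXOS ACL policy.
    An entry with an empty if-block matches every frame (the catch-all deny).
    Assumption: a frame matching no entry is forwarded, so the default is permit."""
    for name, conds, action in policy:
        if all(MATCHERS[k](frame, v) for k, v in conds.items()):
            return name, action
    return None, "permit"

HOST = "10.1.2.246/32"
# Policy as first proposed in the thread: permit the host's IP traffic, deny the rest.
IP_ONLY = [("iprule1", {"source-address": HOST}, "permit"),
           ("iprule2", {}, "deny")]
# The working policy: also permit ARP sent by the host before the catch-all deny.
WITH_ARP = [("iprule1", {"source-address": HOST}, "permit"),
            ("iprule2", {"arp-sender-address": HOST}, "permit"),
            ("iprule3", {}, "deny")]
# The variant permitting any ARP frame by ethertype.
ANY_ARP = [("iprule1", {"source-address": HOST}, "permit"),
           ("iprule2", {"ethernet-type": 0x0806}, "permit"),
           ("iprule3", {}, "deny")]

# Constructed sample frames arriving on the ingress port.
HOST_IP = {"ethertype": 0x0800, "src_ip": "10.1.2.246", "dst_ip": "8.8.8.8"}
HOST_ARP = {"ethertype": 0x0806, "arp_sender": "10.1.2.246", "arp_target": "10.1.2.1"}
OTHER_IP = {"ethertype": 0x0800, "src_ip": "10.1.2.50", "dst_ip": "8.8.8.8"}
OTHER_ARP = {"ethertype": 0x0806, "arp_sender": "10.1.2.50", "arp_target": "10.1.2.1"}

if __name__ == "__main__":
    for label, policy in (("ip-only", IP_ONLY), ("with-arp", WITH_ARP), ("any-arp", ANY_ARP)):
        for fname, frame in (("host-ip", HOST_IP), ("host-arp", HOST_ARP), ("other-arp", OTHER_ARP)):
            print(f"{label:9} {fname:9} -> {evaluate(policy, frame)}")
```

Running it shows the host's ARP request hitting the catch-all deny under the two-entry policy and rule2 under the three-entry one, while IP and ARP from any other address still end at the deny.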
This solution works perfectly!!!!!

Thank you, Mr. Prashanth, and everyone for your guidance 🙂
