
How to make ACL that will only allow HTTP traffic to and from a specific host


I am new to ACLs in Extreme and would like to seek your support on how to make an ACL that only allows HTTP and HTTPS traffic to and from host 10.158.22.36. All other packets to and from 10.158.22.36 should be denied.

thank you!

4 replies

There is an article about how to create and apply an ACL in EXOS: https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS/

I think your ACL syntax may be:

entry one {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count ;
        permit ;
    }
}
entry two {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count ;
        permit ;
    }
}
entry three {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count ;
        permit ;
    }
}
entry four {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count ;
        permit ;
    }
}
entry five {
    if match all {
        source-address 10.158.22.36/32 ;
    } then {
        count ;
        deny ;
    }
}
entry six {
    if match all {
        destination-address 10.158.22.36/32 ;
    } then {
        count ;
        deny ;
    }
}

But if the host 10.158.22.36 is just a user device and not a server providing the web service, then I think you don't need both directions. It will be enough with the "source-address" and "destination-port" match conditions.
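To see what the six entries above actually do to real flows, here is a small first-match simulation. It is an added illustration for this thread, not code from the original post or from Extreme Networks. It models a stateless ACL the way EXOS evaluates a policy file (entries are checked top to bottom, the first matching entry decides, and traffic matching no entry is forwarded). The client and web-server addresses and all sample packets are constructed, and the "server variant" policy, which matches traffic leaving the host on its source port instead of its destination port, is my assumption about what the host-is-a-server case described later in the thread needs.

```python
"""First-match simulation of the six ACL entries posted in this thread.

Added illustration for this discussion; it is not code from the original post
or from Extreme Networks. It models a stateless ACL the way EXOS evaluates a
policy file: entries are checked top to bottom and the first one whose
'if match all' conditions hold decides the action. Packets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

HOST = "10.158.22.36"          # the host from the question
CLIENT = "10.158.40.7"         # constructed: workstation opening the GUI
WEB = "198.51.100.10"          # constructed: some external web server


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


# One entry: (name, match conditions that must all hold, action)
Entry = Tuple[str, Dict[str, object], str]


def matches(conds: Dict[str, object], pkt: Packet) -> bool:
    """'if match all': every listed condition must hold for the packet."""
    fields = {
        "source-address": pkt.src,
        "destination-address": pkt.dst,
        "protocol": pkt.proto,
        "source-port": pkt.sport,
        "destination-port": pkt.dport,
    }
    return all(fields[key] == value for key, value in conds.items())


def evaluate(policy: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """Return (entry name, action) of the first matching entry.

    A packet matching no entry falls through; EXOS forwards such traffic,
    so the fall-through here is an implicit permit.
    """
    for name, conds, action in policy:
        if matches(conds, pkt):
            return name, action
    return "(no match)", "permit"


# The six entries as posted (hosts are /32, so address equality is enough).
POSTED: List[Entry] = [
    ("one",   {"source-address": HOST, "protocol": "tcp", "destination-port": 80},  "permit"),
    ("two",   {"source-address": HOST, "protocol": "tcp", "destination-port": 443}, "permit"),
    ("three", {"destination-address": HOST, "protocol": "tcp", "destination-port": 80},  "permit"),
    ("four",  {"destination-address": HOST, "protocol": "tcp", "destination-port": 443}, "permit"),
    ("five",  {"source-address": HOST}, "deny"),
    ("six",   {"destination-address": HOST}, "deny"),
]

# Assumed variant for the case the asker later describes (the host is the
# server): traffic *from* the host is matched on its source port instead.
SERVER_VARIANT: List[Entry] = [
    ("one", {"source-address": HOST, "protocol": "tcp", "source-port": 80},  "permit"),
    ("two", {"source-address": HOST, "protocol": "tcp", "source-port": 443}, "permit"),
] + POSTED[2:]

# Constructed sample flows.
SAMPLES: Dict[str, Packet] = {
    "gui_request":  Packet(CLIENT, HOST, "tcp", 51514, 443),   # client -> host GUI
    "gui_reply":    Packet(HOST, CLIENT, "tcp", 443, 51514),   # host's reply
    "ssh_to_host":  Packet(CLIENT, HOST, "tcp", 51515, 22),    # should be denied
    "host_browses": Packet(HOST, WEB, "tcp", 40000, 443),      # host as a client
}


def summarize(policy: List[Entry]) -> Dict[str, Tuple[str, str]]:
    """Evaluate every sample flow against a policy."""
    return {label: evaluate(policy, pkt) for label, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for title, policy in (("as posted", POSTED), ("server variant", SERVER_VARIANT)):
        print(f"--- {title} ---")
        for label, (entry, action) in summarize(policy).items():
            print(f"{label:13s} -> entry {entry:10s} {action}")
```

Running it shows the point that matters when the host is the server: the posted entries permit the client's request to port 443 (entry four) and deny SSH to the host (entry six) as intended, but the host's own reply leaves with source port 443 and an ephemeral destination port, so it matches neither entry one nor entry two and is dropped by entry five. The server variant permits that reply via its source-port match and, as a side effect, denies the host browsing out to external web servers, which is usually what you want for a server that should only serve its GUI.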

Thank you! I will give it a try and see the results.

Actually, the host is a server whose GUI I need to launch remotely. I would like to restrict access to that host to GUI access only.

Hello,

I would just like to clarify: in which direction should I apply the ACL, egress or ingress?
configure access-list vlan egress|ingress

Well, I think you should consider the ACL according to the direction of traffic, and perhaps divide it into two separate ACLs: ACL1 with "source-address" match conditions and ACL2 with "destination-address" match conditions.
The ACLs can be applied in various ways depending on where they are applied. For example, ACL1 can be applied as ingress on the port or VLAN the host is connected to. ACL1 can also be applied as egress on the uplink port or on a port connected to an end user, because the goal of ACL1 is only to accept HTTP/HTTPS traffic from the specific host. Either way meets the goal.
(Please remember that not all EXOS switches support egress ACLs.)

Usually, ACL1 is applied as ingress on the port or VLAN the host is connected to, for traffic coming from the host, and ACL2 is applied as ingress on the uplink port (or VLAN) or on the ports connected to end users, for traffic entering the switch destined to the host.
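An added worked example of the two-ACL split described in this reply. It is my own illustration, not configuration from the original post or from Extreme Networks. ACL1 matches on source-address and is applied ingress on the host-facing port; ACL2 matches on destination-address and is applied ingress on the uplink. The port numbers (1 for the host, 48 for the uplink), the policy and counter names, the `#` comment lines, and the use of source-port in ACL1 (the host is the server, so its replies leave with source port 80 or 443) are all assumptions.

```text
# ACL1.pol - match on source-address; apply ingress on the host's port.
# The host is the server, so its replies leave with source port 80/443.
entry http_from_host {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        source-port 80 ;
    } then {
        count http_from_host ;
        permit ;
    }
}
entry https_from_host {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        source-port 443 ;
    } then {
        count https_from_host ;
        permit ;
    }
}
entry deny_other_from_host {
    if match all {
        source-address 10.158.22.36/32 ;
    } then {
        count deny_other_from_host ;
        deny ;
    }
}

# ACL2.pol - match on destination-address; apply ingress on the uplink
# (and/or the user-facing ports), so traffic toward the host is filtered
# before it reaches the host's port.
entry http_to_host {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count http_to_host ;
        permit ;
    }
}
entry https_to_host {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count https_to_host ;
        permit ;
    }
}
entry deny_other_to_host {
    if match all {
        destination-address 10.158.22.36/32 ;
    } then {
        count deny_other_to_host ;
        deny ;
    }
}

# EXOS CLI (port numbers assumed: 1 = host, 48 = uplink)
check policy ACL1
check policy ACL2
configure access-list ACL1 ports 1 ingress
configure access-list ACL2 ports 48 ingress
show access-list counter ports 1 ingress
show access-list counter ports 48 ingress
```

The named counters are what make the policy verifiable after it is applied: a rising deny_other_to_host count on the uplink shows exactly how much non-GUI traffic is being aimed at the host, and a rising deny_other_from_host count on the host port tells you the server itself is trying to talk to something other than its GUI clients (DNS, NTP or update traffic, for example, which would need their own permit entries if the server legitimately depends on them). Because the ACL is stateless, both the request and the reply direction have to be allowed explicitly, which is why ACL1 uses source-port where ACL2 uses destination-port.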

Reply