
Block all but TCP by ACL on Extreme switch Summit300-48


I'm trying to understand the access list mechanism on the Extreme switch Summit300-48. I want to deny anything but TCP on a specific port. So I set up these commands:

create access-mask port_mask ports precedence 25000
create access-list denyall port_mask ports 1:43 deny
create access-mask ipproto_mask ip-protocol ports precedence 15000
create access-list allowTCP ipproto_mask ip-protocol TCP ports 1:43 permit

And it doesn't work. It looks like all incoming traffic on port 1:43 is blocked. ACLs generally work on this switch. For example, I could block all TCP and open it only for a specific IP. What am I doing wrong? Help me please.


Userlevel 5
I really don't know exactly how those access-lists/masks work, but shouldn't you also allow ARP on that port?
I've accidentally blocked ARP before, and the results weren't pretty 😉
Userlevel 6
Hello Andrzej, I agree with Frank. When using a "denyall" rule you might be blocking ARP packets also.

I would suggest you add the following rules and test again:

create access-mask allowarpmask ethertype ports precedence 1000
create access-list allowarp access-mask allowarpmask ethertype 0x0806 ports 1:43 permit

It works! Right after adding your rules, Henrique, it works like it should. In fact, without ARP allowed, it was working for a few seconds until the host forgot its local ARP table. Now it works with no problems.

Thank You very much!
Userlevel 6
Andrzej Kenig wrote:

It works! Right after adding your rules, Henrique, it works like it should. In fact, without ARP allowed, it was working for a few seconds until the host forgot its local ARP table. Now it works with no problems.

Thank You very much!

Hi Andrzej, glad to hear that worked!

Thanks for the feedback.
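The following is an added illustration, not code from the thread or from Extreme Networks: a small Python model of how the access-lists above select a rule, written to show why the port-only "denyall" mask also catches ARP until the ethertype 0x0806 permit is added. It assumes ExtremeWare semantics as described in the thread (lower precedence number wins; an ip-protocol mask only matches IP frames; a frame that matches no access-list is forwarded normally). The frames, the Frame/AccessList classes and the function names are constructed for this example.

```python
# Added example: a model of precedence-ordered access-list evaluation on one
# switch port, reproducing the thread's "denyall"/"allowTCP"/"allowarp" rules.
# Assumptions (not verified against the switch): lower precedence number wins,
# an ip-protocol mask never matches non-IP frames, and unmatched traffic is
# forwarded. All frames below are constructed sample input.
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_ICMP = 1
IPPROTO_TCP = 6
IPPROTO_UDP = 17


@dataclass
class Frame:
    port: str
    ethertype: int
    ip_protocol: Optional[int] = None  # None for non-IP frames such as ARP


@dataclass
class AccessList:
    name: str
    precedence: int            # assumption: lower number = evaluated first
    ports: Set[str]
    action: str                # "permit" or "deny"
    ethertype: Optional[int] = None     # set when the mask is an ethertype mask
    ip_protocol: Optional[int] = None   # set when the mask is an ip-protocol mask

    def matches(self, f: Frame) -> bool:
        if f.port not in self.ports:
            return False
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        if self.ip_protocol is not None:
            # An ip-protocol mask looks at the IP header, so ARP (no IP
            # header) can never match it, whatever the precedence.
            if f.ethertype != ETHERTYPE_IP or f.ip_protocol != self.ip_protocol:
                return False
        return True


def evaluate(rules, frame: Frame) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule by precedence."""
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(frame):
            return rule.action, rule.name
    return "permit", "implicit-permit"  # assumption: unmatched traffic forwards


# The original configuration from the question.
ORIGINAL = [
    AccessList("denyall", 25000, {"1:43"}, "deny"),
    AccessList("allowTCP", 15000, {"1:43"}, "permit", ip_protocol=IPPROTO_TCP),
]

# The same configuration plus the ARP permit suggested in the answer.
FIXED = ORIGINAL + [
    AccessList("allowarp", 1000, {"1:43"}, "permit", ethertype=ETHERTYPE_ARP),
]

# Constructed sample frames arriving on port 1:43 (and one on another port).
SAMPLE_FRAMES = {
    "arp-request": Frame("1:43", ETHERTYPE_ARP),
    "tcp-syn": Frame("1:43", ETHERTYPE_IP, IPPROTO_TCP),
    "udp-dns": Frame("1:43", ETHERTYPE_IP, IPPROTO_UDP),
    "icmp-echo": Frame("1:43", ETHERTYPE_IP, IPPROTO_ICMP),
    "tcp-other-port": Frame("1:44", ETHERTYPE_IP, IPPROTO_TCP),
}


def summarize(rules) -> dict:
    """Map each sample frame to the action the rule set takes on it."""
    return {label: evaluate(rules, f)[0] for label, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for title, rules in (("original", ORIGINAL), ("with allowarp", FIXED)):
        print(title)
        for label, f in SAMPLE_FRAMES.items():
            action, rule = evaluate(rules, f)
            print(f"  {label:<15} -> {action:<6} ({rule})")
```

Running it shows the failure mode from the question: with only the two original rules, the ARP request is denied by "denyall" while TCP is permitted, so the host can talk only as long as its cached ARP entry survives; with the extra ethertype rule at precedence 1000, ARP is permitted and TCP keeps working while UDP and ICMP are still dropped.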
