ACL to allow traffic to specified ports on a subnet

  • 14 February 2018
  • 4 replies

I have a situation where I need to restrict traffic from a specified client subnet to another server subnet. I have done this by creating a blanket deny between subnets which works fine.

I now need to allow traffic between the same two subnets but only for a specific port number.

I cannot seem to get this to function. The policy check commands come back as passed OK.

When the blanket deny between subnets is removed I can access the port I need to from the client subnet.

I have included examples from my ACL below and the "allow" is above the "deny" in the ACL.

entry Allow_server_to_client {
    if {
        # client subnet
        source-address aaa.bbb.0.0/16;
        protocol tcp;
        # server subnet
        destination-address ccc.ddd.195.0/24;
        destination-port 13087;
    } then {
        permit;
    }
}

entry Deny_server_to_client {
    if match all {
        source-address aaa.bbb.0.0/16;
        destination-address ccc.ddd.0.0/16;
    } then {
        deny;
    }
}

Userlevel 3
Try "if match all" on the first expression as well

I honestly cannot remember the default on XOS

Userlevel 3
Have you refreshed the policy?
refresh policy


I had been doing a policy check and refresh without success. What I did find is that specifying "if match all" seemed to do the trick. I have no idea why, as by default (apparently) "if match all" is implied. Either way I got it going, but thanks for the replies.


Thanks Simon for your help :-)
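Added example, not part of the thread above and not Extreme's own code: a small first-match evaluator that mirrors the two-entry policy from the original post, so you can check which entry a given flow hits and why the allow entry has to sit above the blanket deny. The subnets 10.1.0.0/16, 10.2.0.0/16 and 10.2.195.0/24 are constructed stand-ins for the aaa.bbb / ccc.ddd placeholders, and the "no match means forward" fallback is an assumption about EXOS behaviour stated in the code.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# A flow is (source IP, destination IP, protocol, destination port).
Flow = Tuple[str, str, str, int]


@dataclass
class Entry:
    """One ACL entry with "match all" semantics: every condition present must hold."""
    name: str
    action: str                                      # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network] = None
    destination: Optional[ipaddress.IPv4Network] = None
    protocol: Optional[str] = None
    destination_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        src, dst, proto, dport = flow
        if self.source is not None and ipaddress.ip_address(src) not in self.source:
            return False
        if self.destination is not None and ipaddress.ip_address(dst) not in self.destination:
            return False
        if self.protocol is not None and proto != self.protocol:
            return False
        if self.destination_port is not None and dport != self.destination_port:
            return False
        return True


def evaluate(policy: List[Entry], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation: the first entry whose conditions all hold decides."""
    for entry in policy:
        if entry.matches(flow):
            return entry.action, entry.name
    # Assumption: a flow matched by no entry is forwarded (no implicit deny at the end).
    return "permit", "no-match"


# Constructed subnets standing in for the placeholders in the original post.
CLIENT = ipaddress.ip_network("10.1.0.0/16")       # aaa.bbb.0.0/16
SERVERS = ipaddress.ip_network("10.2.0.0/16")      # ccc.ddd.0.0/16
APP_SERVERS = ipaddress.ip_network("10.2.195.0/24")  # ccc.ddd.195.0/24

# Allow entry first, blanket deny second, as in the thread.
POLICY = [
    Entry("Allow_server_to_client", "permit",
          source=CLIENT, destination=APP_SERVERS, protocol="tcp", destination_port=13087),
    Entry("Deny_server_to_client", "deny",
          source=CLIENT, destination=SERVERS),
]

# Constructed sample flows covering the cases that matter for this policy.
SAMPLE_FLOWS = {
    "app port to app server":      ("10.1.5.5", "10.2.195.10", "tcp", 13087),
    "ssh to app server":           ("10.1.5.5", "10.2.195.10", "tcp", 22),
    "udp to app port":             ("10.1.5.5", "10.2.195.10", "udp", 13087),
    "app port to other server":    ("10.1.5.5", "10.2.10.10", "tcp", 13087),
    "non-client source":           ("10.3.1.1", "10.2.195.10", "tcp", 13087),
}


def run_samples(policy: List[Entry]) -> dict:
    """Evaluate every sample flow against a policy; returns {label: (action, entry)}."""
    return {label: evaluate(policy, flow) for label, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("allow above deny:")
    for label, result in run_samples(POLICY).items():
        print(f"  {label:28s} -> {result}")
    print("deny above allow (wrong order):")
    for label, result in run_samples(list(reversed(POLICY))).items():
        print(f"  {label:28s} -> {result}")
```

Running it shows only the TCP/13087 flow to the /24 reaching the permit entry; everything else from the client /16 falls through to the deny, and reversing the two entries makes the deny swallow the application flow as well, which is the ordering mistake this kind of policy is prone to.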