
ACL to allow traffic to specified ports on a subnet


I have a situation where I need to restrict traffic from a specified client subnet to another server subnet. I have done this by creating a blanket deny between subnets which works fine.

I now need to allow traffic between the same two subnets but only for a specific port number.

I cannot seem to get this to function. The policy check commands come back as passed OK.

When the blanket deny between subnets is removed I can access the port I need to from the client subnet.

I have included examples from my ACL below and the "allow" is above the "deny" in the ACL.

entry Allow_server_to_client {
    if {
        source-address aaa.bbb.0.0/16;          # client subnet
        protocol tcp;
        destination-address ccc.ddd.195.0/24;   # server subnet
        destination-port 13087;
    }
    then {
        permit;
    }
}

entry Deny_server_to_client {
    if match all {
        source-address aaa.bbb.0.0/16;
        destination-address ccc.ddd.0.0/16;
    }
    then {
        deny;
    }
}
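The two entries above only behave as intended if the switch evaluates them first-match, in the order written, with every condition of an entry required to hold (the "if match all" semantics the thread settles on). The following is an added example, not code from the original post or from Extreme Networks: a small Python model of that evaluation run over the same two entries. It assumes constructed subnets (10.1.0.0/16 standing in for the post's aaa.bbb.0.0/16 client range, 10.2.0.0/16 and 10.2.195.0/24 for the ccc.ddd server ranges) and assumes that a packet matching no entry is permitted, which is how an EXOS ACL with no final deny-all entry is expected to behave.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # destination port, if any


@dataclass(frozen=True)
class Entry:
    """One ACL entry; every non-None field is a condition, as in 'if match all'."""
    name: str
    action: str                    # "permit" or "deny"
    source: Optional[str] = None   # source-address CIDR
    dest: Optional[str] = None     # destination-address CIDR
    proto: Optional[str] = None    # protocol
    dport: Optional[int] = None    # destination-port

    def matches(self, pkt: Packet) -> bool:
        # Every listed condition must hold; unset conditions are wildcards.
        if self.source and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.source):
            return False
        if self.dest and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dest):
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


# Constructed stand-ins for the post's aaa.bbb.0.0/16 (client) and
# ccc.ddd.0.0/16 / ccc.ddd.195.0/24 (server) placeholders.
CLIENT_NET = "10.1.0.0/16"
SERVER_NET = "10.2.0.0/16"
SERVER_APP_NET = "10.2.195.0/24"
APP_PORT = 13087

# The same two entries as the post, permit listed before deny.
POLICY: List[Entry] = [
    Entry("Allow_server_to_client", "permit", source=CLIENT_NET,
          dest=SERVER_APP_NET, proto="tcp", dport=APP_PORT),
    Entry("Deny_server_to_client", "deny", source=CLIENT_NET, dest=SERVER_NET),
]


def evaluate(policy: List[Entry], pkt: Packet) -> Tuple[str, str]:
    """First-match evaluation: the first entry whose conditions all hold decides.

    A packet matching no entry is permitted. This models the implicit permit at
    the end of an EXOS ACL that has no final deny-all entry (assumption).
    """
    for entry in policy:
        if entry.matches(pkt):
            return entry.action, entry.name
    return "permit", "<no match>"


if __name__ == "__main__":
    samples = [
        Packet("10.1.5.5", "10.2.195.10", "tcp", 13087),   # the one flow to allow
        Packet("10.1.5.5", "10.2.195.10", "tcp", 22),      # same hosts, other port
        Packet("10.1.5.5", "10.2.195.10", "udp", 13087),   # same port, wrong protocol
        Packet("10.1.5.5", "10.2.7.1", "tcp", 13087),      # server /16 but outside the /24
        Packet("10.3.0.1", "10.2.195.10", "tcp", 13087),   # not from the client subnet
    ]
    for p in samples:
        action, by = evaluate(POLICY, p)
        print(f"{p.proto} {p.src} -> {p.dst}:{p.dport}: {action} ({by})")
    # With the entries reversed the deny shadows the permit entirely.
    print("deny listed first:", evaluate(list(reversed(POLICY)), samples[0]))
```

The last line of the script is the check worth keeping around: if the deny entry is moved above the permit, the 13087 flow is denied too, so entry order is the first thing to verify when a narrower permit appears not to work.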

4 replies

Try "if match all" on the first expression as well

I honestly cannot remember the default on XOS

Have you refreshed the policy?
refresh policy
All

I had been doing a policy check and refresh without success... What I did find is that specifying "if match all" seemed to do the trick. I have no idea why as by default (apparently) "if match all" is implied. Either way I got it going but thanks for the replies.

cheers

Rich
Thanks Simon for your help 🙂

cheers
