https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25091#M614 I really don't know exactly how those access-lists/masks work, but shouldn't you also allow ARP on that port?<BR /> I've accidentally blocked ARP before, and the results weren't pretty <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> Wed, 14 Sep 2016 16:32:00 GMT Frank 2016-09-14T16:32:00Z https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25090#M613 I'm trying to understand access list’s mechanism on Extreme switch Summit300-48. Want to deny anything but TCP on specific port. So settings such commands:<BR /> <BR /> <DIV class="threadCode"><B>code:</B><PRE spellcheck="false">create access-mask port_mask ports precedence 25000<BR />create access-list denyall port_mask ports 1:43 deny create access-mask ipproto_mask ip-protocol ports precedence 15000 create access-list allowTCP ipproto_mask ip-protocol TCP ports 1:43 permit </PRE></DIV>And It doesn’t work. It looks like all incoming traffic on port 1:43 is blocked. ACL generally work on this switch. For example I could block all TCP and open only for specific IP. What am I doing wrong? Help me please.<BR /> <BR /> Tue, 13 Sep 2016 17:39:00 GMT https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25090#M613 Andrzej_Kenig 2016-09-13T17:39:00Z https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25091#M614 I really don't know exactly how those access-lists/masks work, but shouldn't you also allow ARP on that port?<BR /> I've accidentally blocked ARP before, and the results weren't pretty <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> Wed, 14 Sep 2016 16:32:00 GMT https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25091#M614 Frank 2016-09-14T16:32:00Z https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25092#M615 Hello Andrzej, I agreed with Frank. When using a "denyall" rule you might be blocking ARP packets also.<BR /> <BR /> I would suggest you to add the following rule and test again:<BR /> <BR /> <I>create access-mask allowarpmask ethertype ports precedence 1000<BR /> </I><I>create access-list allowarp access-mask allowarpmask ethertype 0x0806 ports 1:43 permit</I><BR /> Wed, 14 Sep 2016 19:52:00 GMT https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25092#M615 Henrique 2016-09-14T19:52:00Z https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25093#M616 It works! Exactly after adding your’s rules, Henrique, it works like it should to.In fact without arp allowed, it was working for the few seconds until host forget it’s local arp table. Now it works with no problems.<BR /> <BR /> Thank You very much!<BR /> <BR /> Thu, 15 Sep 2016 17:51:00 GMT https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25093#M616 Andrzej_Kenig 2016-09-15T17:51:00Z https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25094#M617 Hi Andrzej, glad to hear that worked!<BR /> <BR /> Thanks for the feedback.<BR /> Thu, 15 Sep 2016 17:51:00 GMT https://community.extremenetworks.com/t5/end-of-service-products/block-all-but-tcp-by-acl-on-extreme-switch-summit300-48/m-p/25094#M617 Henrique 2016-09-15T17:51:00Z