https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43091#M10305 thank you very much for the solution!<BR /> That was my typo:<BR /> I applied the policy like this<BR /> configure bgp neighbor 2001:db8::1 route-policy in allv6-in<BR /> and (again!) forgot about address-family ipv6-unicast<BR /> now it works as expected Tue, 25 Apr 2017 14:22:00 GMT Nick_Yakimenko 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43078#M10292 Hi there,<BR /> Can anyone explain to my why this basic ACL policy does not work?<BR /> This is using XOS 22.2.15 on an X450-G2.<BR /> <BR /> I want to emulate Cisco behaviour of permitting what I want with an deny at the bottom.<BR /> <BR /> <B># Permit</B><BR /> <B>entry 1.1 { if { source-address 192.168.132.0/26; destination-address 192.168.249.202/32;} then { permit; count Permit;}}</B><BR /> <BR /> <B># Deny Everything Else</B><BR /> <B>entry 2.1 { if {} then { deny; count Deny;}}</B><BR /> <BR /> The access list is applied to a VLAN as follows:<BR /> <BR /> <B>configure access-list Test vlan "Data" ingress</B><BR /> <BR /> It seems to drop all packets, I thought policies were supposed to process top down with packets until they get a match?<BR /> <BR /> Thanks,<BR /> Mark<BR /> <BR /> Mon, 24 Apr 2017 20:17:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43078#M10292 Mark_Lamond 2017-04-24T20:17:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43079#M10293 if match any Mon, 24 Apr 2017 20:30:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43079#M10293 Nick_Yakimenko 2017-04-24T20:30:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43080#M10294 more about 'match all' or 'match any'<BR /> <A href="https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS" target="_blank" rel="nofollow noreferrer noopener">https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS</A><BR /> Mon, 24 Apr 2017 20:30:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43080#M10294 Nick_Yakimenko 2017-04-24T20:30:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43081#M10295 Hi,<BR /> <BR /> the last ACL, will block all traffic including ARP, etc. on vlan ingress.<BR /> You should for example add before the last entry:<BR /> <BR /> entry ARP { if match all { ethernet-type 0x0806 ;<BR /> } then {<BR /> permit ;<BR /> } }<BR /> <BR /> and so on...<BR /> <BR /> --<BR /> Jarek Mon, 24 Apr 2017 20:40:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43081#M10295 Jarek 2017-04-24T20:40:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43082#M10296 Hi,<BR /> <BR /> if you want to emulate an IPv4 router ACL, you should use a deny statement that denies IPv4 packets only:<BR /> <BR /> <B>entry 2.1 { if {source-address 0.0.0.0/0;} then { deny; count Deny;}}</B><BR /> <BR /> Otherwise you will have problems with e.g. ARP as mentioned by Jarek.<BR /> <BR /> Thanks,<BR /> Erik Tue, 25 Apr 2017 11:56:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43082#M10296 Erik_Auerswald 2017-04-25T11:56:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43083#M10297 Thanks for the replies folks, now working as expected and making a lot more sense.<BR /> <BR /> We use a lot of ACL's and are moving from Enterasys/Cisco to Extreme so a lot to learn.<BR /> <BR /> Thanks,<BR /> Mark<BR /> <BR /> Tue, 25 Apr 2017 14:07:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43083#M10297 Mark_Lamond 2017-04-25T14:07:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43084#M10298 Hi Mark,<BR /> <BR /> if you need to convert Cisco(-like) ACLs to EXOS you can try the <A href="https://github.com/extremenetworks/ExtremeScripting/tree/master/EXOS/Perl/IOStoEXOSACL" target="_blank" rel="nofollow noreferrer noopener">IOS to EXOS ACL Convert</A> Perl script. Simple IPv4 ACLs can be converted with <A href="https://github.com/extremenetworks/E2X" target="_blank" rel="nofollow noreferrer noopener">E2X</A> as well.<BR /> <BR /> Thanks,<BR /> Erik Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43084#M10298 Erik_Auerswald 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43085#M10299 I'm trying to make a policy from this cisco line<BR /> ipv6 prefix-list ipv6_out seq 10 permit 2001:db8::/32 le 48<BR /> and it does not seem to work:<BR /> <BR /> entry acl_prefix-list_1 { if {<BR /> } then {<BR /> permit ;<BR /> }<BR /> }<BR /> <BR /> Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43085#M10299 Nick_Yakimenko 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43086#M10300 Hi Nick,<BR /> <BR /> a prefix list is not an access control list...  On EXOS, routing policies use .pol files just like ACLs, but they use different match statements and actions. They even have their own chapter in the documentation, <A href="http://documentation.extremenetworks.com/exos_22.2/EXOS_21_1/Routing_Policies/routing-policies.shtml" target="_blank" rel="nofollow noreferrer noopener">Routing Policies</A>.<BR /> <BR /> Anyway, the EXOS equivalent to your IOS prefix list line is:<BR /> entry ipv6_out_05 { if { nlri 2001:db8::/49 } then { deny } } entry ipv6_out_10 { if { nlri 2001:db8::/32 } then { permit } }You can use the <I>exact</I> keyword after the subnet specification to require an exact match, instead of accepting all longer prefixes.<BR /> <BR /> Thanks,<BR /> Erik Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43086#M10300 Erik_Auerswald 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43087#M10301 Thanks for reply<BR /> What about this one?<BR /> <BR /> ipv6 prefix-list allv6 seq 10 permit ::/0 ge 20 le 48 <BR /> <BR /> the eqivalent to v4 we use is<BR /> <BR /> ip prefix-list all seq 10 permit 0.0.0.0/0 ge 8 le 24<BR /> extreme-style is<BR /> <BR /> entry bgp-min24-00 { <BR /> if match any { <BR /> nlri any/9 exact ; <BR /> nlri any/10 exact ; <BR /> nlri any/11 exact ; <BR /> nlri any/12 exact ; <BR /> nlri any/13 exact ; <BR /> nlri any/14 exact ; <BR /> nlri any/15 exact ; <BR /> nlri any/16 exact ; <BR /> nlri any/17 exact ; <BR /> nlri any/18 exact ; <BR /> nlri any/19 exact ; <BR /> nlri any/20 exact ; <BR /> nlri any/21 exact ; <BR /> nlri any/22 exact ; <BR /> nlri any/23 exact ; <BR /> nlri any/24 exact ; <BR /> } <BR /> then { <BR /> local-preference 130 ; <BR /> community add "65535:65535" ; <BR /> permit ; <BR /> } <BR /> } <BR /> <BR /> entry bgp-min24-01 { <BR /> if match any { <BR /> nlri any/1 exact; <BR /> nlri any/2 exact; <BR /> nlri any/3 exact; <BR /> nlri any/4 exact; <BR /> nlri any/5 exact; <BR /> nlri any/6 exact; <BR /> nlri any/7 exact; <BR /> nlri any/8 exact; <BR /> nlri any/25 exact ; <BR /> nlri any/26 exact ; <BR /> nlri any/27 exact ; <BR /> nlri any/28 exact ; <BR /> nlri any/29 exact ; <BR /> nlri any/30 exact ; <BR /> nlri any/31 exact ; <BR /> nlri any/32 exact ; <BR /> } <BR /> then { <BR /> deny ; <BR /> } <BR /> } <BR /> Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43087#M10301 Nick_Yakimenko 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43088#M10302 Hi Nick,<BR /> <BR /> first a disclaimer: I did not test that my routing policies above really work...<BR /> <BR /> My understanding is that "nlri any/X" without "exact" matches on any network with a prefix length of X or longer. Thus you can compose the policy to first deny the too-long prefixes, then allow the accepted prefix length range, and then deny anything not yet matched.<BR /> <BR /> Example:<BR /> entry all_ipv6_05 { if { nlri any/49 } then { deny } } entry all_ipv6_10 { if { nlri any/20 } then { permit } } entry ipv6_out_15 { if { nlri any/0 } then { permit } } That method should work for IPv4 as well.<BR /> <BR /> Thanks,<BR /> Erik<BR /> <BR /> Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43088#M10302 Erik_Auerswald 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43089#M10303 That is a very good idea, but it does not work as expected<BR /> Line 3 : Failed argument value 49 is invalid<BR /> First of all, first argument should be <BR /> nlri any-ipv6/49<BR /> Secondly, I tried to filter-out a /48 announces from uplink, so I modified first argument to a /47<BR /> Did a policy-refresh<BR /> Tried to disable and then re-enable the bgp-session, but still I can see /48 announcements from an uplink. Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43089#M10303 Nick_Yakimenko 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43090#M10304 Thanks for testing. Sorry that it did not work.  Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43090#M10304 Erik_Auerswald 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43091#M10305 thank you very much for the solution!<BR /> That was my typo:<BR /> I applied the policy like this<BR /> configure bgp neighbor 2001:db8::1 route-policy in allv6-in<BR /> and (again!) forgot about address-family ipv6-unicast<BR /> now it works as expected Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43091#M10305 Nick_Yakimenko 2017-04-25T14:22:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43092#M10306 Great that it works!<BR /> <BR /> Thanks,<BR /> Erik Tue, 25 Apr 2017 14:22:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/basic-policy-based-acl/m-p/43092#M10306 Erik_Auerswald 2017-04-25T14:22:00Z