topic RE: ACL Basic in ExtremeSwitching (EXOS/Switch Engine)

ACL Basic

EtherNation_Use — Wed, 08 Jan 2014 06:01:00 GMT

Create Date: May 3 2013 2:16PM

HiI'm not quite getting ACL's so far. I have a few vlans all with ipforwarding enabled and ips for the vlans.vlan 1 10.10.1.0/24vlan 2 10.10.2.0/24

I was hoping the following would allow ping from vlan 1 to vlan 2 but block all else, but it doesn't seem to work, do i need to also allow the return traffic or am i incorrect..so if i create this policy (below) and configure via :

configure access-list thepolicy vlan "Vlan 2"

Code:

@description "Allow ICMP ping"
entry ping_allow_echo_request
{
if {
protocol icmp;
icmp-type echo-request;
source-address 10.10.1.0/24;
} then {
permit;
}
}
@description "Default block all"

entry deny_default_all {
if {
}
then {
deny;
}
}
(from conrad_jones)

RE: ACL Basic

EtherNation_Use — Wed, 08 Jan 2014 06:01:00 GMT

Create Date: May 3 2013 7:18PM

You have to allow the return as well. ACLs in XOS aren't stateful. If you allow the echo requests back, you should get the result you want. (from Ansley_Barnes)

RE: ACL Basic

EtherNation_Use — Wed, 08 Jan 2014 06:01:00 GMT

Create Date: May 5 2013 6:22PM

got it working, added echo-reply to the same network but as destination network

thank you

Code:

@description "Allow ICMP ping"
entry ping_allow_echo_request
{
if {
protocol icmp;
icmp-type echo-request;
source-address 10.10.1.0/24;
} then {
permit;
}
}
entry ping_allow_echo_reply
{
if {
protocol icmp;
icmp-type echo-reply;
destination-address 10.10.1.0/24;
} then {
permit;
}
}

@description "Default block all"

entry deny_default_all {
if {
}
then {
deny;
}
}

(from conrad_jones)