topic acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port". in ExtremeSwitching (EXOS/Switch Engine)

acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

Keith9 — Mon, 26 Jul 2021 20:28:00 GMT

I’m getting this error on an exos switch when trying to refresh a policy

Line 29 : Protocol needs to be set to TCP or UDP, before setting "destination-port".

Here’s an example what I added.

entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}

Here is an example of some lines that work:

entry acl1_deny28 { if { protocol udp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port snmp;} then { count acl1_snmp_deny; deny;}}

entry acl1_denyr1 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.4.0/24; destination-port 873;} then { count acl1_rsync_deny; deny;}}

Can anyone tell me why I can’t deny port 80 the same why I deny port 873 or snmp?

RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

OscarK — Mon, 26 Jul 2021 20:35:00 GMT

It reports an error on line 29, is that line you show line 29 ?

RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

Keith9 — Mon, 26 Jul 2021 20:37:00 GMT

Yes i just took an exceprt. I didn’t want to do the whole config.

But look at what does work vs the one that doesn't. The syntax is literally identical.

protocol <tcp or udp>;source-address; destination-address; destination-port; then the action.

RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

OscarK — Mon, 26 Jul 2021 20:40:00 GMT

That entry just works if I try it.

I think there is something else wrong in your policy.

Do a check policy <ACL> and see what it returns.

RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

Keith9 — Mon, 26 Jul 2021 20:55:00 GMT

oh shoot it was the bottom line to allow just IT subnet access to that device.

I pasted the whole group in and though it was the start of the newest line.

entry acl1_permit { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}

It blocks it completely though. So the last permit is not allowed anyway. Though I’m RDPing so I dont know what the system sees me as, the pc i’m RDP’d to in that subnet, or my VPN IP address which is in the 192.168 range.

RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

Keith9 — Mon, 26 Jul 2021 21:05:00 GMT

I got it to work by putting my permit above the denies.

entry acl1_perm80 { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny37 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.17/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny38 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.18/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny39 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.19/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny40 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.20/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny41 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.21/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny42 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.22/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny43 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.23/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny44 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.24/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny45 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.25/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny46 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.26/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny47 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.27/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny48 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port 80;} then { count acl1_http_deny; deny;}}

RE: acl issue Protocol needs to be set to TCP or UDP, before setting "destination-port".

Keith9 — Tue, 27 Jul 2021 02:50:00 GMT

Hey can I put comments in an acl file?

If so whats the escape character ?
Example
// Allow only IT access to idrac

entry (something defining IT) permit

entry (everyone else) deny