https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26246#M3481 Are you applying this ACL on a port or a VLAN? I am assuming you are applying it on the ingress? Also, if the IP address 192.168.3.10 "resides" inside your switch you probably need to swap the destination IP with the source IP (assuming you are applying the ACL on ingress). Wed, 24 Jun 2015 16:21:00 GMT Annas_Shaker 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26243#M3478 Hello everyone,<BR /> <BR /> I'm creating acl at x460, however i'd like permit a few traffic and block any access to that specific service like acl below.<BR /> <BR /> edit policy acl_input<BR /> <BR /> entry permit_telnet { <BR /> if match any {<BR /> destination-address 192.168.3.29/32;<BR /> source-address 192.168.3.10;<BR /> protocol tcp; <BR /> destination-port 23;<BR /> } <BR /> then { <BR /> permit;<BR /> }<BR /> }<BR /> <BR /> <BR /> entry permit_bgp { <BR /> if match any { <BR /> destination-address 1.3.4.5/32;<BR /> source-address 192.168.3.10;<BR /> protocol tcp; <BR /> destination-port 179;<BR /> } then { <BR /> permit;<BR /> } <BR /> } <BR /> entry permit_icmp { <BR /> if match any {<BR /> protocol icmp;<BR /> source-address 192.168.3.10; <BR /> } then { <BR /> permit; <BR /> } <BR /> } <BR /> entry block_all {<BR /> if match all {<BR /> source-address 192.168.3.10;<BR /> } then { <BR /> deny; } <BR /> } <BR /> <BR /> <BR /> The question is, when i applied it i lost all connection to switch, however i'd like permit a few ips and service and aftet to do that block all access doesn't permitted to switch. <BR /> <BR /> please, how can i created this acl?<BR /> <BR /> tks<BR /> <BR /> Wed, 24 Jun 2015 02:33:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26243#M3478 welisson 2015-06-24T02:33:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26244#M3479 Hi,<BR /> <BR /> where do you apply the policy ? Can you give more details ?<BR /> Maybe you are connecting to the switch from 192.168.3.10 ?<BR /> Do you have any other ACL on the switch ?<BR /> <BR /> --<BR /> Jarek<BR /> <BR /> Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26244#M3479 Jarek 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26245#M3480 Hi Jarek,<BR /> <BR /> I'm applying it on x460 where the ip address is 192.168.3.10, a few time later applied it i try connecting on the switch and i can't do that more, so i need logg in via console and disable this access-list, and so on, i'm able connecting them again.<BR /> <BR /> <I>Do you have any other ACL on the switch ?</I><BR /> No, i don't<BR /> <BR /> In this acl, i'd like firstly permit a few ip address to connect on switch also establish bgp section, after permit i'd like block any attempt access not permit in toward of switch.<BR /> <BR /> Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26245#M3480 welisson 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26246#M3481 Are you applying this ACL on a port or a VLAN? I am assuming you are applying it on the ingress? Also, if the IP address 192.168.3.10 "resides" inside your switch you probably need to swap the destination IP with the source IP (assuming you are applying the ACL on ingress). Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26246#M3481 Annas_Shaker 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26247#M3482 Hi Annas,<BR /> <BR /> I'm applying this on specific vlan and mode ingress.<BR /> <BR /> it's really Annas, i made a mistake that. i've swapped and work fine until now.<BR /> <BR /> Thank you for looking this wrong.<BR /> <BR /> Other thing, about creating routing policy like prefix-list at Cisco for instance below;<BR /> <BR /> ip prefix-list TESTE seq 10 permit/deny 10.10.0.0/8 le 32<BR /> <BR /> At Extreme i can do it like below;<BR /> as_65000-IN.pol<BR /> <BR /> entry politic_input {<BR /> if { <BR /> nrli 10.10.0.0/8;<BR /> }<BR /> then {<BR /> permit/deny;<BR /> }<BR /> <BR /> In this rule i mean to block the network 10.10.0.0/8, but i need block whole network from /8 until /32, please how can i to do it on Extreme?<BR /> <BR /> tks<BR /> Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26247#M3482 welisson 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26248#M3483 the policy you have above should block the whole network from /8 to /32. Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26248#M3483 Annas_Shaker 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26249#M3484 Hi Annas, <BR /> <BR /> So, it will block or accept from /8 until /32 implicit, so that, i'd like just /8 or /24 i should configure "nrli 10.10.0.0/24 exact;" shouldn't i?<BR /> <BR /> sincerely<BR /> <BR /> Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26249#M3484 welisson 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26250#M3485 For prefix /24, yes, you must add exact at end.<BR /> <BR /> Search in the concept guide for "Prefix Range Examples" <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span><BR /> <BR /> --<BR /> Jarek Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26250#M3485 Jarek 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26251#M3486 Tks Jarek for tip.<BR /> <BR /> I found what i'm need, i was researching Extremes User Guid and itself doesn't has this information.<BR /> Now i found in Concepts Guide.<BR /> <BR /> Tks Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26251#M3486 welisson 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26252#M3487 after i've read this guide and found "Prefix Range Examples" i configured my route-policy as below;<BR /> <BR /> entry bgp_filter {<BR /> if match any {<BR /> as-path "15123";<BR /> } then {<BR /> permit;<BR /> local-preference 800;<BR /> }<BR /> }<BR /> entry bgp_filter-05 {<BR /> if match any {<BR /> as-path "1234";<BR /> }<BR /> then {<BR /> permit;<BR /> local-preference 450;<BR /> }<BR /> }<BR /> <BR /> entry bgp_filter-10 {<BR /> if match any {<BR /> nlri any/20 max 24;<BR /> as-path "^56789$";<BR /> }<BR /> then {<BR /> permit;<BR /> local-preference 750;<BR /> }<BR /> }<BR /> <BR /> entry bgp_filter-100 {<BR /> if match all {<BR /> } then {<BR /> deny;<BR /> }<BR /> }<BR /> <BR /> at entry bgp_filter-10 i wanna permit all ip address inside from /20 to /24 but when i runnig refresh in my policy, i can't see this filter being full applied, or be, i still see prefix from /20 to /32 and the local-preference being applied.<BR /> <BR /> What is the better way to built this rule? Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26252#M3487 welisson 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26253#M3488 Insert rule "bgp_filter-10" on the top of this policy.<BR /> <BR /> --<BR /> Jarek<BR /> Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26253#M3488 Jarek 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26254#M3489 Hi<B>@Jarek</B>,<BR /> <BR /> I have done it, however when i applied this rule it mark all prefix from /20 to /32 as local-preference 750, in case i belive that i should create a rule blocking /25 like "nlri any/25;" comming into ASN 56789 and so, apply another policy setting up local-preference, because i'm looking that Prefix Range doesn't work as should. <BR /> <BR /> So, i applied the rule like below to work as i wish.<BR /> <BR /> entry bgp_filter-0 {<BR /> if match any {<BR /> nlri any/25 ;<BR /> as-path "^56789$";<BR /> }<BR /> then {<BR /> deny;<BR /> }<BR /> }<BR /> <BR /> entry bgp_filter-3 {<BR /> if match any {<BR /> as-path "^56789$";<BR /> }<BR /> then {<BR /> local-preference 750;<BR /> }<BR /> }<BR /> <BR /> and the next rule are the same.<BR /> <BR /> Is prefix range working as hope? It is my doubts. Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26254#M3489 welisson 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26255#M3490 Wellison, I forgot to add one thing about the entry.<BR /> <BR /> entry bgp_filter-10 {<BR /> if match any { <BR /> nlri any/20 max 24;<BR /> as-path "^56789$";<BR /> }<BR /> then {<BR /> permit;<BR /> local-preference 750;<BR /> }<BR /> }<BR /> <BR /> "if match any" means - if any of those two is true, match occours <BR /> In this case all prefixes /XX will be true for as-path "^56789$" + prefixes /20 to /24<BR /> <BR /> If you change this to "if match all" (which is default), then all match conditions must be true<BR /> and you will have prefixes /20 - /24 in AS 56789<BR /> <BR /> --<BR /> Jarek Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26255#M3490 Jarek 2015-06-24T16:21:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26256#M3491 Hello Jarek.<BR /> <BR /> It's exactly i wish. I need match all.<BR /> <BR /> somehow what i concluded is this table "Prefix Range Example" doesn't work as expected.<BR /> <BR /> If anyone at Extreme wishs to do more test i'm avaliable to go ahed with it.<BR /> <BR /> Wed, 24 Jun 2015 16:21:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/creating-acl/m-p/26256#M3491 welisson 2015-06-24T16:21:00Z