topic RE: How do I configure an access list to allow only one IP through ingress port? in ExtremeSwitching (EXOS/Switch Engine)

How do I configure an access list to allow only one IP through ingress port?

Anonymous — Tue, 04 Aug 2015 17:32:00 GMT

entry iprule1 {if {
source-address 10.1.2.246/32 ;
}
then {
permit ;
}
else {
deny ;
}
}

I am getting error:

Error: ACL install operation failed - conflicting actions

And where is "Extreme Networks Policy Manager" cant find it on extremenewtworks.com.

RE: How do I configure an access list to allow only one IP through ingress port?

Alexandr_P — Tue, 04 Aug 2015 17:35:00 GMT

Hi, Ashish!

I think better will be:
entry iprule1 {
if {
source-address 10.1.2.246/32 ;
}
then {
permit ;
}
if {
}
then {
deny ;
}
}

Thank you!

RE: How do I configure an access list to allow only one IP through ingress port?

Anonymous — Tue, 04 Aug 2015 17:35:00 GMT

Hi I tried this also earlier but I get the following error:

Error: Policy ip has syntax errors
Line 8 : Did not get expected keyword "else","if" is not valid
Configuration faiError: Policy ip has syntax errorsLine 8 : Did not get expected keyword "else","if" is not valid
Configuration failed on backup Node, command execution aborted!
led on backup Node, command execution aborted!

RE: How do I configure an access list to allow only one IP through ingress port?

Alexandr_P — Tue, 04 Aug 2015 17:35:00 GMT

Sorry, forgot 1 line:

entry iprule1 {
if {
source-address 10.1.2.246/32 ;
} then {
permit;
}
}
# deny everyone else
entry iprule2 {
if {
} then {
deny;
}
}

RE: How do I configure an access list to allow only one IP through ingress port?

Anonymous — Tue, 04 Aug 2015 17:35:00 GMT

sorry again but this has blocked all services from the host 10.1.2.246. It cannot access internet or ping default gateway either. Please advice!! 

RE: How do I configure an access list to allow only one IP through ingress port?

Anonymous — Tue, 04 Aug 2015 17:35:00 GMT

I have applied the policy on ingress port.

RE: How do I configure an access list to allow only one IP through ingress port?

Alexandr_P — Tue, 04 Aug 2015 17:35:00 GMT

What switch and what version of EXOS do you have?

RE: How do I configure an access list to allow only one IP through ingress port?

Anonymous — Tue, 04 Aug 2015 17:35:00 GMT

ExtremeXOS version 15.2.2.7
Summit X250e-24p

RE: How do I configure an access list to allow only one IP through ingress port?

BrandonC — Tue, 04 Aug 2015 17:35:00 GMT

Hi Ashish,

Does the host have an ARP entry for the default gateway? I suspect that this ACL is blocking ARP, since there is no IP header in an ARP packet. You could either switch to matching on the MAC address of the host, or add another entry to the ACL to permit ARP.

-Brandon

RE: How do I configure an access list to allow only one IP through ingress port?

Drew_C — Tue, 04 Aug 2015 17:35:00 GMT

Also, don't forget to permit the case where the destination IP is that of the host.

RE: How do I configure an access list to allow only one IP through ingress port?

Patrick_Voss — Tue, 04 Aug 2015 20:21:00 GMT

Hi Ashish,

What AlexandrP said is corrrect except there should be another entry in there above the second if. Like so:

entry iprule1 {
if {
source-address 10.1.2.246/32 ;
}
then {
permit ;
}
}

entry iprule2 {
if {
}
then {
deny;
}
}

Just incase this helps here is a article written for ACL's

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS

You can place multiple entries in one policy but it will only trigger on one of them. This means that the order is important because it goes from top to bottom.

RE: How do I configure an access list to allow only one IP through ingress port?

Prashanth_KG — Wed, 05 Aug 2015 05:33:00 GMT

Hi Ashish,

I agree with the discussion above. We need to add separate entries to permit or deny the rest of the traffic. The rule1 above only matches the source IP address. So, the ARP packets could be dropped. If this is the only IP address that you would like to allow, the following ACL could be considered.

entry iprule1 {
if {
source-address 10.1.2.246/32 ;
}
then {
permit ;
}
}

entry iprule2 {
if {
arp-sender-address 10.1.2.246/32;
}
then {
permit;
}
}

entry iprule3 {
if {
}
then {
deny;
}
}

If you want to allow ARP packets in general, the rule2 could be modified as below:

entry iprule2 {
if {
ethernet-type 0x0806;
}
then {
permit;
}
}

Hope this helps!

RE: How do I configure an access list to allow only one IP through ingress port?

Anonymous — Wed, 05 Aug 2015 05:33:00 GMT

This solution works perfectly!!!!!

Thankyou Mr.Prashant and everyone for your guidance 🙂