topic RE: match any / match all in ExtremeSwitching (EXOS/Switch Engine)

match any / match all

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 21 2013 1:00PM

Hi,

I am trying to setup an acl permitting a bunch of open ports. I tried this but failed:

entry openports {
if {
protocol tcp ;
if match any {
destination-port 1094 - 1095;
destination-port 2811-2812,4823,6000-6999,8443,22128,50000-52000,56000-56999,60000-61000;
destination-port 4823;
destination-port 6000-6999;
destination-port 8443;
destination-port 22128;
destination-port 50000-52000;
destination-port 56000-56999;
destination-port 60000-61000;
}
} then {
permit ;
}
}

First of all, I could not find in the documentation any detailed explanation how if match all/any work, though they are present in examples. Google returned only http://dataplumber.wordpress.com/category/exos/. Anyone can provide some pointers please?

Secondly, other than specifying separate acl entries for every differet port/port range, is there another way to achieve this? Preferably an one line syntax where I can just put all my ports/port ranges.

Cheers, (from dzila)

RE: match any / match all

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 21 2013 6:06PM

I don't think EXOS allows nested IFs,
both "if match all" and "if" have the same meaning, they test all the conditions with AND logical operator. The "if match any" tests all conditions with OR logical operator

I think you can achieve what you want by doing:

entry openports {
if {
protocol tcp;
destination-port 1094-1095,2811-2812,4823,6000-6999,8443,22128,50000-52000,56000-56999,60000-61000;
} then {
permit;
}
}

also don't forget to deny the packets that do not match the entry above:

entry DenyAll {
if {
} then {
deny;
}
}

P.S. I don't know if you can use multiple ranges in the "destination-port" condition, you might have to build one entire entry for each range

(from Luis_Coelho)

RE: match any / match all

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 22 2013 12:36PM

i can't get multiple ports or multiple ranges to work on one line.

hence i ended up writing this.

https://conradjonesit.wordpress.com/2...

I can't help thinking i missing something obvious though and this should be easier?

(btw if you want to use the program, my local version is problem newer with less bugs, i'll upload it at somepoint) (from Conrad_Jones)

RE: match any / match all

EtherNation_Use — Wed, 08 Jan 2014 06:03:00 GMT

Create Date: Jun 25 2013 12:59PM

Thank you all for your replies. Using separate entries for every port/range is the way to go. (from dzila)