topic RE: Dynamic ACL Application in ExtremeSwitching (Other)

Dynamic ACL Application

Freiu — Fri, 30 Jan 2015 18:40:00 GMT

Hello,
i am working with dynamic ACLs and i have multiple ACLs for applications like RDP, HTTP, HTTPS is there any way i can reduce the number of lines in the following ACLs or i can specify multiple port numbers in one line. so i can reduce my configuration.
create access-list HTTP-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 80" "count HTTP;permit"
create access-list HTTPS-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 443" "count HTTPS;permit"
create access-list SSH-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 22" "count SSH;permit"

configure access-list add HTTP-IN first vlan "V67_Server" ingress
configure access-list add HTTPS-IN last vlan "V67_Server" ingress
configure access-list add SSH-IN last vlan "V67_Server" ingress

RE: Dynamic ACL Application

Paul_Russo — Fri, 30 Jan 2015 21:36:00 GMT

Hello Freiu

You can add port ranges that may help in what you are trying to do

"You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all"
"packets match the rule entry. Commonly used match conditions are:"
"• ethernet-source-address mac-address mask—Ethernet source address"
"• ethernet-destination-address mac-address mask—Ethernet destination address and mask"
"• source-address prefix—IP source address and mask"
"• destination-address prefix—IP destination address and mask"
"• source-port [port|range]—TCP or UDP source port range"
"• destination-port [port|range]—TCP or UDP destination port range"

By adding those ACLs using the CLI and the create access-list command those ACLs are what we call Dynamic. Another way to do the ACLs is to use a policy file with all of the statements in the file and then you can apply that file as an ACL to the port or VLAN. There is a great writeup on ACLs in the user guide. In 15.6 version it is chapter 22

I hope that helps

P

RE: Dynamic ACL Application

Freiu — Fri, 30 Jan 2015 21:58:00 GMT

Hi Paul,
Thankyou for your reply, we cannot use policy files so have to do it with dynamic ACLs. for port ranges the range has to be continous like [source-port 23-27] but in my case i have specific ports that are not continuos like for FTP,SMTP,HTTP,RDP. what can i do in this case?

RE: Dynamic ACL Application

Paul_Russo — Fri, 30 Jan 2015 23:29:00 GMT

Hello Freiu

I am sorry but I do not believe you can do multiple port values on the same line for example destination-port 80;22;443.

The way the ACL works everything in the If part of the statement or the conditions is either match all or match any so think of it as everything is "and" or "or" so in this case the packet would have to have all three ports values. If it is an "or" you could do destination-port 23; destination-port 443; destination port 80. The ACL will do an "or" on each statement. In this case you wouldn't be able to do subnet 10.10.10.0 and destination-port or destination-port.

So there is no option for having an "and" and "or" statement in the same ACL.

I hope this is clear

P

RE: Dynamic ACL Application

Freiu — Fri, 30 Jan 2015 23:29:00 GMT

Hi Paul,
are Network Zones supported in Dynamic ACLs?

create access-list TestCompressedout "destination-zone zone1;source-port 80" "count HTTP;permit"

RE: Dynamic ACL Application

Paul_Russo — Fri, 30 Jan 2015 23:29:00 GMT

Hey Freiu

No I don't believe source-zones and destination-zones are not supported in dynamic ACLs.

When I try and execute a dynamic ACL with a zone it errors out.

P

RE: Dynamic ACL Application

Freiu — Tue, 03 Feb 2015 16:39:00 GMT

Paul, Thanks for your help!!