https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32285#M895 I think I sorted it out in the thread that I started - the problem seems to be that denying via<BR /> if match all {<BR /> } then {<BR /> deny<BR /> }<BR /> truly matches everything - every protocol, every port, every address, and especially every ARP.<BR /> It also appears that it means that a "deny" rule like that also matches previously "accept"ed packets (because of the ARP test?)<BR /> Lesson learned: don't deny all like this, deny all in a more specific matter <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> <BR /> (I don't know if that was the intended behavior of "match all {}", but that's how it seems to play out.)<BR /> <BR /> Jarek helped me out with that in this thread: <A href="https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_between_vlans_in_a_vr" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_betwee...</A><BR /> <BR /> Tue, 15 Apr 2014 14:13:00 GMT Frank 2014-04-15T14:13:00Z https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32282#M892 Try this part:<BR /> <BR /> ...<BR /> entry EverythingElse { <BR /> if match all { <BR /> <B>source-address 0.0.0.0/0;</B><BR /> }<BR /> then {<BR /> deny ;<BR /> count Deny;<BR /> }<BR /> }<BR /> <BR /> I just finished fighting a similar issue. Without specifying "source anywhere", it denies <I>everything</I>.<BR /> <BR /> In my case I have multiple VLANs where I want to allow routing all VLANs to/from one particular special VLAN, but I do <I>not</I> want to route traffic between the "normal" VLANs.<BR /> <BR /> I'll start a thread on that...<BR /> Note: This topic was created from a <A href="http://community.extremenetworks.com/extreme/topics/static_acl_question_block_traffic_vlan1_to_vlan2_with_exceptions-1ebmi6/replies/14104751" target="_blank" rel="nofollow noreferrer noopener">reply</A> on the <A href="http://community.extremenetworks.com/extreme/topics/static_acl_question_block_traffic_vlan1_to_vlan2_with_exceptions-1ebmi6" target="_blank" rel="nofollow noreferrer noopener">static ACL question - block traffic vlan1 to vlan2 with exceptions</A> topic. Fri, 04 Apr 2014 20:47:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32282#M892 Frank 2014-04-04T20:47:00Z https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32283#M893 Hi Frank, I thought I would start this thread for you to see if anyone might be able to give you some advice. Have a great day! Tue, 15 Apr 2014 01:59:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32283#M893 Tamera_Rousseau 2014-04-15T01:59:00Z https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32284#M894 Hello Frank<BR /> <BR /> The ACLs in XOS have a implicit permit not a implicit deny so adding your final entry is needed to make sure that all traffic is dropped unless it is explicitly permitted in the other entries.<BR /> <BR /> Not sure if that is answering your question so if you can provide more information we can look it over.<BR /> <BR /> Thanks<BR /> P<BR /> Tue, 15 Apr 2014 02:19:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32284#M894 Paul_Russo 2014-04-15T02:19:00Z https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32285#M895 I think I sorted it out in the thread that I started - the problem seems to be that denying via<BR /> if match all {<BR /> } then {<BR /> deny<BR /> }<BR /> truly matches everything - every protocol, every port, every address, and especially every ARP.<BR /> It also appears that it means that a "deny" rule like that also matches previously "accept"ed packets (because of the ARP test?)<BR /> Lesson learned: don't deny all like this, deny all in a more specific matter <span class="lia-unicode-emoji" title=":winking_face:">😉</span><BR /> <BR /> (I don't know if that was the intended behavior of "match all {}", but that's how it seems to play out.)<BR /> <BR /> Jarek helped me out with that in this thread: <A href="https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_between_vlans_in_a_vr" target="_blank" rel="nofollow noreferrer noopener">https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_betwee...</A><BR /> <BR /> Tue, 15 Apr 2014 14:13:00 GMT https://community.extremenetworks.com/t5/extremewireless-general/i-have-multiple-vlans-where-i-want-to-allow-routing-all-vlans-to/m-p/32285#M895 Frank 2014-04-15T14:13:00Z