topic RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help. in Network Architecture & Design

Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Arison_Mercado — Tue, 19 May 2015 21:51:00 GMT

Hi Everyone,

I'm trying to create and apply a ACL to a vlan on my switch but when I run the commands it says it doesn't exist.

1. I created the policy by entering: vi PBR_DEFAULTROUTE.pol
I enter a simple a entry and entered :wq! to save. successfully.

2. I typed in ls and it is listed under my files.

-rw-rw-rw- 1 root 0 932 May 19 12:39 PBR_DEFAULTROUTE.pol

3. Saved config on switch

4. I entered check policy PBR_DEFAULTROUTE.pol

# check policy PBR_DEFAULTROUTE.pol
Error: Policy PBR_DEFAULTROUTE.pol does not exist on file

5. Attempt to apply to VLAN

# configure access-list PBR_DEFAULTROUTE.pol vlan "Test_ACL" ingress

.Error: ACL policy PBR_DEFAULTROUTE.pol not found
Configuration failed on backup Node, command execution aborted!

Below is my original post on what I'm trying to accomplish but for this one I'm trying to enable this VLAN.

https://community.extremenetworks.com/extreme/topics/i-need-one-device-to-have-a-specific-ip-default...

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Hernandez__Josh — Tue, 19 May 2015 21:53:00 GMT

Arison,

You should not have to enter the policy name with .pol extension. Try it with just the policy name and no extension

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Jeremy_Thornton — Tue, 19 May 2015 22:08:00 GMT

Try using this command edit policy PBR_DEFAULTROUTE. Even if the policy does not already exist, it will create it for you.... and like Josh said, you don't need to use the file extension when applying or modifying, it is implied. You only need to use the file extension when manipulating it within the file structure, i.e. copying to a tftp destination.

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Arison_Mercado — Tue, 19 May 2015 22:08:00 GMT

I did both ways and both indicated that the file is not found, Im at a lost on why this is happening. Here are my logs

05/19/2015 13:16:12.40 Slot-1: Policy /config/PBR_DEFAULTROUTE.pol.pol does not exist on file system.

05/19/2015 13:14:52.65 Slot-1: 172.17.57.56 (telnet) admin: edit policy PBR_DEFAULTROUTE

05/19/2015 13:14:32.26 Slot-1: 172.17.x.x(telnet) admin: rm pbr_defaultroute.pol
05/19/2015 13:13:40.08 Slot-1: 172.17.x.x (telnet) admin: configure access-list pbr_defaultroute.pol vlan "Test_ACL" ingress

05/19/2015 13:13:27.25 Slot-2: Policy /config/pbr_defaultroute.pol.pol does not exist on file system.

05/19/2015 13:12:55.23 Slot-1: Policy /config/pbr_defaultroute.pol.pol does not exist on file system.

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Jeremy_Thornton — Tue, 19 May 2015 22:08:00 GMT

It looks like you're still trying to apply the policy using the file extension (.pol). Leave that part out, it is implied.

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Jeremy_Thornton — Tue, 19 May 2015 22:08:00 GMT

Also, It looks like you deleted the file before applying it. The file extension is used when manipulating the file system... like when you used the rm (remove) command. Then you tried to apply it using the file system extension... see in the log where it tried to add pbr_defaulteroute.pol.pol? So edit policy PBR_DEFAULTROUTE. Then apply it without using the file extension and don't delete it before trying to apply...

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Arison_Mercado — Tue, 19 May 2015 22:08:00 GMT

Ok, so the problem was I was adding the .pol when applying the file to the VLAN. Now my new error message is this "Error: Policy PBR_DEFAULT has syntax errors
Line 15 : Too many arguments from "/"

All I want to do is route traffic from a private vlan to another firewall and not allow anyone on my network access it. We're just going to host someones equipment on our site. Also please note we have a dedicated VLAN for the customer and again I dont want anyone pinging to it as well as have them redirect to their firewall and not out default route. Sorry I come from a cisco background and scripting is not my forte

##### Redirect default route entry

entry PBR {if match all {
source-address 192.168.2.0/24;
destination-address 0.0.0.0/0;
}

then {
redirect 192.168.2.100/32;
}
}

###### Deny internal Network to customer VLAN

entry rule1 {If match all {
source-address 172.16.0.0/16;
destination-address 192.168.2.0/24;
}
then {
deny ;
count RULE1-COUNT ;
}
}

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Jeremy_Thornton — Tue, 19 May 2015 22:08:00 GMT

Ok, good deal. You don't have to add the CIDR when specifying the redict destination.. so you can remove the /32 from 192.168.2.100.

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Arison_Mercado — Tue, 19 May 2015 22:08:00 GMT

Jeremy,

thanks for your help, I've applied the ACL as you described and I'm able to ping their network address's as well as there Firewall. I just can't get the redirect to point to their default gateway. Is there anything that I could be missing?

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Jeremy_Thornton — Tue, 19 May 2015 22:08:00 GMT

Let me take a look at one of my pbr's and compare. This is being applied inbound on the VLAN for 192.168.2.0/27, right?

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Prashanth_KG — Tue, 19 May 2015 22:08:00 GMT

Hi Arison,

Re-direct using an IP within a VLAN may not be possible. You could consider redirect-port .

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Prashanth_KG — Tue, 19 May 2015 22:08:00 GMT

Policy could be modified as below:

entry PBR {if match all {
source-address 192.168.2.0/24;
destination-address 0.0.0.0/0;
}

then {
redirect-port ;
}
}

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Jeremy_Thornton — Tue, 19 May 2015 22:08:00 GMT

Yep, looks like my PBR's ar all to different VLANs. I re-read your problem and I am wondering why the firewall is not the def gw? You may have explained it, I just missed it.

RE: Basic ACL: Switch says ACL doesn't exist when I created it, please help.

Zelnosky__Kevin — Wed, 03 Jun 2015 23:08:00 GMT

I helped assist Arison with this through a GTAC case. The reason why he cannot set the default gateway on the switch as the firewall, is that this is a remote hosting situation.

The end user is accessing servers on Arison's network, so he wanted all traffic related to the end user subnet to be redirected to the end user firewall.

The redirect ACL was always working, but it turns out the end user had a setting on their firewall that would deny traffic to the internet from any device without anti-virus. After this setting was disabled, the test was successful.