ACL best practices (one file with multiple entry or many files with single entry)

eyeV
New Contributor III
Hi everybody.
I want to add two access profiles to a VLAN. For example:

First
entry block-in-abonvlan {
    if match any {
        ethernet-type 0x8863;
        ethernet-type 0x8864;
    }
    then {
        permit;
    }
}

entry deny {
    if {
    }
    then {
        deny;
    }
}

Second
entry BCAST {
    if {
        ethernet-destination-address ff:ff:ff:ff:ff:ff;
    }
    then {
        count broadcast;
    }
}

entry ACTION {
    if {
        count broadcast > 10000;
        period 10;
    }
    then {
        syslog "It's probably a broadcast storm... Rule $ruleName $ruleValue exceeds limit $ruleThreshold" WARN 120;
    }
}

What is the best way to do this?
  • Two .pol files and two configure access-list commands.
  • Join these .pol files into one file.


eyeV
New Contributor III
Thanks.

Sumit_Tokle
Contributor
Please read the section "ACL Evaluation Precedence" in the ACL chapter of the EXOS 15.4 Concepts Guide, page 701.

eyeV
New Contributor III
"If you have two policies, it gets tricky to determine which policy to run first."
By the way, how can I determine this order?

Paul_Russo
Extreme Employee
Hey eyeV, I agree with Sumit: having one policy is always best, because the order of the entries determines how they are executed. If you have two policies, it gets tricky to determine which policy runs first.

Hope that helps.
P
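
Following the advice above to keep everything in one policy so that entry order is explicit, here is an added example; it is not from the thread and not an Extreme Networks tool. It is a small Python linter/merger that concatenates several .pol files in the order you choose, rejects the "(" typo in the original "entry deny (", unbalanced braces and duplicate entry names, and lists entries whose empty "if { }" block matches every packet, so you can confirm that the catch-all deny ends up last. The sample policies are reconstructed from the two snippets in the question; the file names bcast.pol and pppoe.pol are made up. It checks only the entry structure, not the EXOS grammar of match conditions or actions.

```python
"""Merge EXOS-style .pol files into one policy with explicit entry order.

Added example for this thread, not an Extreme Networks tool. It checks only
the entry structure seen in the posted policies (entry NAME { if ... { } then
{ } }), not the EXOS grammar of match conditions or actions.
"""
import re

ENTRY_RE = re.compile(r"\bentry\s+([^\s{(]+)\s*([{(])")
# An entry whose 'if' block is empty matches every packet (a catch-all).
CATCH_ALL_RE = re.compile(r"\bentry\s+([^\s{]+)\s*\{\s*if\s*\{\s*\}")


class PolicyError(ValueError):
    """Structural fault in a policy file."""


def lint_policy(text):
    """Return entry names in file order, or raise PolicyError.

    Faults caught: an entry opened with '(' instead of '{' (the typo in the
    original 'entry deny ('), a name defined twice, unbalanced braces.
    """
    names = []
    for m in ENTRY_RE.finditer(text):
        name, opener = m.groups()
        if opener == "(":
            raise PolicyError(f"entry {name}: opened with '(' instead of '{{'")
        if name in names:
            raise PolicyError(f"entry {name}: defined twice")
        names.append(name)
    if not names:
        raise PolicyError("no entries found")
    depth = 0
    # Braces inside quoted strings (syslog text) do not count as structure.
    for ch in re.sub(r'"[^"\n]*"', '""', text):
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if depth < 0:
            raise PolicyError("unexpected '}'")
    if depth:
        raise PolicyError(f"{depth} unclosed '{{'")
    return names


def catch_all_entries(text):
    """Names of entries whose empty 'if { }' matches every packet."""
    return CATCH_ALL_RE.findall(text)


def merge_policies(files):
    """Join (filename, text) pairs in the given order into one policy.

    Entry order is evaluation order, so the caller's file order is kept.
    Returns (merged_text, entry_names); raises PolicyError if a file is
    malformed or an entry name repeats across files.
    """
    seen, parts = {}, []
    for fname, text in files:
        for name in lint_policy(text):
            if name in seen:
                raise PolicyError(f"{name} in {fname} already in {seen[name]}")
            seen[name] = fname
        parts.append(text.strip() + "\n")
    return "\n".join(parts), list(seen)


def catch_all_is_last(text):
    """True if every catch-all entry is the final entry of the policy."""
    names = lint_policy(text)
    return all(names[-1] == n for n in catch_all_entries(text))


# Sample policies reconstructed from the two snippets in the question.
PPPOE_POL = """\
entry block-in-abonvlan {
    if match any { ethernet-type 0x8863; ethernet-type 0x8864; }
    then { permit; }
}
entry deny {
    if { }
    then { deny; }
}
"""
BROKEN_POL = PPPOE_POL.replace("entry deny {", "entry deny (")  # original typo
BCAST_POL = """\
entry BCAST {
    if { ethernet-destination-address ff:ff:ff:ff:ff:ff; }
    then { count broadcast; }
}
entry ACTION {
    if { count broadcast > 10000; period 10; }
    then { syslog "Rule $ruleName $ruleValue exceeds $ruleThreshold" WARN 120; }
}
"""

if __name__ == "__main__":
    try:
        lint_policy(BROKEN_POL)
    except PolicyError as err:
        print("lint error:", err)
    merged, order = merge_policies([("bcast.pol", BCAST_POL), ("pppoe.pol", PPPOE_POL)])
    print("evaluation order:", order)
    print("catch-all last:", catch_all_is_last(merged))
```

The order of the files passed to merge_policies becomes the entry order of the merged policy. The example puts the BCAST counting entry first and the catch-all deny last; that ordering is a choice made here, not one stated in the thread. Treat the script as a pre-commit sanity check, not a substitute for loading the policy on the switch and reading the "ACL Evaluation Precedence" section Sumit points to.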