Extreme Networks

I'm new to Extreme core switches, I've used their edge products for years but usually in one off iSCSI deployments or more recently for limited AVB deployments.

We're replacing our HP Procurve cores with 8810s and I 'd like someone to take a quick look at this ACL I'm converting and point out anything I'm missing, this is my first time dealing with Extreme's ACL usage.

We have a learning center that needs access to internal DNS, KMS and then access to the internet, while blocking access to all other internal corporate resources.

Here's the HP ACL:
ip access-list extended "100"
10 permit tcp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0 eq 1688 10 remark "Allow LC to KMS server on DC2" 20 permit tcp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53 20 remark "Allow LC to tcp DNS on DC1" 30 permit udp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 eq 53 30 remark "Allow LC to udp DNS on DC1" 40 permit icmp 172.17.0.0 0.0.255.255 172.16.5.40 0.0.0.0 40 remark "Allow ping to DC2 LC" 50 permit icmp 172.17.0.0 0.0.255.255 172.16.5.55 0.0.0.0 50 remark "Allow ping to DC1 from LC" 60 permit ip 172.17.0.0 0.0.255.255 172.16.0.249 0.0.0.0 60 remark "Allow LC to Fortigate internal" 80 deny ip 172.17.0.0 0.0.255.255 172.16.0.0 0.0.255.255 80 remark "Block LC from local corp network" 90 deny ip 172.17.0.0 0.0.255.255 10.0.0.0 0.255.255.255 90 remark "Block LC from remote corp networks" 110 permit ip 172.17.0.0 0.0.255.255 0.0.0.0 255.255.255.255 110 remark "Allow LC out to the internet" exit
and here's the Extreme version, which is think is right:

entry permit_ICMP_dc1 { if match all { source-address 172.17.0.0/16; protocol ICMP; destination-address 172.16.5.55/32; } then { permit; } } entry permit_ICMP_dc2 { if match all { source-address 172.17.0.0/16; protocol ICMP; destination-address 172.16.5.40/32; } then { permit; } } entry permit_TCPDNS_dc1 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.55/32; destination-port 53; } then { permit; } } entry permit_TCPDNS_dc2 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.40/32; destination-port 53; } then { permit; } } entry permit_UDPDNS_dc1 { if match all { source-address 172.17.0.0/16; protocol UDP; destination-address 172.16.5.55/32; destination-port 53; } then { permit; } } entry permit_UDPDNS_dc2 { if match all { source-address 172.17.0.0/16; protocol UDP; destination-address 172.16.5.40/32; destination-port 53; } then { permit; } } entry permit_KMS_dc2 { if match all { source-address 172.17.0.0/16; protocol TCP; destination-address 172.16.5.40/32; destination-port 1688; } then { permit; } } entry permit_IP_FG600C { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 172.16.0.249/32; } then { permit; } } entry deny_LC_localcorp { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 172.16.0.0/16; } then { deny; } } entry deny_LC_remotecorp { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 10.0.0.0/8; } then { deny; } } entry permit_LC_internet { if match all { source-address 172.17.0.0/16; protocol IP; destination-address 0.0.0.0/0; } then { permit; } }
Did I miss anything? Will this work ok?

Thanks!