ACL, how to invert match condition

EtherNation_Use
Contributor II
Create Date: Jun 19 2012 4:48AM

Is it possible to invert a match condition with an ACL?
E.g. I want to deny packets which are not coming from a specific IP address:
code:
  entry denyExample {
    if {
      source-address NOT 1.2.3.4/32 ;
      more match conditions ;
    } then {
      deny ;
    }
  }
Is this missing in the XOS software, or is this a deficit with the hardware?

(from Hans-Werner_Paulsen)

EtherNation_Use
Contributor II
Create Date: Jun 19 2012 5:46AM

If there is only ONE match condition, and ONE rule in the policy file, then one can simply reverse the logic. If you have more conditions this will not work.

(from Hans-Werner_Paulsen)

EtherNation_Use
Contributor II
Create Date: Jun 19 2012 5:13AM

I wouldn't claim to be an expert, but wouldn't you just reverse the logic and permit traffic from the addresses?

As far as I am aware, while the default action for an *entry* is to permit, the default action for an ACL is to deny that which hasn't been matched. (from David_Rickard)
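The two replies above describe a first-match ACL with a default deny and note that simply reversing a rule only works when it has a single condition. The following is an added simulation, not code from the thread or from XOS: entries are modelled as Python dicts (no XOS syntax is claimed), evaluation is first-match with a default deny as David describes, and the packets are constructed. It shows that naively reversing a two-condition rule misbehaves, while splitting it into single-condition entries reproduces the intended "deny if NOT source AND port" behaviour.

```python
from ipaddress import ip_address, ip_network

# Constructed sample packets: (source IP, destination TCP port)
PACKETS = [
    ("1.2.3.4", 80),    # trusted host, port 80
    ("1.2.3.4", 443),   # trusted host, other port
    ("10.0.0.9", 80),   # other host, port 80
    ("10.0.0.9", 443),  # other host, other port
]

def matches(entry, src, dport):
    """Every condition in the entry must hold (a 'match all' entry)."""
    cond = entry["if"]
    if "source-address" in cond and ip_address(src) not in ip_network(cond["source-address"]):
        return False
    if "destination-port" in cond and dport != cond["destination-port"]:
        return False
    return True

def evaluate(policy, src, dport, default="deny"):
    """First-match evaluation; unmatched packets get the ACL default (deny)."""
    for entry in policy:
        if matches(entry, src, dport):
            return entry["then"]
    return default

def mismatches(policy, intended):
    """Packets on which the policy disagrees with the intended decision."""
    return [(s, p) for s, p in PACKETS if evaluate(policy, s, p) != intended(s, p)]

TRUSTED = ip_address("1.2.3.4")

# Single-condition case from the question: deny everything NOT from 1.2.3.4.
intended_single = lambda s, p: "deny" if ip_address(s) != TRUSTED else "permit"
# Reversed logic: permit the trusted source, rely on the default deny.
SINGLE = [{"if": {"source-address": "1.2.3.4/32"}, "then": "permit"}]

# Two-condition case: deny when (NOT from 1.2.3.4) AND (port 80), permit the rest.
intended_two = lambda s, p: "deny" if (ip_address(s) != TRUSTED and p == 80) else "permit"
# Naive reversal of both conditions: permit only (from 1.2.3.4 AND port 80).
NAIVE = [{"if": {"source-address": "1.2.3.4/32", "destination-port": 80}, "then": "permit"}]
# Decomposition into single-condition entries, relying on first-match order.
DECOMPOSED = [
    {"if": {"source-address": "1.2.3.4/32"}, "then": "permit"},  # trusted host always passes
    {"if": {"destination-port": 80}, "then": "deny"},            # everyone else: no port 80
    {"if": {}, "then": "permit"},                                # catch-all for the rest
]

if __name__ == "__main__":
    print("single reversed:", mismatches(SINGLE, intended_single))      # []
    print("naive reversal :", mismatches(NAIVE, intended_two))          # two wrongly denied
    print("decomposed     :", mismatches(DECOMPOSED, intended_two))     # []
```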