07-26-2021 01:28 PM
I’m getting this error on an EXOS switch when trying to refresh a policy:
Line 29 : Protocol needs to be set to TCP or UDP, before setting "destination-port".
Here’s an example of what I added:
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
Here is an example of some lines that work:
entry acl1_deny28 { if { protocol udp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port snmp;} then { count acl1_snmp_deny; deny;}}
entry acl1_denyr1 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.4.0/24; destination-port 873;} then { count acl1_rsync_deny; deny;}}
Can anyone tell me why I can’t deny port 80 the same way I deny port 873 or snmp?
07-26-2021 07:50 PM
Hey, can I put comments in an ACL file?
If so, what’s the escape character?
Example:
// Allow only IT access to idrac
entry (something defining IT) permit
entry (everyone else) deny
07-26-2021 02:05 PM
I got it to work by putting my permit above the denies.
entry acl1_perm80 { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny37 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.17/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny38 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.18/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny39 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.19/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny40 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.20/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny41 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.21/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny42 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.22/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny43 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.23/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny44 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.24/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny45 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.25/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny46 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.26/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny47 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.27/32; destination-port 80;} then { count acl1_http_deny; deny;}}
entry acl1_deny48 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.28/32; destination-port 80;} then { count acl1_http_deny; deny;}}
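The fix above works because EXOS evaluates a policy file top to bottom and the first matching entry decides the packet's fate, so a permit placed after a broader deny never fires. The script below is an added example, not code from any poster or from Extreme: it parses entries in the syntax shown in this thread, lints them for the "protocol before destination-port" rule from the first post, and walks a packet through a policy in file order to show why entry order matters. Assumptions, labelled in the code: the regex only understands the subset of .pol syntax seen here; the service-name table (snmp = 161 and so on) and the default verdict when nothing matches (permit, on the assumption that EXOS has no implicit deny) are mine, and the sample entries are constructed from the ones posted above.

```python
"""Added example: parse EXOS-style ACL entries, lint the protocol/port rule,
and evaluate first-match ordering. Handles only the .pol subset seen in the thread."""
import ipaddress
import re

# Assumption: how service names used in destination-port resolve to port numbers.
SERVICE_PORTS = {"http": 80, "snmp": 161, "rsync": 873, "ssh": 22}

# Assumption: verdict when no entry matches (EXOS ACLs are assumed to have no implicit deny).
DEFAULT_ACTION = "permit"

ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s*\{(?P<match>[^}]*)\}\s*then\s*\{(?P<action>[^}]*)\}\s*\}"
)


def parse_policy(text):
    """Return [{'name', 'match': {condition: value}, 'actions': [...]}] in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        conds = {}
        for stmt in m.group("match").split(";"):
            stmt = stmt.strip()
            if stmt:
                key, _, val = stmt.partition(" ")
                conds[key] = val.strip()
        actions = [a.strip() for a in m.group("action").split(";") if a.strip()]
        entries.append({"name": m.group("name"), "match": conds, "actions": actions})
    return entries


def lint(entries):
    """Flag entries that use a port condition without 'protocol tcp' or 'protocol udp',
    which is what the switch's 'Protocol needs to be set to TCP or UDP' error complains about."""
    problems = []
    for e in entries:
        has_port = "destination-port" in e["match"] or "source-port" in e["match"]
        if has_port and e["match"].get("protocol", "").lower() not in ("tcp", "udp"):
            problems.append(f'{e["name"]}: protocol must be tcp or udp before a port condition')
    return problems


def _port(value):
    return int(value) if value.isdigit() else SERVICE_PORTS[value.lower()]


def matches(entry, src, dst, proto, dport):
    """True if every condition in the entry's if-block matches the packet."""
    c = entry["match"]
    if "protocol" in c and c["protocol"].lower() != proto:
        return False
    if "source-address" in c and ipaddress.ip_address(src) not in ipaddress.ip_network(c["source-address"], strict=False):
        return False
    if "destination-address" in c and ipaddress.ip_address(dst) not in ipaddress.ip_network(c["destination-address"], strict=False):
        return False
    if "destination-port" in c and _port(c["destination-port"]) != dport:
        return False
    return True


def evaluate(entries, src, dst, proto, dport):
    """First matching entry decides; returns (verdict, entry name or None)."""
    for e in entries:
        if matches(e, src, dst, proto, dport):
            return ("deny" if "deny" in e["actions"] else "permit"), e["name"]
    return DEFAULT_ACTION, None


# Constructed samples based on the entries posted in this thread.
PERMIT_ENTRY = "entry acl1_perm80 { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}"
DENY_ENTRY = "entry acl1_deny36 { if { protocol tcp; source-address 0.0.0.0/0; destination-address 10.80.2.16/32; destination-port 80;} then { count acl1_http_deny; deny;}}"
PERMIT_FIRST = PERMIT_ENTRY + "\n" + DENY_ENTRY   # the working layout
PERMIT_LAST = DENY_ENTRY + "\n" + PERMIT_ENTRY    # the layout that blocked everything
# Constructed entry with a port condition but no protocol, the shape that triggers the error.
BAD_POLICY = "entry acl1_bad { if { source-address 0.0.0.0/0; destination-port 80;} then { deny;}}"


if __name__ == "__main__":
    print("lint:", lint(parse_policy(BAD_POLICY)))
    for label, text in (("permit first", PERMIT_FIRST), ("permit last", PERMIT_LAST)):
        print(label, "10.7.1.5 -> 10.80.2.16:80:", evaluate(parse_policy(text), "10.7.1.5", "10.80.2.16", "tcp", 80))
    # A source the permit does not cover (e.g. a VPN address) hits the deny in either layout.
    print("VPN source:", evaluate(parse_policy(PERMIT_FIRST), "192.168.1.10", "10.80.2.16", "tcp", 80))
```

The last case is the point raised in the 01:55 post: the permit only helps if the source address the switch actually sees falls inside 10.7.0.0/16, so a connection arriving from a VPN range such as 192.168.x.x falls through to the deny regardless of where the permit sits.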
07-26-2021 01:55 PM
Oh shoot, it was the bottom line, to allow just the IT subnet access to that device.
I pasted the whole group in and thought it was the start of the newest line.
entry acl1_permit { if { protocol tcp; source-address 10.7.0.0/16; destination-address 0.0.0.0/0; destination-port 80;} then { permit;}}
It blocks it completely though, so the last permit is not allowed anyway. Though I’m RDPing, so I don’t know what the system sees me as: the PC I’m RDP’d to in that subnet, or my VPN IP address, which is in the 192.168 range.
07-26-2021 01:40 PM
That entry just works if I try it.
I think there is something else wrong in your policy.
Do a check policy <ACL> and see what it returns.