Basic Policy Based ACL
‎04-24-2017 01:17 PM
Hi there,
Can anyone explain to me why this basic ACL policy does not work?
This is using XOS 22.2.15 on an X450-G2.
I want to emulate Cisco behaviour of permitting what I want with a deny at the bottom.
# Permit
entry 1.1 { if { source-address 192.168.132.0/26; destination-address 192.168.249.202/32;} then { permit; count Permit;}}
# Deny Everything Else
entry 2.1 { if {} then { deny; count Deny;}}
The access list is applied to a VLAN as follows:
configure access-list Test vlan "Data" ingress
It seems to drop all packets, I thought policies were supposed to process top down with packets until they get a match?
Thanks,
Mark
14 REPLIES
‎04-25-2017 07:07 AM
Thanks for the replies folks, now working as expected and making a lot more sense.
We use a lot of ACLs and are moving from Enterasys/Cisco to Extreme, so a lot to learn.
Thanks,
Mark
‎04-25-2017 04:56 AM
Hi,
if you want to emulate an IPv4 router ACL, you should use a deny statement that denies IPv4 packets only:
entry 2.1 { if {source-address 0.0.0.0/0;} then { deny; count Deny;}}
Otherwise you will have problems with e.g. ARP as mentioned by Jarek.
Thanks,
Erik
‎04-24-2017 01:40 PM
Hi,
the last ACL will block all traffic, including ARP, etc., on VLAN ingress.
You should, for example, add before the last entry:
entry ARP {
    if match all { ethernet-type 0x0806; }
    then { permit; }
}
and so on...
--
Jarek
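As an added example (not code from this thread, nor Extreme's own implementation), the following Python script is a toy first-match evaluator that models the three policies discussed by Erik and Jarek above: Mark's original policy with an unconditional `if {}` deny, Erik's deny restricted to `source-address 0.0.0.0/0`, and Jarek's explicit ARP permit placed before the deny. The `Frame` and `Entry` classes, the sample frames, and the assumption that a frame matching no entry is forwarded are all constructed here; ARP frames are modelled with no IP header, which is why an IPv4 `source-address` condition does not match them.

```python
"""Toy first-match evaluator for EXOS-style policy entries.

Added example, not Extreme's code. It shows why 'entry 2.1 { if {} then { deny } }'
on a VLAN ingress ACL drops ARP along with IPv4, and how the two fixes from the
thread behave. Frames, entries and the default action are constructed here.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    """Minimal frame model: ARP frames carry no IP header, so src/dst stay None."""
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class Entry:
    """One 'if match all { ... } then { action }' policy entry (constructed model)."""
    name: str
    action: str                      # "permit" or "deny"
    ethertype: Optional[int] = None  # ethernet-type condition
    src: Optional[str] = None        # source-address CIDR condition
    dst: Optional[str] = None        # destination-address CIDR condition
    counter: Optional[str] = None    # 'count <name>' action

    def matches(self, f: Frame) -> bool:
        # 'match all' over an empty condition set is vacuously true: this is the
        # trap in the original policy, where 'if {}' matches every frame.
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        if self.src is not None:
            if f.src_ip is None or ip_address(f.src_ip) not in ip_network(self.src):
                return False
        if self.dst is not None:
            if f.dst_ip is None or ip_address(f.dst_ip) not in ip_network(self.dst):
                return False
        return True


def evaluate(policy: List[Entry], frame: Frame, counters: Optional[Dict[str, int]] = None) -> str:
    """Top-down, first match wins. A frame matching no entry is forwarded
    (assumed default here, which is why the thread adds an explicit deny)."""
    for e in policy:
        if e.matches(frame):
            if counters is not None and e.counter:
                counters[e.counter] = counters.get(e.counter, 0) + 1
            return e.action
    return "permit"


# The permit entry from the thread, shared by all three policies.
PERMIT_1_1 = Entry("1.1", "permit", src="192.168.132.0/26",
                   dst="192.168.249.202/32", counter="Permit")

POLICIES = {
    # Mark's original: unconditional deny matches ARP too.
    "original": [PERMIT_1_1, Entry("2.1", "deny", counter="Deny")],
    # Erik's fix: deny only frames with an IPv4 header.
    "ipv4_only_deny": [PERMIT_1_1, Entry("2.1", "deny", src="0.0.0.0/0", counter="Deny")],
    # Jarek's fix: explicitly permit ARP before the catch-all deny.
    "arp_permit": [PERMIT_1_1, Entry("ARP", "permit", ethertype=ETHERTYPE_ARP),
                   Entry("2.1", "deny", counter="Deny")],
}

# Constructed sample frames: an ARP request, an allowed IPv4 flow, and another IPv4 flow.
FRAMES = {
    "arp": Frame(ETHERTYPE_ARP),
    "allowed_ipv4": Frame(ETHERTYPE_IPV4, "192.168.132.10", "192.168.249.202"),
    "other_ipv4": Frame(ETHERTYPE_IPV4, "192.168.132.10", "10.0.0.1"),
}


def run_all() -> Dict[str, Dict[str, str]]:
    """Evaluate every sample frame against every policy; returns {policy: {frame: action}}."""
    return {pname: {fname: evaluate(policy, frame) for fname, frame in FRAMES.items()}
            for pname, policy in POLICIES.items()}


if __name__ == "__main__":
    for pname, results in run_all().items():
        print(pname, results)
```

Running it shows the original policy denying the ARP frame while both fixes let it through, and all three policies still permitting only the 192.168.132.0/26 to 192.168.249.202 flow among the IPv4 frames. The same model makes the ordering point visible: Jarek's ARP entry only helps because it sits above the deny.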
‎04-24-2017 01:30 PM
if match any
‎04-24-2017 01:30 PM
More about 'match all' or 'match any':
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS
