Basic Policy Based ACL
‎04-24-2017 01:17 PM
Hi there,
Can anyone explain to me why this basic ACL policy does not work?
This is using XOS 22.2.15 on an X450-G2.
I want to emulate Cisco behaviour of permitting what I want with a deny at the bottom.
# Permit
entry 1.1 { if { source-address 192.168.132.0/26; destination-address 192.168.249.202/32;} then { permit; count Permit;}}
# Deny Everything Else
entry 2.1 { if {} then { deny; count Deny;}}
The access list is applied to a VLAN as follows:
configure access-list Test vlan "Data" ingress
It seems to drop all packets, I thought policies were supposed to process top down with packets until they get a match?
Thanks,
Mark
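To see what top-down, first-match evaluation of the two entries in this post actually decides, here is a small Python model written for this thread (it is not part of the post and not EXOS code): it parses the entries, applies them in order, and bumps the count actions. The packet representation and the sample packets are constructed; in this model a frame that carries no IPv4 address fields (the ARP sample) cannot satisfy entry 1.1 and lands on entry 2.1's deny.

```python
import ipaddress
import re

# The two entries from the post, embedded as a constructed string.
POLICY_TEXT = """
# Permit
entry 1.1 { if { source-address 192.168.132.0/26; destination-address 192.168.249.202/32;} then { permit; count Permit;}}
# Deny Everything Else
entry 2.1 { if {} then { deny; count Deny;}}
"""

ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
FIELDS = {"source-address": "src", "destination-address": "dst"}  # match key -> packet field

def parse_policy(text):
    """Turn 'entry NAME { if {..} then {..} }' blocks into (name, conditions, actions)."""
    text = "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))
    entries = []
    for name, conds, acts in ENTRY_RE.findall(text):
        conditions = dict(c.split(None, 1) for c in (x.strip() for x in conds.split(";")) if c)
        entries.append((name, conditions, [a.strip() for a in acts.split(";") if a.strip()]))
    return entries

def _condition_holds(key, value, packet):
    """An address condition holds only if the packet has that IP field inside the subnet."""
    field = FIELDS.get(key)
    if field is None or field not in packet:
        return False
    return ipaddress.ip_address(packet[field]) in ipaddress.ip_network(value, strict=False)

def evaluate(entries, packet, counters):
    """Top-down, first match wins; 'count NAME' actions bump the named counter.
    Returns 'permit', 'deny', or None when no entry matched."""
    for _name, conditions, actions in entries:
        if all(_condition_holds(k, v, packet) for k, v in conditions.items()):
            for action in actions:
                if action.startswith("count "):
                    counters[action.split()[1]] = counters.get(action.split()[1], 0) + 1
            return "permit" if "permit" in actions else "deny"
    return None

def run_samples():
    """Evaluate constructed sample packets; returns (decisions, counters)."""
    entries = parse_policy(POLICY_TEXT)
    counters = {}
    samples = {
        "allowed-flow": {"src": "192.168.132.10", "dst": "192.168.249.202"},
        "wrong-dst":    {"src": "192.168.132.10", "dst": "192.168.249.203"},
        "outside-src":  {"src": "192.168.132.70", "dst": "192.168.249.202"},
        "arp-frame":    {"ethertype": "0x0806"},   # constructed non-IP frame: no addresses to test
    }
    decisions = {k: evaluate(entries, p, counters) for k, p in samples.items()}
    return decisions, counters
```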
14 REPLIES
‎04-25-2017 07:22 AM
That is a very good idea, but it does not work as expected
Line 3 : Failed argument value 49 is invalid
First of all, first argument should be
nlri any-ipv6/49
Secondly, I tried to filter out /48 announcements from an uplink, so I modified the first argument to a /47
Did a policy-refresh
Tried to disable and then re-enable the bgp-session, but still I can see /48 announcements from an uplink.
‎04-25-2017 07:22 AM
Hi Nick,
First a disclaimer: I did not test that my routing policies above really work...
My understanding is that "nlri any/X" without "exact" matches on any network with a prefix length of X or longer. Thus you can compose the policy to first deny the too-long prefixes, then allow the accepted prefix length range, and then deny anything not yet matched.
Example:
entry all_ipv6_05 { if { nlri any/49 } then { deny } }
entry all_ipv6_10 { if { nlri any/20 } then { permit } }
entry ipv6_out_15 { if { nlri any/0 } then { permit } }
That method should work for IPv4 as well.
Thanks,
Erik
‎04-25-2017 07:22 AM
Thanks for reply
What about this one?
ipv6 prefix-list allv6 seq 10 permit ::/0 ge 20 le 48
the equivalent to v4 we use is
ip prefix-list all seq 10 permit 0.0.0.0/0 ge 8 le 24
extreme-style is
entry bgp-min24-00 {
    if match any {
        nlri any/9 exact;
        nlri any/10 exact;
        nlri any/11 exact;
        nlri any/12 exact;
        nlri any/13 exact;
        nlri any/14 exact;
        nlri any/15 exact;
        nlri any/16 exact;
        nlri any/17 exact;
        nlri any/18 exact;
        nlri any/19 exact;
        nlri any/20 exact;
        nlri any/21 exact;
        nlri any/22 exact;
        nlri any/23 exact;
        nlri any/24 exact;
    }
    then {
        local-preference 130;
        community add "65535:65535";
        permit;
    }
}
entry bgp-min24-01 {
    if match any {
        nlri any/1 exact;
        nlri any/2 exact;
        nlri any/3 exact;
        nlri any/4 exact;
        nlri any/5 exact;
        nlri any/6 exact;
        nlri any/7 exact;
        nlri any/8 exact;
        nlri any/25 exact;
        nlri any/26 exact;
        nlri any/27 exact;
        nlri any/28 exact;
        nlri any/29 exact;
        nlri any/30 exact;
        nlri any/31 exact;
        nlri any/32 exact;
    }
    then {
        deny;
    }
}
‎04-25-2017 07:22 AM
Hi Nick,
A prefix list is not an access control list... On EXOS, routing policies use .pol files just like ACLs, but they use different match statements and actions. They even have their own chapter in the documentation, Routing Policies.
Anyway, the EXOS equivalent to your IOS prefix list line is:
entry ipv6_out_05 { if { nlri 2001:db8::/49 } then { deny } }
entry ipv6_out_10 { if { nlri 2001:db8::/32 } then { permit } }
You can use the exact keyword after the subnet specification to require an exact match, instead of accepting all longer prefixes.
Thanks,
Erik
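Erik's two replies (the any/X composition and the 2001:db8::/49 then 2001:db8::/32 pair) both rest on the same rule: without exact, "nlri net/len" matches every route inside net whose length is len or longer. The Python below is an added model written for this thread, not EXOS or the posters' code; it implements that assumed rule, evaluates constructed policies built from that composition with a final deny assumed for unmatched routes, and checks them for every prefix length against a reference model of the IOS "permit prefix ge X le Y" line. The any-ipv4/any-ipv6 handling follows Nick's mention of any-ipv6 and is likewise an assumption.

```python
import ipaddress

# Policies constructed for this example (not lines from the thread), following the
# composition described: deny too-long prefixes first, then permit the wanted range,
# and let everything else fall through to the final deny.
POLICY_ANY = [("any-ipv6/49", False, "deny"), ("any-ipv6/20", False, "permit")]
POLICY_DB8 = [("2001:db8::/49", False, "deny"), ("2001:db8::/32", False, "permit")]

def nlri_matches(nlri, exact, route):
    """One 'nlri <net>/<len> [exact]' clause. Assumed semantics (from the thread):
    without exact, net/len matches any route inside net with length >= len
    (any / any-ipv4 / any-ipv6 = any network of that family); with exact the
    route must be net/len itself."""
    r = ipaddress.ip_network(route, strict=False)
    net, _, length = nlri.partition("/")
    length = int(length)
    if net.startswith("any"):
        if net != "any" and r.version != int(net[-1]):
            return False
        return r.prefixlen == length if exact else r.prefixlen >= length
    n = ipaddress.ip_network(f"{net}/{length}", strict=False)
    if r.version != n.version:
        return False
    return r == n if exact else r.subnet_of(n)

def evaluate(policy, route):
    """First matching entry decides; an unmatched route is denied here
    (assumed implicit deny at the end of the policy)."""
    for nlri, exact, action in policy:
        if nlri_matches(nlri, exact, route):
            return action
    return "deny"

def ios_prefix_list(prefix, ge, le, route):
    """Reference model of one IOS line 'permit <prefix> ge <ge> le <le>'."""
    p = ipaddress.ip_network(prefix, strict=False)
    r = ipaddress.ip_network(route, strict=False)
    inside = r.version == p.version and r.subnet_of(p)
    return "permit" if inside and ge <= r.prefixlen <= le else "deny"

def equivalent_over_lengths(policy, prefix, ge, le, base="2001:db8::"):
    """True when the EXOS-style policy and the IOS line agree for base/0 .. base/128."""
    return all(evaluate(policy, f"{base}/{n}") == ios_prefix_list(prefix, ge, le, f"{base}/{n}")
               for n in range(129))
```

Swapping a deny entry for exact (for example ("any-ipv6/49", True, "deny")) breaks the equivalence, which is the difference between the long enumerated lists in the v4 policy above and the two-entry range form.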
‎04-25-2017 07:22 AM
I'm trying to make a policy from this Cisco line
ipv6 prefix-list ipv6_out seq 10 permit 2001:db8::/32 le 48
and it does not seem to work:
entry acl_prefix-list_1 {
    if {
    } then {
        permit ;
    }
}
