This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

convert cisco acl in to extreme summit X440

convert cisco acl in to extreme summit X440

zain_mallick
New Contributor

‎04-19-2016 02:46 AM

access-list 10 permit 172.16.66.246
access-list 10 permit 172.16.66.241
access-list 10 permit 172.16.72.110
access-list 10 permit 172.16.72.84
access-list 10 permit 172.168.202.100
access-list 10 permit 172.16.72.17

this is cisco code and i want this code in extreme X440...plz guide me and give me a code in detail.

0 Kudos
19 REPLIES 19

Henrique
Extreme Employee
In response to Erik_Auerswald

‎04-19-2016 07:48 AM

Hi Erik, good point. Thanks for that.

I forgot to mention that it's necessary to permit some traffic etypes before the deny all rule to allow protocols like ARP/DNS/DHCP. Also other L2 protocol frames that you mentioned.

Thanks again. 🙂

0 Kudos

Erik_Auerswald
Contributor II
In response to Erik_Auerswald

‎04-19-2016 07:48 AM

Hello Henrique,

you need to be careful with the empty match statement!

The empty match statement matches any layer two frame (if the ACL is applied inbound). The IOS IPv4 ACL matches IPv4 packets only. At least this means different behaviour between IOS and EXOS. At worst it can break EAPS, ERPS, STP, LACP, ... and thus the network.

Erik
0 Kudos

Henrique
Extreme Employee
In response to Erik_Auerswald

‎04-19-2016 07:48 AM

Hi, just an observation:

For ingress ACL deny all rule you can skip (source-address 0.0.0.0/0).

That's mandatory only when using deny_all ACL for egress.

That means:

Deny All Ingress Rule:

entry deny_all_ingress {
if {
} then {
deny;
}
}

Deny All Egress Rule:

entry deny_all_egress {
if {
source-address 0.0.0.0/0
} then {
deny;
}
}
0 Kudos

Anonymous
Not applicable

‎04-19-2016 07:26 AM

Never tried it, or know how useful it would be in this situation but there is a module you can install that allows you to put Cisco like commands into EXOS:

https://gtacknowledge.extremenetworks.com/articles/How_To/Cisco-commands-configuration-in-Extreme-de...

0 Kudos

Kawawa
Extreme Employee

‎04-19-2016 06:12 AM

Extreme ACLs take on the following form
entry { if {condition ; } then {action ; }}for example
entry ACL-1 { if source-address 172.16.66.246 ; } then { permit ; } }The following article contains more details including additional match conditions: How to create and apply an ACL in EXOS
0 Kudos
GTM-P2G8KFN