creating acl

welisson
New Contributor III
Hello everyone,

I'm creating an ACL on an X460; however, I'd like to permit a few traffic flows and block any other access to that specific service, like the ACL below.

edit policy acl_input

entry permit_telnet {
    if match any {
        destination-address 192.168.3.29/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 23;
    } then {
        permit;
    }
}
entry permit_bgp {
    if match any {
        destination-address 1.3.4.5/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 179;
    } then {
        permit;
    }
}
entry permit_icmp {
    if match any {
        protocol icmp;
        source-address 192.168.3.10;
    } then {
        permit;
    }
}
entry block_all {
    if match all {
        source-address 192.168.3.10;
    } then {
        deny;
    }
}


The question is, when I applied it I lost all connection to the switch. However, I'd like to permit a few IPs and services and, after doing that, block all access to the switch that isn't permitted.

Please, how can I create this ACL?

tks


The policy you have above should block the whole network from /8 to /32.

welisson
New Contributor III
Hi Annas,

I'm applying this on a specific VLAN in ingress mode.

It's true, Annas, I made a mistake there. I've swapped them and it has worked fine until now.

Thank you for looking into this mistake.

Another thing, about creating a routing policy like a prefix-list on Cisco, for instance the one below:

ip prefix-list TESTE seq 10 permit/deny 10.10.0.0/8 le 32

On Extreme I can do it like below:
as_65000-IN.pol

entry politic_input {
    if {
        nlri 10.10.0.0/8;
    }
    then {
        permit/deny;
    }
}

With this rule I mean to block the network 10.10.0.0/8, but I need to block the whole network from /8 to /32. Please, how can I do that on Extreme?

tks
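As an added example (my own code, not from this thread or from Extreme), here is a small matcher that compares the Cisco `ip prefix-list ... le 32` semantics with an EXOS `nlri` term over constructed sample routes. It assumes, in line with Annas's reply, that `nlri 10.0.0.0/8` without an `exact` keyword matches every route from /8 through /32 inside that block, and that `nlri ... exact` matches only the /8 itself; the `exact` keyword is my assumption about the EXOS policy syntax.

```python
import ipaddress


def _nets(route, prefix):
    # strict=False normalises prefixes with host bits set: the thread's
    # 10.10.0.0/8 is really 10.0.0.0/8 on both Cisco and EXOS.
    return (ipaddress.ip_network(route, strict=False),
            ipaddress.ip_network(prefix, strict=False))


def cisco_prefix_match(route, prefix, ge=None, le=None):
    """Cisco 'ip prefix-list' term: the route must fall inside `prefix`; with
    neither ge nor le only an exact-length match counts, otherwise the route
    length must lie in [ge or prefix length, le or 32]."""
    r, p = _nets(route, prefix)
    if r.version != p.version or not r.subnet_of(p):
        return False
    if ge is None and le is None:
        return r.prefixlen == p.prefixlen
    lo = ge if ge is not None else p.prefixlen
    hi = le if le is not None else r.max_prefixlen
    return lo <= r.prefixlen <= hi


def exos_nlri_match(route, prefix, exact=False):
    """EXOS policy 'nlri' term (assumed semantics, see lead-in): without
    'exact' every route contained in `prefix` matches; with 'exact' only the
    prefix itself does."""
    r, p = _nets(route, prefix)
    if r.version != p.version:
        return False
    return r == p if exact else r.subnet_of(p)


def compare(routes, prefix="10.10.0.0/8"):
    """Map each route to (cisco 'le 32', exos nlri, exos nlri exact)."""
    return {rt: (cisco_prefix_match(rt, prefix, le=32),
                 exos_nlri_match(rt, prefix),
                 exos_nlri_match(rt, prefix, exact=True)) for rt in routes}


# Constructed sample routes: the /8 itself, a /16 and a /32 inside it,
# and one route outside the block.
SAMPLE_ROUTES = ["10.0.0.0/8", "10.10.0.0/16", "10.10.0.5/32", "172.16.0.0/12"]

if __name__ == "__main__":
    for rt, (c, e, ex) in compare(SAMPLE_ROUTES).items():
        print(f"{rt:>14}  cisco le32={c!s:5}  exos nlri={e!s:5}  exos exact={ex}")
```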

Are you applying this ACL on a port or a VLAN? I am assuming you are applying it on the ingress? Also, if the IP address 192.168.3.10 "resides" inside your switch you probably need to swap the destination IP with the source IP (assuming you are applying the ACL on ingress).

welisson
New Contributor III
Hi Jarek,

I'm applying it on the X460 whose IP address is 192.168.3.10. A short time after applying it, I tried connecting to the switch and couldn't anymore, so I had to log in via the console and disable this access-list, and then I was able to connect again.

Do you have any other ACL on the switch?
No, I don't.

In this ACL, I'd first like to permit a few IP addresses to connect to the switch and also to establish a BGP session; after those permits I'd like to block any access attempt toward the switch that is not permitted.
