creating acl
06-23-2015 07:33 PM
Hello everyone,
I'm creating an ACL on an X460. I'd like to permit a little traffic and block any other access to that specific service, like the ACL below.

edit policy acl_input
entry permit_telnet {
    if match any {
        destination-address 192.168.3.29/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 23;
    } then {
        permit;
    }
}
entry permit_bgp {
    if match any {
        destination-address 1.3.4.5/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 179;
    } then {
        permit;
    }
}
entry permit_icmp {
    if match any {
        protocol icmp;
        source-address 192.168.3.10;
    } then {
        permit;
    }
}
entry block_all {
    if match all {
        source-address 192.168.3.10;
    } then {
        deny;
    }
}

The question is: when I applied it I lost all connection to the switch. What I'd like is to permit a few IPs and services and, after that, block all access to the switch that is not permitted.
Please, how can I create this ACL?
Thanks
06-24-2015 09:21 AM
The policy you have above should block the whole network from /8 to /32.
06-24-2015 09:21 AM
Hi Annas,
I'm applying this on a specific VLAN, in ingress mode.
It's true, Annas, I made a mistake there. I've swapped them and it works fine now.
Thank you for spotting this mistake.
Another thing, about creating a routing policy like a prefix-list on Cisco, for instance:

ip prefix-list TESTE seq 10 permit/deny 10.10.0.0/8 le 32

On Extreme I can do it like this:

as_65000-IN.pol
entry politic_input {
    if {
        nlri 10.10.0.0/8;
    }
    then {
        permit/deny;
    }
}

With this rule I mean to block the network 10.10.0.0/8, but I need to block the whole network from /8 to /32. Please, how can I do that on Extreme?
Thanks
06-24-2015 09:21 AM
Are you applying this ACL on a port or a VLAN? I am assuming you are applying it on the ingress? Also, if the IP address 192.168.3.10 "resides" inside your switch you probably need to swap the destination IP with the source IP (assuming you are applying the ACL on ingress).
06-24-2015 09:21 AM
Hi Jarek,
I'm applying it on the X460 whose IP address is 192.168.3.10. A short time after applying it I tried connecting to the switch and couldn't anymore, so I had to log in via console and disable this access-list; after that I was able to connect again.
Do you have any other ACL on the switch?
No, I don't.
In this ACL I'd like first to permit a few IP addresses to connect to the switch and also to establish the BGP session; after those permits I'd like to block any access attempt toward the switch that is not permitted.
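An added example, not from the thread and not Extreme's code: a small Python evaluator that mimics first-match ACL semantics, so a permit-a-few-then-deny policy for the switch's own address can be checked against sample packets before it is applied to the management VLAN. It assumes entries are tried top-down, the first hit wins, a packet that hits no entry is forwarded, and it uses the thread's addresses plus a constructed outside host (10.9.9.9) and transit host (192.168.3.50).

```python
import ipaddress

def _hit(cond, pkt):
    # One condition; address conditions are CIDR matches (a bare address means /32).
    key, want = cond
    if key.endswith("-address"):
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want, strict=False)
    return pkt.get(key) == want

def evaluate(policy, pkt):
    """Top-down, first matching entry wins; a packet that hits no entry is
    forwarded (assumed EXOS behaviour: no implicit deny at the end of an ACL)."""
    for name, mode, conds, action in policy:
        hits = [_hit(c, pkt) for c in conds]
        if any(hits) if mode == "any" else all(hits):
            return name, action
    return "no-entry", "permit"

def mkpkt(src, dst, proto, sport=None, dport=None):
    return {"source-address": src, "destination-address": dst, "protocol": proto,
            "source-port": sport, "destination-port": dport}

SWITCH, ADMIN, PEER = "192.168.3.10", "192.168.3.29", "1.3.4.5"
# Ingress policy with the roles the thread ends up with: on ingress the switch's
# address is the *destination* of the packets the ACL sees, and every condition
# of an entry must hold ("match all"). The BGP reply entry covers the case where
# the switch opened the session, so the peer's packets carry source-port 179.
INGRESS = [
    ("permit_telnet", "all", [("source-address", ADMIN), ("destination-address", SWITCH),
                              ("protocol", "tcp"), ("destination-port", 23)], "permit"),
    ("permit_bgp", "all", [("source-address", PEER), ("destination-address", SWITCH),
                           ("protocol", "tcp"), ("destination-port", 179)], "permit"),
    ("permit_bgp_reply", "all", [("source-address", PEER), ("destination-address", SWITCH),
                                 ("protocol", "tcp"), ("source-port", 179)], "permit"),
    ("permit_icmp", "all", [("protocol", "icmp"), ("destination-address", SWITCH)], "permit"),
    ("block_switch", "all", [("destination-address", SWITCH)], "deny"),
]
# The deny entry as originally posted: nothing arriving on the VLAN carries the
# switch's own address as its source, so on ingress this entry never fires.
POSTED_DENY = [("block_all", "all", [("source-address", SWITCH)], "deny")]
SAMPLES = {  # constructed sample traffic
    "admin_telnet": mkpkt(ADMIN, SWITCH, "tcp", 51000, 23),
    "peer_bgp_open": mkpkt(PEER, SWITCH, "tcp", 40000, 179),
    "peer_bgp_reply": mkpkt(PEER, SWITCH, "tcp", 179, 42000),
    "stranger_ssh": mkpkt("10.9.9.9", SWITCH, "tcp", 52000, 22),
    "transit_http": mkpkt("10.9.9.9", "192.168.3.50", "tcp", 53000, 80),
}
if __name__ == "__main__":
    for label, p in SAMPLES.items():
        print(f"{label:15} -> {evaluate(INGRESS, p)}")
```

Transit traffic between hosts on the VLAN never reaches the final deny because that entry only matches packets addressed to the switch itself.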
