creating acl
‎06-23-2015 07:33 PM
Hello everyone,
I'm creating an ACL on an X460; however, I'd like to permit some traffic and block all other access to that specific service, as in the ACL below.
edit policy acl_input
entry permit_telnet {
    if match any {
        destination-address 192.168.3.29/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 23;
    } then {
        permit;
    }
}
entry permit_bgp {
    if match any {
        destination-address 1.3.4.5/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 179;
    } then {
        permit;
    }
}
entry permit_icmp {
    if match any {
        protocol icmp;
        source-address 192.168.3.10;
    } then {
        permit;
    }
}
entry block_all {
    if match all {
        source-address 192.168.3.10;
    } then {
        deny;
    }
}
The question is, when I applied it I lost all connectivity to the switch. What I'd like is to permit a few IPs and services and, after that, block all access to the switch that isn't permitted.
Please, how can I create this ACL?
Thanks
13 REPLIES
‎06-24-2015 09:21 AM
Hi,
Where do you apply the policy? Can you give more details?
Maybe you are connecting to the switch from 192.168.3.10?
Do you have any other ACL on the switch ?
--
Jarek
‎06-24-2015 09:21 AM
Hello Jarek.
It's exactly what I wish. I need match all.
Somehow, what I concluded is that this table "Prefix Range Example" doesn't work as expected.
If anyone at Extreme wishes to do more tests, I'm available to go ahead with it.
‎06-24-2015 09:21 AM
Wellison, I forgot to add one thing about the entry.
entry bgp_filter-10 {
    if match any {
        nlri any/20 max 24;
        as-path "^56789$";
    } then {
        permit;
        local-preference 750;
    }
}
"if match any" means: if any of those two is true, a match occurs.
In this case, all prefixes (any /XX) will be true for as-path "^56789$", plus prefixes /20 to /24.
If you change this to "if match all" (which is the default), then all match conditions must be true,
and you will have prefixes /20 - /24 in AS 56789.
--
Jarek
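To make the difference between "if match any" and "if match all" concrete, here is a small first-match evaluator written for this thread (added example, not Extreme's code and not anything from the posters). It models only the condition types that appear in the posted policies, assumes that a bare address such as 192.168.3.10 means /32 and that "nlri any/20 max 24" means a prefix length of 20 to 24, and does not model any implicit action for a packet that matches no entry. The names evaluate, acl_input and bgp_filter, and the sample packets and routes, are all constructed for the example. Run against the original post's acl_input it shows that under "match any" a single true condition (say, "protocol tcp") is enough to permit, while under "match all" only the intended flows from 192.168.3.10 pass and block_all catches the rest; run against bgp_filter-10 it shows a /28 from AS 56789 matching under "any" but not under "all".

```python
"""Toy evaluator for the ExtremeXOS policy 'if match any' / 'if match all'
semantics discussed in this thread. Added example, not Extreme's code."""
import ipaddress
import re


def _cond_matches(key, want, obj):
    """Evaluate one match condition against a packet or route dict."""
    if key in ("source-address", "destination-address"):
        net = ipaddress.ip_network(want, strict=False)   # bare host -> /32 (assumption)
        return ipaddress.ip_address(obj[key]) in net
    if key == "nlri":                                    # want = (min_len, max_len)
        plen = ipaddress.ip_network(obj["prefix"]).prefixlen
        return want[0] <= plen <= want[1]
    if key == "as-path":                                 # regex over the AS path string
        return re.search(want, obj["as-path"]) is not None
    return obj.get(key) == want                          # protocol, destination-port


def evaluate(policy, obj):
    """First-match evaluation: return (entry_name, action) or None on fall-through."""
    for name, mode, conds, action in policy:
        results = [_cond_matches(k, v, obj) for k, v in conds.items()]
        hit = any(results) if mode == "any" else all(results)
        if hit:
            return name, action
    return None


def acl_input(mode):
    """The thread's acl_input with its three permit entries in match mode `mode`."""
    return [
        ("permit_telnet", mode, {"destination-address": "192.168.3.29/32",
                                 "source-address": "192.168.3.10",
                                 "protocol": "tcp", "destination-port": 23}, "permit"),
        ("permit_bgp", mode, {"destination-address": "1.3.4.5/32",
                              "source-address": "192.168.3.10",
                              "protocol": "tcp", "destination-port": 179}, "permit"),
        ("permit_icmp", mode, {"protocol": "icmp",
                               "source-address": "192.168.3.10"}, "permit"),
        ("block_all", "all", {"source-address": "192.168.3.10"}, "deny"),
    ]


def bgp_filter(mode):
    """Jarek's bgp_filter-10 entry in match mode `mode`."""
    return [("bgp_filter-10", mode,
             {"nlri": (20, 24), "as-path": r"^56789$"}, ("permit", 750))]


# Constructed sample packets (not from the thread).
SSH_FROM_OTHER = {"source-address": "10.0.0.5", "destination-address": "192.168.3.29",
                  "protocol": "tcp", "destination-port": 22}
SSH_FROM_10 = {"source-address": "192.168.3.10", "destination-address": "192.168.3.29",
               "protocol": "tcp", "destination-port": 22}
TELNET_FROM_10 = {"source-address": "192.168.3.10", "destination-address": "192.168.3.29",
                  "protocol": "tcp", "destination-port": 23}
# Constructed sample routes (documentation prefixes).
ROUTE_28_FROM_56789 = {"prefix": "203.0.113.0/28", "as-path": "56789"}
ROUTE_22_FROM_56789 = {"prefix": "198.51.100.0/22", "as-path": "56789"}


if __name__ == "__main__":
    for mode in ("any", "all"):
        print(f"acl_input, if match {mode}:")
        for label, pkt in [("ssh from 10.0.0.5", SSH_FROM_OTHER),
                           ("ssh from .10", SSH_FROM_10),
                           ("telnet from .10", TELNET_FROM_10)]:
            print(f"  {label:18} -> {evaluate(acl_input(mode), pkt)}")
        print(f"bgp_filter-10, if match {mode}:")
        for label, rt in [("/28 from AS56789", ROUTE_28_FROM_56789),
                          ("/22 from AS56789", ROUTE_22_FROM_56789)]:
            print(f"  {label:18} -> {evaluate(bgp_filter(mode), rt)}")
```

The point to take from the "any" run is that an SSH packet from an unrelated host (10.0.0.5) is permitted by permit_telnet purely because its destination address matches, and SSH from 192.168.3.10 is permitted for the same reason; only under "all" does that second packet fall through to block_all and get denied. The same mechanism puts a /28 from AS 56789 into bgp_filter-10 under "any", which is the behaviour the later reply in this thread observed.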
‎06-24-2015 09:21 AM
Hi @Jarek,
I have done it; however, when I applied this rule it marked all prefixes from /20 to /32 with local-preference 750. In that case I believe I should create a rule blocking /25, like "nlri any/25;", coming in from ASN 56789 and then apply another policy setting up local-preference, because I'm seeing that Prefix Range doesn't work as it should.
So, I applied the rules below to work as I wish.
entry bgp_filter-0 {
    if match any {
        nlri any/25;
        as-path "^56789$";
    } then {
        deny;
    }
}
entry bgp_filter-3 {
    if match any {
        as-path "^56789$";
    } then {
        local-preference 750;
    }
}
And the next rules are the same.
Is prefix range working as hoped? That is my doubt.
