creating acl
‎06-23-2015 07:33 PM
Hello everyone,
I'm creating an ACL on an x460; however, I'd like to permit a few kinds of traffic and block any access to that specific service, like the ACL below.
edit policy acl_input
entry permit_telnet {
    if match any {
        destination-address 192.168.3.29/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 23;
    }
    then {
        permit;
    }
}
entry permit_bgp {
    if match any {
        destination-address 1.3.4.5/32;
        source-address 192.168.3.10;
        protocol tcp;
        destination-port 179;
    } then {
        permit;
    }
}
entry permit_icmp {
    if match any {
        protocol icmp;
        source-address 192.168.3.10;
    } then {
        permit;
    }
}
entry block_all {
    if match all {
        source-address 192.168.3.10;
    } then {
        deny;
    }
}
The question is, when I applied it I lost all connection to the switch; however, I'd like to permit a few IPs and services and, after doing that, block all access to the switch that isn't permitted.
Please, how can I create this ACL?
Tks
13 REPLIES
‎06-24-2015 09:21 AM
Insert rule "bgp_filter-10" at the top of this policy.
--
Jarek
‎06-24-2015 09:21 AM
After I read this guide and found "Prefix Range Examples", I configured my route policy as below:
entry bgp_filter {
    if match any {
        as-path "15123";
    } then {
        permit;
        local-preference 800;
    }
}
entry bgp_filter-05 {
    if match any {
        as-path "1234";
    }
    then {
        permit;
        local-preference 450;
    }
}
entry bgp_filter-10 {
    if match any {
        nlri any/20 max 24;
        as-path "^56789$";
    }
    then {
        permit;
        local-preference 750;
    }
}
entry bgp_filter-100 {
    if match all {
    } then {
        deny;
    }
}
At entry bgp_filter-10 I want to permit all IP addresses from /20 to /24, but when I run a refresh on my policy, I can't see this filter being fully applied; that is, I still see prefixes from /20 to /32 with the local-preference being applied.
What is the better way to build this rule?
‎06-24-2015 09:21 AM
Tks Jarek for the tip.
I found what I need. I was searching Extreme's User Guide and it doesn't have this information.
Now I found it in the Concepts Guide.
Tks
‎06-24-2015 09:21 AM
For prefix /24, yes, you must add exact at the end.
Search in the concept guide for "Prefix Range Examples" 🙂
--
Jarek
‎06-24-2015 09:21 AM
Hi Annas,
So, it will block or accept from /8 until /32 implicitly; so, if I'd like just /8 or /24, I should configure "nlri 10.10.0.0/24 exact;", shouldn't I?
sincerely
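An added example, not part of the thread and not ExtremeXOS code: a small Python model of the route policy posted above, comparing how `bgp_filter-10` treats sample routes under `match any` and under `match all`. It assumes first-match, top-down evaluation, that `match any` ORs the conditions while `match all` ANDs them, that `nlri any/20 max 24` matches prefix lengths 20 through 24, and that as-path patterns behave like Python regular expressions; the helper names and sample routes are constructed.

```python
import re

# Constructed model of the thread's route policy (assumed semantics, see lead-in).
# Each entry: (name, match mode, conditions, (action, local-preference)).
POLICY = [
    ("bgp_filter",     "any", {"as_path": "15123"}, ("permit", 800)),
    ("bgp_filter-05",  "any", {"as_path": "1234"},  ("permit", 450)),
    ("bgp_filter-10",  "any", {"nlri_len": (20, 24), "as_path": "^56789$"},
     ("permit", 750)),
    ("bgp_filter-100", "all", {}, ("deny", None)),  # empty "match all" matches everything
]

def cond_results(conds, prefix_len, as_path):
    """Evaluate each condition of one entry against one route."""
    out = []
    if "nlri_len" in conds:
        lo, hi = conds["nlri_len"]          # "exact" on a /24 would be (24, 24)
        out.append(lo <= prefix_len <= hi)
    if "as_path" in conds:
        out.append(re.search(conds["as_path"], as_path) is not None)
    return out

def evaluate(policy, prefix_len, as_path):
    """Return (entry name, action) of the first entry that matches the route."""
    for name, mode, conds, action in policy:
        results = cond_results(conds, prefix_len, as_path)
        matched = any(results) if mode == "any" else all(results)
        if matched:
            return name, action
    return None, ("deny", None)

def with_mode(policy, entry, mode):
    """Copy of the policy with one entry switched to 'any' or 'all'."""
    return [(n, mode if n == entry else m, c, a) for n, m, c, a in policy]

if __name__ == "__main__":
    strict = with_mode(POLICY, "bgp_filter-10", "all")
    # Constructed sample routes: (prefix length, AS path).
    for plen, path in [(22, "56789"), (32, "56789"), (22, "99999")]:
        print(f"/{plen} via {path}: any -> {evaluate(POLICY, plen, path)}, "
              f"all -> {evaluate(strict, plen, path)}")
```

In this model, a /32 from AS 56789 and a /22 from an unrelated AS are both permitted with local-preference 750 under `match any`, and both fall through to `bgp_filter-100` under `match all`.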
