Hi again,
I'm having some trouble configuring the policy file. The goal is to permit several IP subnets on an ingress port while denying the rest. This is the way I'm trying to do it:
#1 configure policy file
vi PERMIT-Customersubnets.pol
entry PERMIT-Customersubnets {
if match any {
source-address a.b.c.d/16;
source-address e.f.g.h/24;
source-address i.j.k.l/24;
.
.
.
}
then {
count test;
permit;
}
else{
deny}
}
#2 check policy
check policy PERMIT-ORANGE-CUSTOMER-ONLY
Policy file check successful.
#3 configure access-list
configure access-list PERMIT-ORANGE-CUSTOMER-ONLY ports 2 ingress
I have the following error:
Error: Policy PERMIT-Customersubnets has syntax errors
Line 4 : Attribute source-address already exists as a match statement in Acl entry PERMIT-Customersubnets.
So even though the policy file seems OK, I still have errors when applying the ACL.
So my 2 questions are: is it possible to configure 'match any' even when the policy file is being called by an access-list (I have some doubts about the 'match any' statement in the documentation)? And the other one is about the syntax for repeated source-address objects.
Thanks a lot,
BR