How to make ACL that will only allow HTTP traffic to and from a specific host

James_Red1
New Contributor III
I am new to ACLs in Extreme and would like to seek your support on how to make an ACL that only allows HTTP and HTTPS traffic to and from host 10.158.22.36. All other packets to and from 10.158.22.36 should be denied.

thank you!


David_Choi
Extreme Employee
There is an article about "How to create and apply an ACL in EXOS": https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS/

I think your ACL syntax may be:

# Entries are evaluated top to bottom; the first matching entry decides.
# EXOS requires a counter name after "count", so each entry names its own.
# Entries one/two: HTTP and HTTPS sent by the host
entry one {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count from_host_http ;
        permit ;
    }
}
entry two {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count from_host_https ;
        permit ;
    }
}
# Entries three/four: HTTP and HTTPS sent to the host
entry three {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count to_host_http ;
        permit ;
    }
}
entry four {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count to_host_https ;
        permit ;
    }
}
# Entries five/six: everything else from or to the host is dropped
entry five {
    if match all {
        source-address 10.158.22.36/32 ;
    } then {
        count from_host_other ;
        deny ;
    }
}
entry six {
    if match all {
        destination-address 10.158.22.36/32 ;
    } then {
        count to_host_other ;
        deny ;
    }
}

But if host 10.158.22.36 is just a user device and not a server providing the web service, then I think you don't need both directions. The "source-address" and "destination-port" match conditions will be enough.

Well, I think you should consider the ACL according to the direction of the traffic, and you may divide it into two separate ACLs: ACL1, whose match conditions use "source-address", and ACL2, whose match conditions use "destination-address".
The ACLs can be applied in various ways depending on where they are to be applied. For example, ACL1 can be applied as ingress on the port or VLAN the host is connected to. ACL1 can also be applied as egress on the uplink port or on a port connected to an end user, because the goal of ACL1 is only to accept HTTP/HTTPS traffic from the specific host. Either way meets the goal.
(Please remember that not all EXOS switches support egress ACLs.)

Usually, ACL1 is applied as ingress on the port or VLAN the host is connected to, for traffic coming from the host, and ACL2 is applied as ingress on the uplink port (or VLAN) or on the ports connected to end users, for traffic entering the switch destined to the host.
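Because EXOS decides on the first matching entry, it is worth checking a policy against a few sample flows before applying it. The following is an added example, not code from the thread or from Extreme: a small first-match simulator for the six entries above, plus a variant with two extra source-port entries for the case where the host is the web server and its replies leave with source port 80/443. The client address, ports and the implicit-permit default at the end of the policy are assumptions made for the model.

```python
HOST = "10.158.22.36"

# The six entries from the reply above, in order: (match conditions, action).
# A key absent from the match dict means "any". Constructed model, not a
# switch export.
POLICY = [
    ({"src": HOST, "proto": "tcp", "dport": 80},  "permit"),   # entry one
    ({"src": HOST, "proto": "tcp", "dport": 443}, "permit"),   # entry two
    ({"dst": HOST, "proto": "tcp", "dport": 80},  "permit"),   # entry three
    ({"dst": HOST, "proto": "tcp", "dport": 443}, "permit"),   # entry four
    ({"src": HOST},                               "deny"),     # entry five
    ({"dst": HOST},                               "deny"),     # entry six
]

# Variant for a host that is the web SERVER: its replies leave with
# source-port 80/443, so they need their own permit entries before the denies.
SERVER_POLICY = POLICY[:4] + [
    ({"src": HOST, "proto": "tcp", "sport": 80},  "permit"),
    ({"src": HOST, "proto": "tcp", "sport": 443}, "permit"),
] + POLICY[4:]

def evaluate(policy, pkt):
    """First entry whose conditions all match decides; if none matches,
    the packet is forwarded (assumed implicit permit, modelled here)."""
    for match, action in policy:
        if all(pkt.get(k) == v for k, v in match.items()):
            return action
    return "permit"

# Constructed sample flows: a client browsing the host, the host's reply,
# an SSH attempt at the host, and a flow not involving the host at all.
CLIENT = "10.1.1.5"  # assumed client address
FLOWS = {
    "client->host:443": {"src": CLIENT, "dst": HOST, "proto": "tcp", "sport": 50000, "dport": 443},
    "host:443->client": {"src": HOST, "dst": CLIENT, "proto": "tcp", "sport": 443, "dport": 50000},
    "client->host:22":  {"src": CLIENT, "dst": HOST, "proto": "tcp", "sport": 50001, "dport": 22},
    "client->other:22": {"src": CLIENT, "dst": "10.1.1.9", "proto": "tcp", "sport": 50002, "dport": 22},
}

def decisions(policy):
    """Map each sample flow name to the action the policy takes on it."""
    return {name: evaluate(policy, pkt) for name, pkt in FLOWS.items()}

if __name__ == "__main__":
    for label, policy in (("as posted", POLICY), ("server variant", SERVER_POLICY)):
        print(label, decisions(policy))
```

With the entries as posted, the server's own HTTPS reply (source port 443, ephemeral destination port) falls through to entry five and is denied, which is the case the source-port variant covers.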

Hello,

I would just like to clarify: in which direction should I apply the ACL, egress or ingress?
configure access-list vlan egress|ingress

thank you! I will give it a try and see the results.

Actually, the host is a server on which I need to launch the GUI remotely. I would like to restrict access to that host to GUI access only.
