How to make an ACL that will only allow HTTP traffic to and from a specific host
‎06-23-2016 06:21 AM
I am new to ACLs in Extreme and would like to seek your support on how to make an ACL that only allows HTTP and HTTPS traffic to and from host 10.158.22.36. All other packets to and from 10.158.22.36 should be denied.
thank you!
4 REPLIES
‎06-23-2016 07:09 AM
There is an article about "how to create and apply an ACL in EXOS": https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-create-and-apply-an-ACL-in-EXOS/
I think your ACL syntax may be:
entry one {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count ;
        permit ;
    }
}
entry two {
    if match all {
        source-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count ;
        permit ;
    }
}
entry three {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 80 ;
    } then {
        count ;
        permit ;
    }
}
entry four {
    if match all {
        destination-address 10.158.22.36/32 ;
        protocol tcp ;
        destination-port 443 ;
    } then {
        count ;
        permit ;
    }
}
entry five {
    if match all {
        source-address 10.158.22.36/32 ;
    } then {
        count ;
        deny ;
    }
}
entry six {
    if match all {
        destination-address 10.158.22.36/32 ;
    } then {
        count ;
        deny ;
    }
}
But if the host 10.158.22.36 is just a user device and not a server providing the web service, then I think you don't need both directions. It will be enough with the "source-address" and "destination-port" match conditions.
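As an added example (not code from the reply above or from Extreme Networks), the following Python script models the EXOS first-match evaluation so the six entries can be checked against sample flows before the policy goes on a switch. It assumes the documented EXOS ACL behaviour (entries evaluated top to bottom, first match wins, implicit permit when nothing matches); the client address 10.158.22.100 and the sample flows are constructed. It also carries a second rule set for the case the asker raises at the end of the thread, where the host is a server whose GUI is reached remotely: the server's own replies leave with source-port 80/443 and an ephemeral destination port, so they match none of the four permit entries and are caught by "entry five". The script shows that and renders the adjusted entries in .pol syntax.

```python
"""Check an EXOS-style ACL policy offline before applying it to a switch.

Added example for this thread, not code from the original reply or from Extreme
Networks. Assumes EXOS semantics: entries are evaluated top to bottom, the first
matching entry's action applies, and a packet matching no entry is permitted.
"""
from dataclasses import dataclass
from typing import Optional

HOST = "10.158.22.36"       # the host from the thread
CLIENT = "10.158.22.100"    # constructed address of a remote GUI user


@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


@dataclass
class Entry:
    """One 'entry name { if match all { ... } then { ... } }' block."""
    name: str
    action: str                   # "permit" or "deny"
    src: Optional[str] = None     # source-address
    dst: Optional[str] = None     # destination-address
    proto: Optional[str] = None   # protocol
    sport: Optional[int] = None   # source-port
    dport: Optional[int] = None   # destination-port

    def matches(self, f: Flow) -> bool:
        # "match all": every condition that is present must hold
        wanted = [(self.src, f.src), (self.dst, f.dst), (self.proto, f.proto),
                  (self.sport, f.sport), (self.dport, f.dport)]
        return all(want is None or want == got for want, got in wanted)


def evaluate(policy: list, f: Flow) -> str:
    """First matching entry wins; no match is an implicit permit on EXOS."""
    for entry in policy:
        if entry.matches(f):
            return entry.action
    return "permit"


def render(policy: list) -> str:
    """Emit the entries in .pol syntax, ready to paste into 'edit policy <name>'."""
    keyword = {"src": "source-address", "dst": "destination-address",
               "proto": "protocol", "sport": "source-port", "dport": "destination-port"}
    lines = []
    for e in policy:
        lines += [f"entry {e.name} {{", "    if match all {"]
        for attr, kw in keyword.items():
            val = getattr(e, attr)
            if val is not None:
                mask = "/32" if attr in ("src", "dst") else ""
                lines.append(f"        {kw} {val}{mask} ;")
        lines += ["    } then {", "        count ;", f"        {e.action} ;", "    }", "}"]
    return "\n".join(lines) + "\n"


# The six entries from the first reply, in the same order.
POSTED = [
    Entry("one",   "permit", src=HOST, proto="tcp", dport=80),
    Entry("two",   "permit", src=HOST, proto="tcp", dport=443),
    Entry("three", "permit", dst=HOST, proto="tcp", dport=80),
    Entry("four",  "permit", dst=HOST, proto="tcp", dport=443),
    Entry("five",  "deny",   src=HOST),
    Entry("six",   "deny",   dst=HOST),
]

# Same intent for a host that is a web server reached remotely: requests to
# 80/443 and the server's replies from 80/443 pass, everything else is denied.
SERVER = [
    Entry("http_in",   "permit", dst=HOST, proto="tcp", dport=80),
    Entry("https_in",  "permit", dst=HOST, proto="tcp", dport=443),
    Entry("http_out",  "permit", src=HOST, proto="tcp", sport=80),
    Entry("https_out", "permit", src=HOST, proto="tcp", sport=443),
    Entry("deny_from", "deny",   src=HOST),
    Entry("deny_to",   "deny",   dst=HOST),
]

# Constructed sample flows: a GUI request, its reply, and an SSH attempt.
SAMPLE_FLOWS = {
    "request": Flow(CLIENT, HOST, "tcp", 51234, 443),
    "reply":   Flow(HOST, CLIENT, "tcp", 443, 51234),
    "ssh":     Flow(CLIENT, HOST, "tcp", 51235, 22),
}


def verdicts(policy: list) -> dict:
    """Action each sample flow receives under the given policy."""
    return {label: evaluate(policy, f) for label, f in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, policy in (("posted", POSTED), ("server", SERVER)):
        print(name, verdicts(policy))
    print(render(SERVER))
```

Compare the two verdict dictionaries: under the posted entries the GUI request is permitted but the server's reply is denied by "entry five", while the adjusted set permits both and still denies the SSH attempt. The difference only matters where the policy sees both directions, for example applied ingress on the port the server hangs off, where its replies enter the switch; for a client-only host with the policy applied ingress on its port, return traffic never reaches the policy, which is the case the reply describes.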
‎06-23-2016 07:09 AM
Well, I think you should consider the ACL according to the direction of traffic and divide it into 2 separate ACLs: ACL1 with "source-address" match conditions and ACL2 with "destination-address" match conditions.
The ACLs can be applied in various ways according to where the ACL is applied. For example, ACL1 can be applied as ingress on the port or VLAN the host is connected to. Also, ACL1 can be applied as egress on the uplink port or on a port connected to an end user, because the goal of ACL1 is only to accept HTTP/HTTPS traffic from the specific host. Either way can meet the goal.
(Please remember that not all EXOS switches support egress ACLs.)
Usually, ACL1 is applied as ingress on the port or VLAN the host is connected to, for traffic coming from the host. And ACL2 is applied as ingress on the uplink port (or VLAN) or on ports connected to end users, for traffic entering the switch with the host as its destination.
‎06-23-2016 07:09 AM
Hello,
I would just like to clarify: in which direction should I apply the ACL, egress or ingress?
configure access-list vlan egress|ingress
‎06-23-2016 07:09 AM
Thank you! I will give it a try and see the results.
Actually, the host is a server on which I need to launch the GUI remotely. I would like to restrict access to that host to GUI access only.
