Same ACL on X440 works, on X460 no

Giuseppe_Montan
Contributor

Good evening

I have this ACL:

# The posted snippet starts at "if match all" but closes with an extra brace,
# so the opening "entry <name> {" line was cut off; the entry name below is assumed.
entry deny_host {
    if match all {
        source-address 192.168.253.70/32 ;
        destination-address 192.168.170.8/32 ;
    }
    then {
        deny ;
    }
}
On the X440 it works (my lab, version 31.1.2).

On the X450 it does not work (customer, version 30.0.7).

Can anybody tell me why?

Thanks

Giuseppe

1 ACCEPTED SOLUTION

Giuseppe_Montan
Contributor

Hi, I solved the problem.

In this case (a server inside VLAN 192.168.170) I had to use egress at the end of the ACL.

Thanks

Giuseppe


4 REPLIES


Tomasz
Valued Contributor II

Hi Giuseppe,

AFAIU it should still be that, by default, applied ACLs use the ingress direction unless instructed otherwise in the command. For the ACL you mention, ingress should be fine.

Are there any other ACLs in place? Port-based ACLs have higher precedence than VLAN-based ACLs (which in turn have higher precedence than wildcard, device-wide ACLs). So if a .pol applied to a port is checked and the packet is matched, no further .pol contents in TCAM are evaluated against that packet.

The same applies to dynamic ACLs, which have precedence over static (.pol) ACLs.

Hope that helps,

Tomasz
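The direction question behind the accepted solution and the precedence checks Tomasz mentions, shown as an added worked example (constructed for this page, not the poster's or Extreme's configuration; the VLAN names vlan170 and vlan253, the policy name deny_client_to_server and the counter name are assumed). A VLAN-based ACL applied in the ingress direction is evaluated on packets entering the switch on that VLAN's ports. With the server in VLAN 192.168.170 and the client 192.168.253.70 in a different VLAN, the client-to-server packet enters on the client VLAN and only leaves the switch on the server VLAN, so an ingress ACL on the server VLAN sees only the server's replies, which carry the addresses the other way round and never match. Applying the same policy egress on the server VLAN, or ingress on the client VLAN, puts it in the path of the packet you want to drop.

```exos
# deny_client_to_server.pol (constructed example)
# A count action is added so the hit counter shows whether the rule is in the
# packet's path at all, which is the first thing to check when "the ACL does nothing".
entry deny_client_to_server {
    if match all {
        source-address 192.168.253.70/32 ;
        destination-address 192.168.170.8/32 ;
    }
    then {
        deny ;
        count client_to_server_hits ;
    }
}

# --- EXOS CLI ---
# Syntax check before applying (catches the missing "entry" line from the post).
check policy deny_client_to_server

# Does NOT match routed client->server traffic: on the server VLAN the policy
# only sees packets arriving from the server side.
configure access-list deny_client_to_server vlan "vlan170" ingress

# Option A: same VLAN, egress direction (what the accepted answer did).
unconfigure access-list deny_client_to_server vlan "vlan170" ingress
configure access-list deny_client_to_server vlan "vlan170" egress

# Option B: client VLAN, ingress direction (packet is caught before routing).
configure access-list deny_client_to_server vlan "vlan253" ingress

# Verify the binding and whether the counter moves while the client tests.
show access-list vlan "vlan170"
show access-list counter client_to_server_hits vlan "vlan170" egress

# Precedence check from the reply above: a port-applied or dynamic ACL that
# matches first hides the VLAN rule, so list everything installed in TCAM.
show access-list
show access-list dynamic
```

Usage note: after editing the .pol file, run refresh policy deny_client_to_server so the switch reloads it; egress ACL support depends on the platform, so check the release notes for the exact switch model and EXOS version before relying on Option A.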

Giuseppe_Montan
Contributor

Hi Stefan, I apply the ACL per VLAN. Do you know when I have to use ingress and when egress?

I think the problem is there.

Giuseppe

Stefan_K_
Valued Contributor

How did you apply the ACL? per Port or per VLAN? 
