Dynamic ACL Application


Freiu
New Contributor
Hello,
I am working with dynamic ACLs and I have multiple ACLs for applications like RDP, HTTP, HTTPS. Is there any way I can reduce the number of lines in the following ACLs, or can I specify multiple port numbers in one line, so I can reduce my configuration?
create access-list HTTP-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 80" "count HTTP;permit"
create access-list HTTPS-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 443" "count HTTPS;permit"
create access-list SSH-IN "source-address 10.10.10.0/24;protocol tcp;destination-port 22" "count SSH;permit"

configure access-list add HTTP-IN first vlan "V67_Server" ingress
configure access-list add HTTPS-IN last vlan "V67_Server" ingress
configure access-list add SSH-IN last vlan "V67_Server" ingress

Freiu
New Contributor
Hi Paul,
Thank you for your reply. We cannot use policy files, so we have to do it with dynamic ACLs. For port ranges the range has to be continuous, like [source-port 23-27], but in my case I have specific ports that are not continuous, like for FTP, SMTP, HTTP, RDP. What can I do in this case?

Paul_Russo
Extreme Employee
Hello Freiu

You can add port ranges; that may help in what you are trying to do.

"You can specify multiple, single, or zero match conditions. If you do not specify a match condition, all packets match the rule entry. Commonly used match conditions are:
• ethernet-source-address mac-address mask—Ethernet source address
• ethernet-destination-address mac-address mask—Ethernet destination address and mask
• source-address prefix—IP source address and mask
• destination-address prefix—IP destination address and mask
• source-port [port|range]—TCP or UDP source port range
• destination-port [port|range]—TCP or UDP destination port range"

By adding those ACLs using the CLI and the create access-list command, those ACLs are what we call dynamic. Another way to do the ACLs is to use a policy file with all of the statements in the file; then you can apply that file as an ACL to the port or VLAN. There is a great writeup on ACLs in the user guide. In version 15.6 it is chapter 22.

I hope that helps

P
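Since the thread's answer is "use port ranges" and the follow-up problem is that the wanted ports (FTP, SMTP, HTTP, RDP, ...) are not contiguous, the practical middle ground is to collapse the port list into as few contiguous ranges as possible and emit one dynamic ACL per range. The following Python script is an added example written for this page; it is not code from either participant or from Extreme Networks. It assumes, as the user-guide excerpt quoted above states, that destination-port accepts either a single port or a range, and that the range is written low-high exactly like the source-port 23-27 example in the thread; the ACL names, counter names, and the constructed port list are illustrative.

```python
"""Generate ExtremeXOS dynamic ACL commands from a list of TCP ports.

Added example, not from the thread. Assumes destination-port accepts a
single port or a low-high range (per the quoted user-guide text); the
ACL names and the port list below are constructed for illustration.
"""
from typing import Iterable, List, Tuple


def merge_ports(ports: Iterable[int]) -> List[Tuple[int, int]]:
    """Collapse a set of ports into sorted, contiguous (low, high) ranges.

    Duplicates are dropped; a port outside 0-65535 is rejected so a typo
    cannot silently widen a permit rule.
    """
    ranges: List[Tuple[int, int]] = []
    for port in sorted(set(ports)):
        if not 0 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
        if ranges and port == ranges[-1][1] + 1:
            ranges[-1] = (ranges[-1][0], port)   # extend the current run
        else:
            ranges.append((port, port))          # start a new run
    return ranges


def port_match(low: int, high: int) -> str:
    """Render a range as the CLI expects: '80' or '20-22'."""
    return str(low) if low == high else f"{low}-{high}"


def acl_commands(name: str, source_prefix: str, ports: Iterable[int],
                 vlan: str, protocol: str = "tcp") -> List[str]:
    """Return the 'create access-list' lines followed by the 'configure
    access-list add' lines, one dynamic ACL per contiguous port range.

    Each ACL gets its own counter so hit counts stay separable per range.
    The thread's own commands mix 'first' and 'last'; with disjoint
    permit-only ranges the relative order does not matter, so 'last' is
    used throughout here (assumption).
    """
    create, apply = [], []
    for i, (low, high) in enumerate(merge_ports(ports), start=1):
        acl = f"{name}-{i}"
        create.append(
            f'create access-list {acl} "source-address {source_prefix};'
            f'protocol {protocol};destination-port {port_match(low, high)}" '
            f'"count {acl};permit"'
        )
        apply.append(f'configure access-list add {acl} last vlan "{vlan}" ingress')
    return create + apply


if __name__ == "__main__":
    # Constructed port list: FTP data/control, SSH, SMTP, HTTP, HTTPS, RDP.
    wanted = [20, 21, 22, 25, 80, 443, 3389]
    for line in acl_commands("SRV-IN", "10.10.10.0/24", wanted, "V67_Server"):
        print(line)
```

For the seven ports above the script emits five ACLs (20-22 merges into one range) instead of seven, and the per-range counters still let you see which service is actually being hit. If you later need to remove a service, regenerate the list rather than editing individual entries, so the ranges never drift out of sync with the intended port set.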
