I think I sorted it out in the thread that I started - the problem seems to be that denying via

    if match all {
    } then {
        deny
    }

truly matches everything - every protocol, every port, every address, and especially every ARP.
It also appears that a "deny" rule like that also matches previously accepted packets (because of the ARP test?).
Lesson learned: don't deny all like this; deny all in a more specific manner.
😉
(I don't know if that was the intended behavior of "match all {}", but that's how it seems to play out.)
Jarek helped me out with that in this thread:
https://community.extremenetworks.com/extreme/topics/access_list_policy_and_selective_routing_betwee...
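As an added illustration of the lesson above (not from the thread and not vendor-supplied configuration), here is the catch-all entry the post describes next to a narrower pair of entries. It assumes ExtremeXOS policy-file syntax (entry / if match all / then, with one condition per line), that entries are evaluated top to bottom with first match winning, and that "ethernet-type" and "destination-address" are accepted match conditions; the entry names and the 192.0.2.0/24 subnet are hypothetical placeholders.

```text
# Added example, not the thread's own policy. Names and addresses are placeholders.

# Catch-all entry as described in the post: an empty "match all" matches every
# frame, including ARP, so it also catches traffic an earlier entry was meant
# to allow if that entry did not cover ARP.
entry deny_everything {
    if match all {
    } then {
        deny;
    }
}

# Narrower alternative: let ARP through explicitly, then deny only the IPv4
# traffic you actually intend to block. Entries are assumed to be evaluated
# in order, so the ARP permit must come before the deny.
entry permit_arp {
    if match all {
        ethernet-type 0x0806;
    } then {
        permit;
    }
}

entry deny_ipv4_to_lab {
    if match all {
        ethernet-type 0x0800;
        destination-address 192.0.2.0/24;
    } then {
        deny;
    }
}
```

The point of the second form is that every deny names the Ethernet type (and, where possible, the addresses) it is meant to cover, so control-plane traffic such as ARP is never swept up by accident; whatever is not listed still needs its own explicit entry rather than an empty "match all".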