Basic ACL: Switch says ACL doesn't exist when I created it, please help.
‎05-19-2015 02:51 PM
Hi Everyone,
I'm trying to create and apply an ACL to a VLAN on my switch, but when I run the commands it says it doesn't exist.
1. I created the policy by entering: vi PBR_DEFAULTROUTE.pol
I entered a simple entry and typed :wq! to save. It saved successfully.
2. I typed in ls and it is listed under my files.
-rw-rw-rw- 1 root 0 932 May 19 12:39 PBR_DEFAULTROUTE.pol
3. Saved config on switch.
4. I entered check policy PBR_DEFAULTROUTE.pol
# check policy PBR_DEFAULTROUTE.pol
Error: Policy PBR_DEFAULTROUTE.pol does not exist on file
5. Attempted to apply it to the VLAN
# configure access-list PBR_DEFAULTROUTE.pol vlan "Test_ACL" ingress
Error: ACL policy PBR_DEFAULTROUTE.pol not found
Configuration failed on backup Node, command execution aborted!
Below is my original post on what I'm trying to accomplish, but for this one I'm trying to enable this VLAN.
https://community.extremenetworks.com/extreme/topics/i-need-one-device-to-have-a-specific-ip-default...
13 REPLIES
‎05-19-2015 03:08 PM
Hi Arison,
Redirect using an IP within a VLAN may not be possible. You could consider redirect-port.
‎05-19-2015 03:08 PM
Let me take a look at one of my PBRs and compare. This is being applied inbound on the VLAN for 192.168.2.0/27, right?
‎05-19-2015 03:08 PM
Jeremy,
Thanks for your help. I've applied the ACL as you described and I'm able to ping their network addresses as well as their firewall. I just can't get the redirect to point to their default gateway. Is there anything that I could be missing?
‎05-19-2015 03:08 PM
Ok, good deal. You don't have to add the CIDR when specifying the redirect destination, so you can remove the /32 from 192.168.2.100.
‎05-19-2015 03:08 PM
Ok, so the problem was I was adding the .pol when applying the file to the VLAN. Now my new error message is this:
Error: Policy PBR_DEFAULT has syntax errors
Line 15 : Too many arguments from "/"
All I want to do is route traffic from a private VLAN to another firewall and not allow anyone on my network to access it. We're just going to host someone's equipment on our site. Also please note we have a dedicated VLAN for the customer, and again I don't want anyone pinging to it, as well as have them redirect to their firewall and not our default route. Sorry, I come from a Cisco background and scripting is not my forte.
##### Redirect default route entry
entry PBR {if match all {
    source-address 192.168.2.0/24;
    destination-address 0.0.0.0/0;
  }
  then {
    redirect 192.168.2.100/32;
  }
}
###### Deny internal Network to customer VLAN
entry rule1 {If match all {
    source-address 172.16.0.0/16;
    destination-address 192.168.2.0/24;
  }
  then {
    deny ;
    count RULE1-COUNT ;
  }
}
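The two mistakes this thread runs into (passing the file name with its .pol extension to check policy / configure access-list, and giving the redirect target a /32 prefix length) are easy to catch before the policy ever reaches the switch. The following is an added example, not code from the thread or from Extreme Networks: a small hypothetical pre-check script that parses the limited subset of EXOS policy syntax shown above (entry / if match / then blocks with source-address, destination-address, redirect, deny and count), flags a redirect target that carries a prefix length, rewrites it to the bare IP the reply recommends, and derives the CLI policy name from the file name. The sample policy text is the one posted in this thread, embedded inline so the script runs offline; the parser is a deliberately narrow regex for this subset, not a general EXOS policy grammar.

```python
import re

# Constructed sample input: the policy exactly as posted in the thread, including
# the "redirect 192.168.2.100/32" line that the switch rejected.
SAMPLE_POLICY = """\
##### Redirect default route entry
entry PBR {if match all {
source-address 192.168.2.0/24;
destination-address 0.0.0.0/0;
}
then {
redirect 192.168.2.100/32;
}
}
###### Deny internal Network to customer VLAN
entry rule1 {If match all {
source-address 172.16.0.0/16;
destination-address 192.168.2.0/24;
}
then {
deny ;
count RULE1-COUNT ;
}
}
"""

# One policy entry: a match block followed by an action block. IGNORECASE tolerates
# the capitalised "If" in the second entry of the sample.
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s+match\s+(?P<mode>all|any)\s*\{"
    r"(?P<match>.*?)\}\s*then\s*\{(?P<then>.*?)\}\s*\}",
    re.DOTALL | re.IGNORECASE,
)


def strip_comments(text):
    """Drop the '#...' comment lines so they cannot confuse the entry regex."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def _statements(block):
    """Split 'keyword [argument];' statements into (keyword, argument) pairs."""
    out = []
    for stmt in block.split(";"):
        parts = stmt.split()
        if parts:
            out.append((parts[0], parts[1] if len(parts) > 1 else None))
    return out


def parse_policy(text):
    """Return the entries as dicts: name, mode, match statements, then statements."""
    entries = []
    for m in ENTRY_RE.finditer(strip_comments(text)):
        entries.append({
            "name": m.group("name"),
            "mode": m.group("mode").lower(),
            "match": _statements(m.group("match")),
            "then": _statements(m.group("then")),
        })
    return entries


def lint_policy(text):
    """Return findings for redirect targets written with a prefix length."""
    findings = []
    for e in parse_policy(text):
        for kw, arg in e["then"]:
            if kw == "redirect" and arg and "/" in arg:
                findings.append(
                    f"entry {e['name']}: redirect target {arg!r} carries a prefix "
                    f"length; the action takes a bare IP ({arg.split('/')[0]})"
                )
    return findings


def fix_policy(text):
    """Return the policy text with the prefix length removed from redirect targets."""
    return re.sub(r"(\bredirect\s+\d+\.\d+\.\d+\.\d+)/\d+", r"\1", text)


def policy_name_for_cli(filename):
    """check policy / configure access-list take the name without the .pol suffix."""
    return filename[:-4] if filename.lower().endswith(".pol") else filename


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("finding:", finding)
    name = policy_name_for_cli("PBR_DEFAULTROUTE.pol")
    print(f"check policy {name}")
    print(f'configure access-list {name} vlan "Test_ACL" ingress')
    print(fix_policy(SAMPLE_POLICY))
```

Running the script against the sample reports the single redirect finding, prints the two CLI lines with the extension stripped, and emits the corrected policy text with `redirect 192.168.2.100;`; the second entry (deny plus count) passes untouched.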
