Security
Access lists are typically applied to traffic that crosses layer 3 router boundaries, but it is possible to use
access lists within a layer 2 VLAN.
Access lists in ExtremeWare XOS apply to all traffic, including packets destined for the switch CPU. This is
somewhat different from the behavior in ExtremeWare. For example, if you deny all the traffic to a port, no
traffic, including control packets such as OSPF or RIP, will reach the switch, and the routing adjacency will be
dropped. You must explicitly allow those types of packets (if desired). In ExtremeWare, an access list that
denied "all" traffic would still allow control packets (those bound for the CPU) to reach the switch.
Access lists are often referred to as Access Control Lists (ACLs).
The following sections apply to IP access lists:
• Creating IP Access Lists on page 114
• ACL File Syntax on page 114
• Example ACL Rule Entries on page 117
• Using Access Lists on the Switch on page 118
• Displaying and Clearing ACL Counters on page 119
Creating IP Access Lists
ACLs are created by writing a text file containing a number of rule entries. Name the text file with the
ACL name and use ".pol" as the filename extension. For example, the ACL name "zone3" refers to the
text file "zone3.pol". Any common text editor can be used to create an access list file. The file is then
transferred to the switch using TFTP, and applied to some or all ports on the switch.
ACL File Syntax
The ACL file contains one or more rule entries. Each rule entry consists of:
• a rule entry name, unique within the same ACL.
• zero or more match conditions. If no match condition is specified, all packets are matched.
• zero or one action. If no action is specified, the packet is permitted by default.
• zero or more action modifiers.
Each rule entry in the file uses the following syntax:
entry <entry-name>{
    if {
        <match-conditions>;
    } then {
        <action>;
        <action-modifiers>;
    }
}
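To show how the rule-entry syntax and its defaults (no match condition means match all, no action means permit) work in practice, here is a small parser for this .pol format. It is an added example, not code from the Concepts Guide or from Extreme Networks; the sample file is constructed, and the "count" modifier in it is a placeholder for an action modifier, not documented syntax. The last function flags deny entries with no match condition, which on ExtremeWare XOS also drop control packets such as OSPF and RIP unless an explicit permit covers them.

```python
import re

# Constructed sample .pol file (not from the Concepts Guide). "count log-only" is a
# placeholder standing in for an action modifier; it is not documented syntax.
SAMPLE_POL = """
entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
    } then {
        deny;
    }
}
entry log-only{ if { source-address 10.203.134.7/32; } then { count log-only; } }
entry drop-rest { if { } then { deny; } }
"""

# One rule entry: entry <name>{ if { <match>; } then { <action>; <modifiers>; } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>[^\s{]+)\s*\{\s*if\s*\{(?P<match>.*?)\}\s*then\s*\{(?P<then>.*?)\}\s*\}",
    re.S,
)
ACTIONS = {"permit", "deny"}


def _statements(block):
    # Split a brace body on ';' into a list of non-empty statements.
    return [s.strip() for s in block.split(";") if s.strip()]


def parse_pol(text):
    """Parse an ACL file into rule dicts: no match condition matches all, no action means permit."""
    entries, names = [], set()
    for m in ENTRY_RE.finditer(text):
        name = m.group("name")
        if name in names:  # entry names must be unique within one ACL
            raise ValueError(f"duplicate entry name {name!r}")
        names.add(name)
        then = _statements(m.group("then"))
        actions = [s for s in then if s in ACTIONS]
        if len(actions) > 1:  # the syntax allows zero or one action
            raise ValueError(f"entry {name!r} has more than one action")
        entries.append({"name": name, "match": _statements(m.group("match")),
                        "action": actions[0] if actions else "permit",
                        "modifiers": [s for s in then if s not in ACTIONS]})
    return entries


def deny_all_entries(entries):
    """Names of entries that deny with no match condition; on XOS these also drop OSPF/RIP."""
    return [e["name"] for e in entries if e["action"] == "deny" and not e["match"]]
```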
Here is an example of a rule entry:
entry udpacl {
    if {
        source-address 10.203.134.0/24;
        destination-address 140.158.18.16/32;
114
ExtremeWare XOS 10.1 Concepts Guide