Specifications

148 ExtremeWare XOS 11.0 Concepts Guide
Security
ACLs are typically applied to traffic that crosses Layer 3 router boundaries, but it is possible to use
access lists within a Layer 2 virtual LAN (VLAN).
ACLs in ExtremeWare XOS apply to all traffic. This is somewhat different from the behavior in
ExtremeWare. For example, if you deny all the traffic to a port, no traffic, including control packets such
as OSPF or RIP, will reach the switch and the adjacency will be dropped. You must explicitly allow
those types of packets (if desired). In ExtremeWare, an ACL that denied "all" traffic would still allow control
packets (those bound for the CPU) to reach the switch.
ACLs are often referred to as access lists.
The following sections apply to IP access lists:
Creating IP ACLs on page 148
ACL File Syntax on page 149
Example ACL Rule Entries on page 154
Using ACLs on the Switch on page 155
Displaying and Clearing ACL Counters on page 156
Creating IP ACLs
ACLs are created as text files, which in turn are managed in the same database as other policies, so the
files that define ACLs are also referred to as policy files, and some of the commands used with ACLs
use the keyword policy where you might expect access-list. Prior to release 11.0, all ACLs were
created by writing a text file on a separate machine and then downloading it to the switch. Once on the
switch, the file was then loaded into a policy database to be applied to some or all ports on the switch.
With release 11.0, policy text files can be edited directly on the switch.
Policies are created by writing a text file containing a number of rule entries. Name the text file with the
policy name and use “.pol” as the filename extension. For example, the policy name “boundary” refers
to the text file “boundary.pol”.
A VI-like editor is available on the switch to edit policies. To edit a policy file on the switch by
launching the editor, use the following command:
edit policy <filename>
You can also edit policies on a separate machine. Any common text editor can be used to create a policy
file. The file is then transferred to the switch using TFTP and then applied.
To transfer policy files to the switch, use the following command:
tftp [<host_name> | <ip_address>] {-v <vr_name>} [-g | -p] [{-l <local_file>} {-r <remote_file>} | {-r <remote_file>} {-l <local_file>}]
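The deny-all caveat above (a catch-all deny also drops OSPF and RIP control packets unless they are explicitly permitted first) is easy to get wrong when a policy file is edited by hand. The following Python script is an added example, not part of the guide or of ExtremeWare XOS: it reads a constructed "boundary.pol" in the entry / if / then syntax that the guide's later ACL File Syntax section describes (the exact syntax is assumed here and should be checked against that section), and reports which control-plane protocols would be dropped by the first unconditional deny. It generalizes slightly beyond the text by treating RIP as UDP port 520 and OSPF as an IP protocol match.

```python
import re

# Constructed sample policy file "boundary.pol" (assumed XOS policy syntax).
# Permits for OSPF and RIP are placed before the catch-all deny, which is the
# ordering the guide's caveat about control packets requires.
SAMPLE_POLICY = """\
entry allow_ospf {
    if {
        protocol ospf;
    } then {
        permit;
    }
}
entry allow_rip {
    if {
        protocol udp;
        destination-port 520;
    } then {
        permit;
    }
}
entry deny_all {
    if {
    } then {
        deny;
    }
}
"""

# Constructed counter-example: a deny-all policy with no explicit permits.
DENY_ONLY_POLICY = """\
entry deny_all {
    if {
    } then {
        deny;
    }
}
"""

# One rule entry: entry <name> { if { <match terms> } then { <actions> } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*if\s*\{(?P<match>.*?)\}\s*then\s*\{(?P<action>.*?)\}\s*\}",
    re.DOTALL,
)

# Control-plane protocols the guide names, expressed as predicates over an
# entry's match terms (assumed match-term spellings).
CONTROL_PLANE = {
    "ospf": lambda terms: "protocol ospf" in terms,
    "rip": lambda terms: "protocol udp" in terms and "destination-port 520" in terms,
}


def parse_policy(text):
    """Return (name, match_terms, actions) for each entry, in file order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        terms = [t.strip() for t in m.group("match").split(";") if t.strip()]
        actions = [a.strip() for a in m.group("action").split(";") if a.strip()]
        entries.append((m.group("name"), terms, actions))
    return entries


def permitted_control_plane(entries):
    """Control-plane protocols explicitly permitted before the first catch-all deny."""
    permitted = set()
    for _name, terms, actions in entries:
        if not terms and "deny" in actions:
            # An entry with no match terms matches everything: stop here,
            # anything not yet permitted is dropped at this point.
            break
        if "permit" in actions:
            for proto, matches in CONTROL_PLANE.items():
                if matches(terms):
                    permitted.add(proto)
    return permitted


def missing_control_plane(text):
    """Sorted list of control-plane protocols the policy would silently drop."""
    return sorted(set(CONTROL_PLANE) - permitted_control_plane(parse_policy(text)))


if __name__ == "__main__":
    for label, policy in (("sample", SAMPLE_POLICY), ("deny-only", DENY_ONLY_POLICY)):
        gaps = missing_control_plane(policy)
        print(f"{label}: {'ok' if not gaps else 'would drop ' + ', '.join(gaps)}")
```

Run it against a policy file before applying the policy to a port that carries routing adjacencies; a non-empty result means the deny-all entry sits ahead of the permits (or the permits are absent) and the adjacency will be lost once the policy is refreshed.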
Refreshing Policies
When a policy file is changed (for example, by adding or deleting an entry, or by adding, deleting, or modifying a
statement), the new file can be downloaded to the switch. You must then refresh the policy so that the
latest copy of the policy is the one in use.