Mailing List Archive: nsp: extreme

TCP access list / EW 7.6

Index | Next | Previous | View Threaded

marcin at leon

Aug 24, 2007, 2:06 AM

Post #1 of 2 (1678 views)
Permalink

TCP access list / EW 7.6

hello,

I have a problem with creation of access list that would drop unwanted tcp
traffic.

I have an access list like that:
* Alpine3808:31 # show access-list
Rule Dest/mask:L4DP Src/mask:L4SP Flags Hits
port_137 0.0.0.0 /0 :137 0.0.0.0 /0 :0 T-D-X 0
Flags: I=IP, T=TCP, U=UDP, E=Established, M=ICMP, G=IGMP
P=Permit Rule, D=Deny Rule
N=Port Specific Rule, X=Any Port

but, if I try to do a telnet to port 137 it is not notified in "Hits" and it
is not dropped.
As I could see, only pure IP acl works, but TCP and UDP no.

Switch has a Full L3 license, EW is
Primary EW Ver: 7.6.4.4 [ssh] [wlan]

No L3 routing is done on the switch, just L2 vlans.

Is there any way to make TCP acls to work on this device ?

Regards,
Marcin

Stephane.Grosjean at telindus

Aug 27, 2007, 2:32 AM

Post #2 of 2 (1614 views)
Permalink

TCP access list / EW 7.6 [In reply to]

Hello,

Strange behaviour... did you configure it that way ?

create access-list deny_137 tcp dest any ip-port 137 source any ip-port any deny ports any

Stephane.

>I have an access list like that:
>* Alpine3808:31 # show access-list
> Rule Dest/mask:L4DP Src/mask:L4SP Flags Hits
>port_137 0.0.0.0 /0 :137 0.0.0.0 /0 :0 T-D-X 0
>Flags: I=IP, T=TCP, U=UDP, E=Established, M=ICMP, G=IGMP
> P=Permit Rule, D=Deny Rule
> N=Port Specific Rule, X=Any Port
>
>but, if I try to do a telnet to port 137 it is not notified in "Hits" and >it
>is not dropped.
>As I could see, only pure IP acl works, but TCP and UDP no.

Index | Next | Previous | View Threaded

Interested in having your list archived? Contact Gossamer Threads