Access Lists

Access lists on Extreme Networks switches are an efficient way to block network traffic, and they can be applied as narrowly as a single port. This example shows how to block SSH traffic from and to a device that is connected to port 1:44 of a switch. To accomplish this, a policy definition has to be created:
# edit policy nossh.pol
  Contents are:  
@description "Policy to deny ssh"
entry sshconnect {
  if {
    protocol tcp;
    destination-port 22;
  } then {
    deny;
    count denySSH;
  }
}
  The policy is self-explanatory. The editor behaves like vi under Unix/Linux. After committing the changes, the policy is automatically distributed to all members of the stack (if needed). To display the newly created policy:
* Slot-1 sw101.24 # sh policy "nossh"
Policies at Policy Server:
Policy: nossh
@description "Policy to deny ssh"
entry sshconnect {
if match all {
    protocol tcp ;
    destination-port 22 ;
}
then {
    deny  ;
    count denySSH;
}
}
Number of clients bound to policy: 0
Client: acl bound once
  This policy is not bound to any port yet. To apply it to port 1:44:
* Slot-1 sw101.22 # configure access-list nossh ports 1:44
 done!
  From now on, all SSH connections from port 1:44 receive a time-out. After starting an SSH connection from the device connected to port 1:44, the hit shows up in the policy counter on the switch:
* Slot-1 sw101.24 # sh access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
nossh             *                1:44   ingress
    denySSH                        10
  To reset the counters:  
* Slot-1 sw101.25 # clear access-list counter
  All counters are now back at zero:
* Slot-1 sw101.26 # sh access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
nossh             *                1:44   ingress
    denySSH                        0
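  The denySSH counter is the only signal the switch gives that a blocked attempt happened, so a monitoring script that polls `show access-list counter` and reports growth is the natural next step. Note what the counter measures: the policy is bound ingress on 1:44 and matches destination-port 22, so it counts SSH sessions initiated by the attached device, not sessions opened towards it. The following is an added example, not code from the original page: a Python parser for the counter table in the layout shown above, plus a delta function that treats a counter which went down as having been reset by `clear access-list counter`. The sample tables are constructed (the second binding on port 1:45 is hypothetical), and no EXOS command is executed; the script only consumes captured output.

```python
"""Parse `show access-list counter` output from an EXOS switch and report
which counters grew between two snapshots (added example; sample output
is constructed to match the page's table layout, port 1:45 is hypothetical).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed: the table as shown on the page, ten blocked SSH attempts.
SNAPSHOT_1 = """\
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
nossh             *                1:44   ingress
    denySSH                        10
"""

# Constructed: taken after `clear access-list counter`, with three new hits
# on 1:44 and a hypothetical second binding on 1:45 that also prints bytes.
SNAPSHOT_2 = """\
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
nossh             *                1:44   ingress
    denySSH                        3
nossh             *                1:45   ingress
    denySSH                        7                    420
"""


@dataclass(frozen=True)
class CounterHit:
    policy: str
    vlan: str
    port: str
    direction: str
    counter: str
    packets: int
    byte_count: Optional[int]  # the byte column is not always printed


Key = Tuple[str, str, str, str]  # (policy, port, direction, counter)


def parse_acl_counters(text: str) -> List[CounterHit]:
    """Flatten the two-level table: rows at column 0 after the ===== line
    name a policy binding, indented rows below it are that binding's counters."""
    hits: List[CounterHit] = []
    binding: Optional[Tuple[str, str, str, str]] = None
    in_table = False
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("="):
            in_table = True  # everything above the separator is the header
            continue
        if not in_table:
            continue
        fields = line.split()
        if line[0].isspace():
            if binding is None:
                raise ValueError(f"counter row without a policy row: {line!r}")
            if len(fields) < 2:
                raise ValueError(f"malformed counter row: {line!r}")
            byte_count = int(fields[2]) if len(fields) > 2 else None
            hits.append(CounterHit(*binding, fields[0], int(fields[1]), byte_count))
        else:
            if len(fields) != 4:
                raise ValueError(f"malformed policy row: {line!r}")
            binding = (fields[0], fields[1], fields[2], fields[3])
    return hits


def _key(h: CounterHit) -> Key:
    return (h.policy, h.port, h.direction, h.counter)


def counter_deltas(previous: List[CounterHit], current: List[CounterHit]) -> Dict[Key, int]:
    """Packets counted since the previous snapshot. A counter whose value
    dropped was cleared in between, so its whole current value is new."""
    before = {_key(h): h.packets for h in previous}
    deltas: Dict[Key, int] = {}
    for h in current:
        old = before.get(_key(h), 0)
        deltas[_key(h)] = h.packets - old if h.packets >= old else h.packets
    return deltas


def alert_lines(previous: List[CounterHit], current: List[CounterHit],
                threshold: int = 1) -> List[str]:
    """One message per counter that grew by at least `threshold` packets."""
    return [
        f"{policy}: {counter} on port {port} ({direction}) +{delta} packets"
        for (policy, port, direction, counter), delta
        in counter_deltas(previous, current).items()
        if delta >= threshold
    ]


if __name__ == "__main__":
    for msg in alert_lines(parse_acl_counters(SNAPSHOT_1), parse_acl_counters(SNAPSHOT_2)):
        print(msg)
```

  Feeding the script two captures taken a polling interval apart reports "+3" for 1:44 even though the raw counter dropped from 10 to 3, because the drop is interpreted as a reset rather than negative traffic. Raising `threshold` suppresses single stray hits when only repeated attempts are worth a ticket.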
  It is important to mention that only one policy can be bound to a single port, so consider carefully everything the policy needs to do.
To modify a bound policy, edit it, unbind it from the port, and bind it to the port again.