ExtremeSwitching (EXOS)

  • 1.  ACL Bug? /17 Supernet

    Posted 01-07-2014 22:02
    Create Date: May 15 2013 10:01AM

    Hi,

I use a Summit x670 with the image ExtremeXOS version 15.2.2.7.

I have made ACLs for the VLAN that I have created on the switch.
The (big) problem is that when I add a deny ACL at the end of the rules, for example

    create access-list deny_any " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"

all ACLs that have IPs or network addresses in them don't work!

    Example:
    create access-list test_allow_me " source-address 10.1.1.1/32 ; protocol tcp ; destination-port 80 ;" " permit ;" application "Cli"

Now I have tested this a lot of times and the point is, when I make a rule with a /18 supernet or lower (also /19, /20 ...), all ACLs are working.
All network masks over /18 (also /17, /16 ...) don't work.

Is this a firmware bug?
    (from mp)
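To state what the ordered ACL should do, here is an added example (not from the post or from Extreme): a small first-match evaluator in Python that parses the `create access-list` syntax used above, so the expected verdict for a /17 or /18 source prefix can be compared with what the switch actually does. It assumes an implicit permit when no entry matches and supports only the match conditions shown in the thread (address, protocol, port); `probe_prefix` and the packet dicts are constructed for this example.

```python
import ipaddress
import re

# Constructed sample in the post's own CLI syntax: the specific permit first,
# the catch-all deny last, which is the order the poster describes.
ACL_CLI = [
    'create access-list test_allow_me " source-address 10.1.1.1/32 ; protocol tcp ; destination-port 80 ;" " permit ;" application "Cli"',
    'create access-list deny_any " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"',
]

CMD_RE = re.compile(r'create access-list (\S+) "([^"]*)" "([^"]*)"')

def parse_acl(cmd):
    """Split one 'create access-list' line into (name, {condition: value}, action)."""
    m = CMD_RE.match(cmd)
    if not m:
        raise ValueError("not a create access-list command: " + cmd)
    name, cond_str, action_str = m.groups()
    conds = {}
    for item in cond_str.split(";"):          # conditions are ';'-separated
        item = item.strip()
        if item:
            key, value = item.split(None, 1)
            conds[key] = value.strip()
    return name, conds, action_str.replace(";", "").strip()

def entry_matches(conds, pkt):
    """True when every condition of one entry holds for the packet dict."""
    for key, value in conds.items():
        if key in ("source-address", "destination-address"):
            field = "src" if key == "source-address" else "dst"
            if ipaddress.ip_address(pkt[field]) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol":
            if pkt.get("proto") != value:
                return False
        elif key in ("source-port", "destination-port"):
            field = "sport" if key == "source-port" else "dport"
            if pkt.get(field) != int(value):
                return False
        else:
            raise ValueError("unsupported match condition: " + key)
    return True

def evaluate(acl_cmds, pkt):
    """First matching entry wins; with no match the ACL is assumed to permit
    (the reason the post appends an explicit deny_any entry)."""
    for cmd in acl_cmds:
        name, conds, action = parse_acl(cmd)
        if entry_matches(conds, pkt):
            return name, action
    return None, "permit"

def probe_prefix(prefix, src):
    """Expected verdict for a permit-by-source-prefix entry followed by deny_any (constructed helper)."""
    rules = ['create access-list allow_net " source-address %s ;" " permit ;" application "Cli"' % prefix] + ACL_CLI[1:]
    return evaluate(rules, {"src": src})[1]
```

If the switch denies a source that `probe_prefix` says a /17 entry should permit, the rule text is not the problem and the behaviour is worth reproducing for TAC with the exact entries installed.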


  • 2.  RE: ACL Bug? /17 Supernet

    Posted 01-07-2014 22:02
    Create Date: May 17 2013 11:44AM

Hello MP

    I have not tested this so not sure although I have not heard about this being a problem until now. I would recommend opening a case with TAC to have them test it in the lab. If it is a bug they can then send it to engineering. I will also try to test when I have a chance which may not be for a week or so.

    P (from Paul_Russo)


  • 3.  RE: ACL Bug? /17 Supernet

    Posted 01-07-2014 22:02
    Create Date: Jun 28 2013 6:29PM

    I'm experiencing a similar issue:

Everything matches this policy (applied to bgp export direct for ipv6; I've changed the actual addresses for this example), it's as if the nlri directive isn't even there:

    entry permit-portable-access-nets {
        if match any {
            nlri fe80:8000::/33 min 33 ;
        }
        then {
            community set "23456:1" ;
            permit ;
        }
    }
    entry deny-anything-else {
        if match all {
        }
        then {
            deny ;
        }
    }

    I tried throwing in a route-origin icmp and changing it to match all to create a condition that shouldn't be true no matter what, but it still permitted the routes. I've opened a TAC case, here's hoping it makes it through to someone who understands the question.

    And I've verified that they are matching this policy because if I change the permit right after the community set to a deny and refresh the policy the routes disappear from the transmitted routes table. (from xxiii)


  • 4.  RE: ACL Bug? /17 Supernet

    Posted 01-07-2014 22:02
    Create Date: Aug 22 2013 8:06AM

    Were you able to solve the problem? (from shulik)