ExtremeSwitching (EXOS)

  • 1.  Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-12-2015 13:00
    ExOS is summitX-15.3.1.4-patch1-31

    Examples are from ACL Solutions Guide

    What is wrong with these ACLs?

    * sw2.g50.kv.38 # edit policy l2pt-cdp-in
    entry cdp_pdu {
    if {
    ethernet-destination-address 01:00:0c:cc:cc:cc ;
    snap-type 0x2000 ;
    } then {
    replace-ethernet-destination-address 01:00:0c:cd:cd:d0 ;
    count cdp_ingress ;
    }
    }

    * sw2.g50.kv.39 # edit policy l2pt-cdp-out
    entry cdp_pdu {
    if {
    ethernet-destination-address 01:00:0c:cd:cd:d0 ;
    snap-type 0x2000 ;
    } then {
    replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
    count cdp_egress ;
    }
    }

    * sw2.g50.kv.40 # conf access-list l2pt-cdp-in ports 5 ingress
    Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Invalid parameter (user-defined field (UDF))
    * sw2.g50.kv.41 # conf access-list l2pt-cdp-out ports 5 egress

    Error: ACL install operation failed - conditions specified in rule "cdp_pdu" cannot be satisfied by hardware on vlan *, port 5
    * sw2.g50.kv.42 #


  • 2.  RE: Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-12-2015 14:25
    Hi Pavel,

    snap-type can be used as a match condition for Ingress ACLs only and therefore should be removed from policy l2pt-cdp-outentry.

    Also according to https://wiki.wireshark.org/CDP,
    The protocol ID of CDP is x2000.
    The SNAP value is 0xaa.
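
The relationship between the 0xaa SAP value and the 0x2000 protocol ID discussed in this reply, shown as an added example that is not part of the original thread or of Extreme's documentation: a parser for the LLC/SNAP header of an untagged 802.3 frame, plus the destination-MAC rewrite the two policies describe. The function names and the sample frame are constructed for illustration, and the code does not model which matches or actions the X670V hardware supports.

```python
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")     # 01:00:0c:cc:cc:cc, CDP destination
TUNNEL_MAC = bytes.fromhex("01000ccdcdd0")  # 01:00:0c:cd:cd:d0, tunnel destination
SNAP_SAP = 0xAA    # LLC DSAP/SSAP value meaning "a SNAP header follows"
CDP_PID = 0x2000   # SNAP protocol ID, the value given to "snap-type"


def snap_pid(frame):
    """Return the SNAP protocol ID of an untagged 802.3 frame, or None."""
    if len(frame) < 22:                       # MACs + length + LLC + SNAP
        return None
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:                         # EtherType frame, no LLC header
        return None
    if tuple(frame[14:17]) != (SNAP_SAP, SNAP_SAP, 0x03):
        return None                           # LLC present but not SNAP
    # frame[17:20] is the OUI, frame[20:22] the protocol ID
    return struct.unpack("!H", frame[20:22])[0]


def rewrite(frame, match_mac, new_mac):
    """Mimic one rule: match destination MAC and SNAP PID, replace the MAC."""
    if frame[:6] == match_mac and snap_pid(frame) == CDP_PID:
        return new_mac + frame[6:], True
    return frame, False


def build_sample_cdp():
    """Constructed sample: CDP header only (no TLVs, checksum zeroed)."""
    cdp = bytes([0x02, 0xB4, 0x00, 0x00])     # version 2, TTL 180, checksum 0
    snap = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C]) + struct.pack("!H", CDP_PID)
    src = bytes.fromhex("020000000001")       # constructed source MAC
    body = snap + cdp
    return CDP_MAC + src + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    original = build_sample_cdp()
    tunneled, hit_in = rewrite(original, CDP_MAC, TUNNEL_MAC)    # ingress rule
    restored, hit_out = rewrite(tunneled, TUNNEL_MAC, CDP_MAC)   # egress rule
    print(hex(snap_pid(original)), hit_in, hit_out, restored == original)
```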


  • 3.  RE: Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-12-2015 17:20
    OK, despite the examples being from the EN official doc, I'll try :D

    * sw2.g50.kv.1 # edit policy l2pt-cdp-out
    entry cdp_pdu {
    if {
    ethernet-destination-address 01:00:0c:cd:cd:d0 ;
    # snap-type 0x2000 ;
    } then {
    replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
    count cdp_egress ;
    }
    }

    * sw2.g50.kv.2 # conf access-list l2pt-cdp-out ports 5 egress
    .
    Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Feature unavailable (rule)
    * sw2.g50.kv.3 #

    So, what's next?



  • 4.  RE: Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-12-2015 21:37
    Hi Pavel,

    What model of switch is this?

    -Brandon


  • 5.  RE: Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-13-2015 01:39
    System Type: X670V-48x



  • 6.  RE: Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-13-2015 11:59
    Hi Pavel,

    At this point it may be time to contact GTAC. The problem appears to be with the action "replace-ethernet-destination-address" as the ACL does not cause an error when this action is removed.

    Another option to consider is an EXOS upgrade to the recommended version for the X670 to use Layer 2 Protocol Tunneling.
    Read about L2PT (Starting on page 2333)
    http://extrcdn.extremenetworks.com/wp-content/uploads/2015/01/ExtremeXOS_15_5_User-Guide.pdf


  • 7.  RE: Layer-2 Protocol Tunneling ACL on X670V

    Posted 08-17-2015 08:58
    So, is there a chance to transport PDUs on ExOS 15.3 on the x670v switch?

    Upgrade is not suitable.