ExtremeSwitching (EXOS)

  • 1.  EXOS access-list / policy question

    Posted 03-01-2016 12:00
For a customer project I use an access-list / policy to block VRRP multicast traffic to achieve a VRRP active/active situation. I have an X670V with V16.1.2.14 patch 1-4.

To block the multicast traffic I have to apply the ACL to the ISC link; in my setup this is a sharing of 1:49 and 2:49 (40GB link).

My question now is: why do I have to bind the ACL to both sharing ports (it only works if I bind it to both ports)? I expected that, because this is a sharing link, I would only have to bind it to the config master port.

Secondly, how can I check if an ACL has hits?

    * Slot-1 XXXXXXX.29 # sh access-list counter ingress
    * Slot-1 XXXXXXX.29 #
    * Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress
    * Slot-1 XXXXXXX.31 #

Neither command (which I guess seems to be correct) generates any output!

Bug or feature?

    Regards



  • 2.  RE: EXOS access-list / policy question

    Posted 03-01-2016 12:51
Hi Matthias, since you are using a LAG, the multicast traffic might be using both links. Therefore, to accomplish the active/active VRRP scenario, the VRRP multicast address should be blocked on both ports (ISC link).

You can see any hits on the ACL by adding a counter to the ACL policy.

    Example:

    entry vrrp-block-rule {
        if {
            destination-address 224.0.0.18/32 ;
        } then {
            deny ;
            counter matchvrrp ;
        }
    }

    To check the counter:

show access-list counter (if the ACL is applied in the ingress direction)
show access-list counter egress (if the ACL is applied in the egress direction)


  • 3.  RE: EXOS access-list / policy question

    Posted 03-01-2016 14:27
    Thanks Henrique!

Can you explain to me why I have to bind the ACL not only to the sharing master port? It only works if I bind it to all ports that belong to the sharing group!

    Regards


  • 4.  RE: EXOS access-list / policy question

    Posted 03-01-2016 14:45
Hi, ACLs are LAG agnostic; you need to apply them on each physical port.
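
The following is an added worked example that ties replies 2 and 4 together; it is not from the original thread or from Extreme. It assumes the policy file is called vrrp-block.pol, that the ISC sharing members are 1:49 and 2:49 as in the question, and that the counter names vrrp_hits and other_hits are free to use. Because ACLs are bound per physical port, the policy is configured on both sharing members, not only on the master port 1:49. A counted catch-all entry is added so that a non-zero counter proves the policy is installed and seeing traffic even while the VRRP counter is still zero (the situation that made the empty counter output in the question hard to interpret). The counter action in the EXOS policy language is count; the reply above wrote counter.

```text
# vrrp-block.pol  (file name is an assumption; create it with "edit policy vrrp-block")
#
# Entry 1: drop IPv4 VRRP advertisements arriving over the ISC and count them.
# 224.0.0.18/32 is the VRRP multicast group, 112 is the VRRP IP protocol number.
entry vrrp-block-rule {
    if match all {
        destination-address 224.0.0.18/32 ;
        protocol 112 ;
    } then {
        deny ;
        count vrrp_hits ;
    }
}

# Entry 2: everything else is permitted, but counted as well. If other_hits
# increments while vrrp_hits stays at zero, the ACL is bound and working and
# there simply are no VRRP packets on that port (yet).
entry vrrp-block-rest {
    if {
    } then {
        permit ;
        count other_hits ;
    }
}
```

Applying and checking it from the EXOS CLI (commands only; output is deliberately not shown):

```text
# Syntax-check the policy file before binding it.
check policy vrrp-block

# Bind it on ingress to BOTH members of the ISC sharing group, not only to the
# master port 1:49. ACLs are LAG agnostic (reply 4), so a binding on 1:49 alone
# leaves VRRP advertisements arriving on 2:49 unfiltered.
configure access-list vrrp-block ports 1:49,2:49 ingress

# Confirm the binding on each physical port.
show access-list

# Read the counters; both entries are ingress, so no "egress" keyword is needed.
show access-list counter

# Optional: reset the counters before a controlled test.
clear access-list counter
```

Repeat the same binding on the peer switch if the active/active setup is meant to be symmetric, since each switch only filters what it receives on its own ISC ports. The policy only covers IPv4 VRRP; an IPv6 VRRP deployment would need an additional entry for its own multicast group.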