ACL for add-vlan-id

Patrick Voss 03-19-2018 16:48

Danial Jalil 03-19-2018 17:30

  • 1.  ACL for add-vlan-id

    Posted 03-19-2018 16:42
    I want to add an ingress ACL to a port that adds a VLAN to untagged traffic. If the traffic is tagged, it should add a second VLAN. Following is my code, but somehow I am facing an error. Is it the right syntax to implement it?

    entry testing {
        if match all {
        } then {
            permit;
            add-vlan-id 51;
        }
    }

    #configure access-list testing ports 4 ingress


  • 2.  RE: ACL for add-vlan-id

    Posted 03-19-2018 16:48
    Can you show us the error you are seeing?


  • 3.  RE: ACL for add-vlan-id

    Posted 03-19-2018 17:30
    It's correct, but your switch/version needs to support this ACL action modifier. It came out in 16.1.


  • 4.  RE: ACL for add-vlan-id

    Posted 03-20-2018 02:07
    Could you try the following -
    entry rule {
        if {
            vlan-format untagged;
        } then {
            add-vlan-id 51;
            class-id 2;
        }
    }

    I remember encountering this in a case. "Add-Vlan-Id" works with class-id. Also ensure the VLAN ID you are adding is an available VLAN on the ingress and egress ports.
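
The class-id pairing and the VLAN-availability check described in the reply above can be verified offline before a policy is applied. This is an added example, not part of the original posts and not Extreme's tooling; the parser, the function names, and the rule that add-vlan-id needs class-id (taken from the reply, not from vendor documentation) are assumptions.

```python
import re

# Constructed sample: the two policy entries posted in this thread.
SAMPLE_POLICY = """
entry testing {
    if match all {
    } then {
        permit;
        add-vlan-id 51;
    }
}
entry rule {
    if {
        vlan-format untagged;
    } then {
        add-vlan-id 51;
        class-id 2;
    }
}
"""

# One entry: name, optional "match all|any", a match body and an action body.
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*"
    r"if(?:\s+match\s+(?:all|any))?\s*\{(?P<match>[^{}]*)\}\s*"
    r"then\s*\{(?P<actions>[^{}]*)\}\s*\}", re.S)

def statements(body):
    # Split a brace body on ';' into a {keyword: argument} dict.
    out = {}
    for stmt in body.split(";"):
        parts = stmt.split(None, 1)
        if parts:
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def parse_entries(text):
    return [{"name": m["name"], "match": statements(m["match"]),
             "actions": statements(m["actions"])} for m in ENTRY_RE.finditer(text)]

def lint(text):
    """Flag add-vlan-id without class-id (assumption taken from the reply)."""
    return [(e["name"], "add-vlan-id %s has no class-id" % e["actions"]["add-vlan-id"])
            for e in parse_entries(text)
            if "add-vlan-id" in e["actions"] and "class-id" not in e["actions"]]

def required_vlans(text):
    """VLAN IDs that must already be on the ingress and egress ports."""
    return sorted({int(e["actions"]["add-vlan-id"]) for e in parse_entries(text)
                   if "add-vlan-id" in e["actions"]})
```

Calling `lint(SAMPLE_POLICY)` reports only the first entry, and `required_vlans(SAMPLE_POLICY)` lists the VLAN IDs to compare against the port membership on the switch.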


  • 5.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Can you guys tell me how to remove the VLAN on the other side? Is there any ACL rule or anything that can remove the added ACL on the other port at egress? (What I want to achieve is an internal forwarding mechanism from one port to another, but I cannot do that with MACs/IPs as all MACs will be the same.)


  • 6.  RE: ACL for add-vlan-id

    Posted 06-13-2018 17:46
    If you haven't already, please open a ticket with GTAC to help close this one out.



  • 7.  RE: ACL for add-vlan-id

    Posted 03-19-2018 17:30
    It is 21.1.1.4


  • 8.  RE: ACL for add-vlan-id

    Posted 03-20-2018 02:07
    What is meant by available VLAN? It's already created, if that's what you are asking. If it means something else, could you please explain it? :)


  • 9.  RE: ACL for add-vlan-id

    Posted 03-20-2018 02:07
    It works. It seems that for an ingress ACL, class id is needed. Thank you for the help, Sushruth. You are awesome 😉


  • 10.  RE: ACL for add-vlan-id

    Posted 03-20-2018 02:07
    Can you also tell me how to remove the VLAN on the other side? Is there any ACL rule or anything that can remove the added ACL on the other port at egress?


  • 11.  RE: ACL for add-vlan-id

    Posted 03-20-2018 02:07
    If you want to remove an ACL on a port, then the command is -
    unconfig access-list


  • 12.  RE: ACL for add-vlan-id

    Posted 03-20-2018 02:07
    Available VLAN means that the VLAN must be added to both the ingress and egress ports.


  • 13.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    I'm not sure I understand this question. Do you want to perform an L2 redirect from one port to another?


  • 14.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Yes! An untagged flow enters on, let's say, port 1 and should be redirected to, let's say, port 2. There should be no tag on the traffic when going in port 1 and going out of port 2. How do I do this? I thought I could assign an internal VLAN to route traffic from port 1 to 2, but then how do I remove this internal traffic when the traffic is leaving port 2? Or is there any other approach to do this?


  • 15.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Layer-2-PBR

    You can use L2 redirect using the redirect-port action modifier. Refer to the attached article.


  • 16.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Could you please explain a bit what port 3:5 means? I mean, I am using an Extreme Networks X670 which has 48 ports, so I should just mention redirect-port, let's say, 48, right?


  • 17.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    3:5 means slot 3 port 5. This will come into play when using chassis or stacked switches. For a single standalone switch, you can use just the port number.


  • 18.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    I am still not able to redirect the flow from port 46 to port 45. I am receiving traffic on port 46, but it is not redirecting it to port 45, as shown in the statistics. Can you tell me what I am doing wrong? Below is the configuration.

    ACL....

    entry one {
        if match all {
        } then {
            redirect-port 45;
        }
    }

    * 46 testing2 ingress 1 0

    X670V-48x.40 # show ports 45-48 statistics
    Port Statistics                                             Thu Mar 29 11:21:56 2018
    Port      Link       Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
              State       Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
    ========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
    45        A               0           0           0           0           0           0           0           0
    46        A               0           0     1251587  1882386848           0           0           0           0

    ========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
    > in Port indicates Port Display Name truncated past 8 characters
    > in Count indicates value exceeds column width. Use 'wide' option or '0' to clear.
    Link State: A-Active, R-Ready, NP-Port Not Present L-Loopback
    0->Clear Counters U->page up D->page down ESC->exit


  • 19.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Danial, what sort of traffic is expected in port 46 ingress? Tagged or untagged? Are the VLANs allowed on port 46 also allowed on port 45?


  • 20.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Yes, the VLANs are allowed on both the ports, and untagged traffic is expected on port 46 ingress.


  • 21.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Any help please?


  • 22.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    It should work. Have you added and removed the ACL? Or refreshed the policy?



  • 23.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    But it is not working. I have the following configuration. I am receiving the traffic with no tags, nothing, just normal Ethernet frames on port 47, but somehow the ACL is not redirecting them to port 48. Am I missing something? Guys, need help?

    * X670V-48x.54 # show access-list
    Vlan Name    Port   Policy Name   Dir      Rules  Dyn Rules
    ================================================================
    *            47     testing       ingress  1      0

    * X670V-48x.55 #vi testing.pol
    entry rule {
        if match all {
        } then {
            redirect-port 48
        }
    }

    * X670V-48x.59 # show ports 47-48 statistics
    Port Statistics                                             Thu Apr 12 10:09:00 2018
    Port      Link       Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
              State       Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
    ========= ===== =========== =========== =========== ===========
    47        A               0           0     8469676  1084118656           0           0           0           0
    48        A               0           0           0           0           0           0           0           0

    ========= ===== =========== =========== =========== ===========



  • 24.  RE: ACL for add-vlan-id

    Posted 03-22-2018 16:09
    Guys, waiting for some help here?