ACL for add-vlan-id

  • Question
  • Updated 4 months ago
  • Answered
I want to add an ingress ACL to a port that adds a VLAN to untagged traffic. If the traffic is tagged, it should add a second VLAN. Following is my code, but somehow I am facing an error. Is it the right syntax to implement it?


entry testing {
    if match all {
    } then {
        permit;
        add-vlan-id 51;
    }
}

#configure access-list testing ports 4 ingress

Danial Jalil

Posted 7 months ago

Patrick Voss, Alum
Can you show us the error you are seeing?

Stephen Williams, Employee
It's correct, but your switch/version needs to support this ACL action modifier. It came out in 16.1.

Danial Jalil
It is 21.1.1.4.

Sushruth Sathyamurthy, Employee
Could you try the following:

entry rule {
    if {
        vlan-format untagged;
    } then {
        add-vlan-id 51;
        class-id 2;
    }
}

I remember encountering this in a case. "Add-Vlan-Id" works with class-id. Also ensure the VLAN ID you are adding is an available VLAN on the ingress and egress ports.

Danial Jalil
What is meant by available VLAN? It's already created, if that's what you are asking. If it means something else, could you please explain it? :)

Danial Jalil
It works. It seems that for an ingress ACL, class-id is needed. Thank you for the help, Sushruth, you are awesome ;)

Danial Jalil
Can you also tell me how to remove the VLAN on the other side? Is there any ACL rule or anything that can remove the added ACL on the other port at egress?

Sushruth Sathyamurthy, Employee
If you want to remove an ACL on a port, then the command is:

unconfig access-list <ACL NAME> ingress/egress

Sushruth Sathyamurthy, Employee
Available VLAN means that the VLAN must be added to both the ingress and egress ports.

Danial Jalil
Can you guys tell me how to remove the VLAN on the other side? Is there any ACL rule or anything that can remove the added ACL on the other port at egress? (What I want to achieve is an internal forwarding mechanism from one port to another, but I cannot do that with MACs/IPs as all MACs will be the same.)

Sushruth Sathyamurthy, Employee
I'm not sure I understand this question. Do you want to perform an L2 redirect from one port to another?

Danial Jalil
Yes! An untagged flow enters on, let's say, port 1 and should be redirected to, let's say, port 2. There should be no tag on the traffic when going in on port 1 and going out of port 2. How do I do this? I thought I could assign an internal VLAN to route traffic from port 1 to 2, but then how do I remove this internal traffic when the traffic is leaving port 2? Or is there any other approach to do this?

Sushruth Sathyamurthy, Employee
https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Layer-2-PBR

You can do an L2 redirect using the redirect-port action modifier. Refer to the attached article.

Danial Jalil
Could you please explain a bit what port 3:5 means? I mean, I am using an Extreme Networks X670 which has 48 ports, so I should just mention redirect-port, let's say, 48, right?

Sushruth Sathyamurthy, Employee
3:5 means slot 3 port 5. This will come into play when using chassis or stacked switches. For a single standalone switch, you can use just the port number.

Danial Jalil
I still am not able to redirect the flow from port 46 to port 45. I am receiving traffic on port 46, but it is not redirecting it to port 45, as shown in the statistics. Can you tell me what I am doing wrong? Below is the configuration.

ACL:

entry one {
    if match all {
    } then {
        redirect-port 45;
    }
}

*            46     testing2             ingress  1      0

X670V-48x.40 # show ports 45-48 statistics
Port Statistics                                                                        Thu Mar 29 11:21:56 2018
Port      Link       Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
          State       Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
45        A               0           0           0           0           0           0           0           0
46        A               0           0     1251587  1882386848           0           0           0           0

========= ===== =========== =========== =========== =========== =========== =========== =========== ===========
          > in Port indicates Port Display Name truncated past 8 characters
          > in Count indicates value exceeds column width. Use 'wide' option or '0' to clear.
          Link State: A-Active, R-Ready, NP-Port Not Present L-Loopback
          0->Clear Counters  U->page up  D->page down ESC->exit

Sushruth Sathyamurthy, Employee
Danial, what sort of traffic is expected on port 46 ingress, tagged or untagged? Are the VLANs allowed on port 46 also allowed on port 45?

Danial Jalil
Yes, the VLANs are allowed on both ports, and untagged traffic is expected on port 46 ingress.

Danial Jalil
Any help please?

Stephen Williams, Employee
It should work. Have you added and removed the ACL, or refreshed the policy?

Danial Jalil
But it is not working. I have the following configuration. I am receiving the traffic with no tags, nothing, just normal Ethernet frames on port 47, but somehow the ACL is not redirecting them to port 48. Am I missing something? Guys, I need help.

* X670V-48x.54 # show access-list
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
================================================================
*            47     testing              ingress  1      0

* X670V-48x.55 #vi testing.pol
entry rule {
    if match all {
    } then {
        redirect-port 48;
    }
}

* X670V-48x.59 # show ports 47-48 statistics
Port Statistics                                                                        Thu Apr 12 10:09:00 2018
Port      Link       Tx Pkt     Tx Byte      Rx Pkt     Rx Byte      Rx Pkt      Rx Pkt      Tx Pkt      Tx Pkt
          State       Count       Count       Count       Count       Bcast       Mcast       Bcast       Mcast
========= ===== =========== =========== =========== =========== 
47        A               0           0     8469676  1084118656           0           0           0           0
48        A               0           0           0           0           0           0           0           0

========= ===== =========== =========== =========== =========== 
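As an added example (not from this thread or from Extreme Networks), here is a small Python lint for an EXOS-style .pol file that checks, before the policy is applied to a port, the pitfalls that came up in this thread: unbalanced braces, action lines without a terminating semicolon, a redirect-port argument that is not a port or slot:port, and add-vlan-id without the class-id that Sushruth's answer says an ingress ACL needs. It assumes only the `entry { if ... { } then { ... } }` shape shown in these posts, and the sample policies are constructed.

```python
import re

# Action keywords used in this thread's policies (a subset of what EXOS accepts).
KNOWN_ACTIONS = {"permit", "deny", "add-vlan-id", "class-id", "redirect-port"}
PORT_RE = re.compile(r"^\d+(:\d+)?$")  # "45", or slot:port such as "3:5" on a stack


def lint_policy(text):
    """Return findings for an EXOS-style .pol text; an empty list means it looks clean."""
    findings, depth, entry, in_then, actions = [], 0, None, False, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"entry\s+(\S+)\s*\{", line)
        if m:
            entry = m.group(1)
            actions[entry] = set()
        if "}" in line and "then" not in line:   # a '}' line closes the then-block ...
            in_then = False
        if "then" in line:                        # ... unless it is the '} then {' line
            in_then = True
        depth += line.count("{") - line.count("}")
        if in_then and "{" not in line and "}" not in line:   # an action statement
            if not line.endswith(";"):
                findings.append(f"line {lineno}: action '{line}' is missing ';'")
            parts = line.rstrip(";").split()
            keyword, arg = parts[0], (parts[1] if len(parts) > 1 else "")
            actions.setdefault(entry, set()).add(keyword)
            if keyword not in KNOWN_ACTIONS:
                findings.append(f"line {lineno}: unknown action '{keyword}'")
            elif keyword == "redirect-port" and not PORT_RE.match(arg):
                findings.append(f"line {lineno}: redirect-port needs a port or slot:port")
    if depth != 0:
        findings.append(f"unbalanced braces (depth {depth} at end of file)")
    for name, acts in actions.items():
        if "add-vlan-id" in acts and "class-id" not in acts:
            findings.append(f"entry {name}: add-vlan-id without class-id (needed for ingress ACLs)")
    return findings


# Constructed samples modelled on the policies posted in this thread.
UNTAGGED_TO_VLAN = "entry testing {\n if match all {\n } then {\n  permit;\n  add-vlan-id 51;\n }\n"
REDIRECT = "entry one {\n if match all {\n } then {\n  redirect-port 48\n }\n}\n"

if __name__ == "__main__":
    for name, pol in (("untagged-to-vlan", UNTAGGED_TO_VLAN), ("redirect", REDIRECT)):
        print(name, lint_policy(pol) or ["ok"])
```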

Danial Jalil
Guys, waiting for some help here?

Drew C., Community Manager
If you haven't already, please open a ticket with GTAC to help close this one out.