ACL Bug? /17 Supernet

Create Date: May 15 2013 10:01AM

Hi,

I use a Summit X670 with the ExtremeXOS 15.2.2.7 image.

I have made ACLs for the VLAN that I have created on the switch.
The (big) problem is that when I put a deny ACL at the end of the rules, for example

create access-list deny_any " source-address 0.0.0.0/0 ;" " deny  ;" application "Cli"

all ACLs that have IPs or network addresses in them don't work!

Example:
create access-list test_allow_me " source-address 10.1.1.1/32 ; protocol tcp ; destination-port 80 ;" " permit  ;" application "Cli"

Now I have tested this a lot of times, and the point is that when I make a rule with a /18 supernet or lower (also /19, /20, ...), all ACLs are working.
All network masks over /18 (also /17, /16, ...) don't work.

Is this a firmware bug?
(from mp)
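The rule pair from the post, run through a reference first-match evaluator so the switch's observed behaviour can be compared with what the rule set should do at every source prefix length. This is an added example, not code from the thread or from Extreme Networks; the subset of match keywords it understands, the implicit permit when no rule matches, the `Rule`/`Packet` helper names, the `allow_N` rule names and the test destination 192.0.2.10 are all assumptions, not taken from the post.

```python
# Reference first-match evaluator for ExtremeXOS-style dynamic ACL rules.
# Added example, not code from the thread or from Extreme Networks. It parses
# the condition/action strings of the `create access-list` lines quoted above
# and evaluates them top to bottom, so the switch's observed behaviour can be
# compared with what the rule set *should* do for every source prefix length.
# Assumptions (not taken from the page): only the match keywords used in the
# thread plus destination-address/source-port are understood, and an
# unmatched packet falls through to an implicit permit.
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

RULE_RE = re.compile(r'create access-list (\S+) "([^"]*)" "([^"]*)"')


@dataclass
class Rule:
    name: str
    conditions: dict      # keyword -> value, e.g. {"source-address": "10.1.1.1/32"}
    action: str           # "permit" or "deny"


@dataclass
class Packet:
    src: str
    dst: str
    proto: Optional[str] = None
    dport: Optional[int] = None
    sport: Optional[int] = None


def parse_rule(cli_line: str) -> Rule:
    """Parse one `create access-list NAME "cond ; cond ;" "action ;" ...` line."""
    m = RULE_RE.match(cli_line)
    if not m:
        raise ValueError(f"unrecognised rule syntax: {cli_line}")
    name, cond_str, act_str = m.groups()
    conditions = {}
    for clause in cond_str.split(";"):
        clause = clause.strip()
        if clause:
            key, _, value = clause.partition(" ")
            conditions[key] = value.strip()
    return Rule(name, conditions, act_str.strip(" ;"))


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every condition of the rule holds for the packet."""
    for key, value in rule.conditions.items():
        if key in ("source-address", "destination-address"):
            addr = pkt.src if key == "source-address" else pkt.dst
            # strict=False so 10.1.1.1/16 is read as 10.1.0.0/16, as a switch would
            if ipaddress.ip_address(addr) not in ipaddress.ip_network(value, strict=False):
                return False
        elif key == "protocol":
            if pkt.proto != value:
                return False
        elif key in ("destination-port", "source-port"):
            port = pkt.dport if key == "destination-port" else pkt.sport
            if port != int(value):
                return False
        else:
            raise ValueError(f"unsupported match keyword: {key}")
    return True


def evaluate(rules, pkt: Packet):
    """First matching rule wins; returns (rule name, action)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.name, rule.action
    return None, "permit"   # assumed implicit permit when nothing matches


def prefix_sweep(host: str = "10.1.1.1", lengths=range(16, 33)) -> dict:
    """Rebuild the post's permit/deny pair with the permit's source prefix set
    to each length in `lengths` and record what the evaluator decides for a
    TCP/80 packet from `host`. A correct first-match implementation permits
    for every length; "deny" at /17 and shorter would reproduce the report."""
    results = {}
    for n in lengths:
        net = ipaddress.ip_network(f"{host}/{n}", strict=False)
        rules = [
            parse_rule(f'create access-list allow_{n} " source-address {net} ; '
                       'protocol tcp ; destination-port 80 ;" " permit  ;" application "Cli"'),
            parse_rule('create access-list deny_any " source-address 0.0.0.0/0 ;" '
                       '" deny  ;" application "Cli"'),
        ]
        pkt = Packet(src=host, dst="192.0.2.10", proto="tcp", dport=80)
        results[n] = evaluate(rules, pkt)[1]
    return results


if __name__ == "__main__":
    for length, action in prefix_sweep().items():
        print(f"/{length}: {action}")
```

Run it and every prefix length from /16 to /32 comes back "permit"; the same sweep, pushed to the switch as real rules with `show access-list` counters or a test host behind each prefix, is what TAC would need to see to confirm that the hardware stops honouring the permit at /17 and shorter.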
Create Date: May 17 2013 11:44AM

Hello MP,


I have not tested this, so I'm not sure, although I have not heard about this being a problem until now. I would recommend opening a case with TAC to have them test it in the lab. If it is a bug, they can then send it to engineering. I will also try to test when I have a chance, which may not be for a week or so.



P

(from Paul_Russo)
Create Date: Jun 28 2013 6:29PM

I'm experiencing a similar issue:

Everything matches this policy (applied to BGP export direct for IPv6; I've changed the actual addresses for this example). It's as if the nlri directive isn't even there:

entry permit-portable-access-nets {
    if match any {
        nlri fe80:1234:8000::/33 min 33 ;
    }
    then {
        community set "23456:1" ;
        permit  ;
    }
}
entry deny-anything-else {
    if match all {
    }
    then {
        deny  ;
    }
}

I tried throwing in a route-origin icmp and changing it to match all, to create a condition that shouldn't be true no matter what, but it still permitted the routes. I've opened a TAC case; here's hoping it makes it through to someone who understands the question.

And I've verified that they are matching this policy, because if I change the permit right after the community set to a deny and refresh the policy, the routes disappear from the transmitted routes table.

(from xxiii)
Create Date: Aug 22 2013 8:06AM

Were you able to solve the problem?

(from shulik)
