Egress ACL - many TCP/UDP ports

Create Date: Feb 26 2012 12:03AM

Hello, friends!

I have a problem configuring my ex670 (EXOS 12.6.1.3, Advanced Edge)... I need to mirror, separate and filter traffic from some VLANs between two ports. I created 2 policy files,

P-FLOW1.pol
# Pass only TCP SYN segments with a low (<= 16384) source or destination port
entry FLOW-TCP-SYN-1 {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        source-port <= 16384;
        TCP-flags SYN;
    } then {
        permit;
    }
}
entry FLOW-TCP-SYN-2 {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        destination-port <= 16384;
        TCP-flags SYN;
    } then {
        permit;
    }
}
# Catch-all: everything not matched above is dropped
entry FLOW-ALL-1 {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}

P-FLOW2.pol
# Drop UDP traffic to or from ports 9995-9997, pass everything else
entry FLOW-UDP-PORTS-1 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 9995 - 9997;
    } then {
        deny;
    }
}
entry FLOW-UDP-PORTS-2 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        source-port 9995 - 9997;
    } then {
        deny;
    }
}
# Catch-all: everything not matched above is permitted
entry FLOW-ALL-2 {
    if {
        source-address 0.0.0.0/0;
    } then {
        permit;
    }
}


In config:
enable mirroring to port-list 2, 6 loopback-port 11
configure mirroring add vlan VLAN11
configure mirroring add vlan VLAN12


Mirrored traffic passing P-FLOW1 must go to port 2, mirrored traffic passing P-FLOW2 must go to port 6. I run

configure access-list P-FLOW1 port 2 egress
but the switch gives Error: ACL install operation failed - conditions specified in rule "FLOW-TCP-SYN-1" cannot be satisfied by hardware on vlan *, port 2

I need help!... Maybe there is another way to solve the problem?

(from Denis_A.P.)
Create Date: Mar 2 2012 2:41PM

I believe you are redirecting all the traffic to ports 2 and 6 and then you want to filter it based on your ACLs. I am not sure if you can apply any ACLs on the ports that you are mirroring the traffic to (2, 6) as they do not belong to any VLANs. They simply get the mirrored traffic.

I would suggest you use a flow redirect, which would be very helpful in your case, instead of mirroring the traffic. Use the conditions to match the traffic and redirect the traffic to the desired port.

(from Arpit_Bhatt)
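To make the flow-redirect suggestion concrete, below is an added example policy (my own, not code posted by anyone in this thread) that takes the two flow classes singled out in P-FLOW1 and P-FLOW2 and handles them with EXOS's redirect-port action in an ingress ACL on the monitored VLANs, instead of mirroring plus an egress ACL on the destination port. The policy name P-REDIR and the entry names are assumptions, and so is the assumption that the X670 hardware accepts these match conditions at ingress; that still has to be confirmed by installing the policy on the switch. Two caveats a practitioner should keep in mind: redirect-port diverts matching frames rather than copying them, so the hosts on VLAN11/VLAN12 no longer receive them, and for the same reason this cannot reproduce P-FLOW2's "everything except UDP 9995-9997" semantics, since redirecting all remaining traffic to port 6 would take it off the network.

```text
# P-REDIR.pol  (added example, not from the thread; policy and entry names are assumptions)
# Ingress flow redirect replacing the mirror + egress-ACL design:
# low-port TCP SYN segments are redirected to port 2, UDP 9995-9997 to port 6,
# everything else keeps its normal forwarding path.
entry REDIR-TCP-SYN-SRC {
    if {
        protocol tcp;
        source-port <= 16384;
        tcp-flags SYN;
    } then {
        permit;
        redirect-port 2;
    }
}
entry REDIR-TCP-SYN-DST {
    if {
        protocol tcp;
        destination-port <= 16384;
        tcp-flags SYN;
    } then {
        permit;
        redirect-port 2;
    }
}
entry REDIR-UDP-DST {
    if {
        protocol udp;
        destination-port 9995 - 9997;
    } then {
        permit;
        redirect-port 6;
    }
}
entry REDIR-UDP-SRC {
    if {
        protocol udp;
        source-port 9995 - 9997;
    } then {
        permit;
        redirect-port 6;
    }
}
# Explicit catch-all: unmatched traffic is forwarded normally
entry REDIR-ALL {
    if {
        source-address 0.0.0.0/0;
    } then {
        permit;
    }
}

# Apply at ingress on the monitored VLANs, not egress on the destination ports:
#   configure access-list P-REDIR vlan VLAN11 ingress
#   configure access-list P-REDIR vlan VLAN12 ingress
# Then verify that the rules actually installed in hardware:
#   show access-list
```

If the install fails with the same "cannot be satisfied by hardware" message, the culprit is the match conditions (the <= range and the tcp-flags qualifier), not the action; splitting the range into exact ports or masks the hardware can express is then the next thing to try.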
Create Date: Mar 5 2012 6:57AM

Cisco 65 with Sup720bxl - a great power! And the Extreme... is only able to aggregate traffic at L2. Nothing more.

Thanks.

(from Denis_A.P.)
Create Date: Mar 5 2012 11:41AM

I would not agree with that... anyway, I believe you have resolved the issue with a different switch.

(from Arpit_Bhatt)
