EXOS access-list / policy question

  • 0
  • 1
  • Question
  • Updated 3 years ago
  • Answered
For an customer project i use access-list / policy to block VRRP multicast traffic to achieve VRRP Active / Active Situation. i have a X670V with V16.1.2.14 patch 1-4.

To block multicast traffic i have to apply the ACL to the ISC Link - in my setup this is a sharing of 1:49 and 2:49 (40GB Link).

My question is now - why should i have to bind the ACL in both sharing ports (it only works if i bind this in both ports) ?! I expect because this is a sharing link i have only bind this to the config master port ?!

Secondly -  how can i check if a ACL have hits ?

* Slot-1 XXXXXXX.29 # sh access-list counter ingress
* Slot-1 XXXXXXX.29 #
* Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress
* Slot-1 XXXXXXX.31 #

No Command (which i guess that seems to be correct) does generate any output!

Bug or feature ?

Photo of M.Nees

M.Nees, Embassador

  • 9,958 Points 5k badge 2x thumb

Posted 3 years ago

  • 0
  • 1
Photo of Henrique

Henrique, Employee

  • 10,342 Points 10k badge 2x thumb
Hi Matthias, since you are using LAG, the Mcast traffic might be using both links. Therefore, to accomplish the active/active VRRP scenario, the VRRP mcast address should be blocked on both ports (ISC link).

You can see any hit in the ACL by adding a counter into the ACL policy.


entry vrrp-block-rule {
           if {
               destination-address ;
                         } then {
                                deny ;
                                counter matchvrrp;

To check the counter:

show access-list counter (if the ACL is applied on ingress direction)
show access-list counter egress (if the ACL is applied on egress direction)
Photo of M.Nees

M.Nees, Embassador

  • 9,958 Points 5k badge 2x thumb
Thanks Henrique!

Can you explain me why i have to bind the acl not only to the sharing master port ? it only work if i bind it to all ports that belongs to sharing group!

Photo of Grosjean, Stephane

Grosjean, Stephane, Employee

  • 13,676 Points 10k badge 2x thumb
Hi, ACL are LAG agnostic, you need to apply them on each physical ports.