Layer-2 Protocol Tunneling ACL on X670V

  • Problem
  • Updated 3 years ago
  • Solved
ExOS is summitX-15.3.1.4-patch1-31

Examples are from ACL Solutions Guide

What is wrong with these ACLs?

* sw2.g50.kv.38 # edit policy l2pt-cdp-inentry cdp_pdu {
 if {
 ethernet-destination-address 01:00:0c:cc:cc:cc ;
 snap-type 0x2000 ;
 } then {
 replace-ethernet-destination-address 01:00:0c:cd:cd:d0 ;
 count cdp_ingress ;
 }
}

* sw2.g50.kv.39 # edit policy l2pt-cdp-outentry cdp_pdu {
 if {
 ethernet-destination-address 01:00:0c:cd:cd:d0 ;
 snap-type 0x2000 ;
 } then {
 replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
 count cdp_egress ;
 }
}

* sw2.g50.kv.40 # conf access-list l2pt-cdp-in ports 5 ingress 
Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Invalid parameter (user-defined field (UDF))
* sw2.g50.kv.41 # conf access-list l2pt-cdp-out ports 5 egress 

Error: ACL install operation failed - conditions specified in rule "cdp_pdu" cannot be satisfied by hardware on vlan *, port 5
* sw2.g50.kv.42 # 
Pavel Koroteev

Posted 3 years ago

Dorian Perry, Employee

Hi Pavel,

snap-type can be used as a match condition for Ingress ACLs only and therefore should be removed from policy l2pt-cdp-outentry.

Also according to https://wiki.wireshark.org/CDP,
The protocol ID of CDP is 0x2000.
The SNAP value is 0xaa.
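To make concrete what the two cdp_pdu rules in the question match and rewrite, here is a small Python model of them (added example; it is not EXOS code and not from the thread or from Extreme Networks). Only the two destination MACs, the snap-type value 0x2000 and the SAP value 0xaa come from the posts above; the frame builder, the helper names and the sample CDP payload are constructed for the example. The egress side deliberately tests the destination MAC alone, matching the point that snap-type is an ingress-only condition.

```python
# Added example, not EXOS code: a Python model of the ingress/egress
# cdp_pdu rules from the thread. Frames are constructed; helper names are hypothetical.
import struct

CDP_MAC = "01:00:0c:cc:cc:cc"   # destination of native CDP PDUs (from the policy)
L2PT_MAC = "01:00:0c:cd:cd:d0"  # tunnel destination written by the ingress rule
SNAP_SAP = 0xAA                 # LLC DSAP/SSAP value that announces a SNAP header
CISCO_OUI = bytes.fromhex("00000c")
CDP_PID = 0x2000                # SNAP protocol ID of CDP (the snap-type 0x2000 match)


def mac_to_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Split an 802.3 frame into MAC header and LLC/SNAP fields.

    Raises ValueError for frames too short to hold LLC/SNAP and for
    Ethernet II frames (type field > 1500), which carry no LLC header.
    """
    if len(frame) < 22:
        raise ValueError("frame too short for 802.3 + LLC/SNAP")
    length = struct.unpack("!H", frame[12:14])[0]
    if length > 1500:
        raise ValueError("Ethernet II frame, no LLC/SNAP header")
    return {
        "dst": mac_to_str(frame[0:6]),
        "src": mac_to_str(frame[6:12]),
        "dsap": frame[14],
        "ssap": frame[15],
        "ctrl": frame[16],
        "oui": frame[17:20],
        "pid": struct.unpack("!H", frame[20:22])[0],
        "payload": frame[22:14 + length],
    }


def snap_type(f: dict):
    """SNAP protocol ID when the LLC header is 0xaa/0xaa/0x03, else None."""
    if f["dsap"] == SNAP_SAP and f["ssap"] == SNAP_SAP and f["ctrl"] == 0x03:
        return f["pid"]
    return None


def build_snap_frame(dst: str, src: str, oui: bytes, pid: int, payload: bytes) -> bytes:
    """Constructed sample frame: 802.3 header + LLC/SNAP + payload."""
    body = bytes([SNAP_SAP, SNAP_SAP, 0x03]) + oui + struct.pack("!H", pid) + payload
    return mac_to_bytes(dst) + mac_to_bytes(src) + struct.pack("!H", len(body)) + body


def build_cdp_frame(src: str, payload: bytes) -> bytes:
    return build_snap_frame(CDP_MAC, src, CISCO_OUI, CDP_PID, payload)


def apply_ingress(frame: bytes, counters: dict) -> bytes:
    """l2pt-cdp-in / cdp_pdu: match dst MAC + snap-type 0x2000, rewrite dst, count."""
    try:
        f = parse_frame(frame)
    except ValueError:
        return frame                      # no LLC/SNAP header: snap-type cannot match
    if f["dst"] == CDP_MAC and snap_type(f) == CDP_PID:
        counters["cdp_ingress"] = counters.get("cdp_ingress", 0) + 1
        return mac_to_bytes(L2PT_MAC) + frame[6:]
    return frame


def apply_egress(frame: bytes, counters: dict) -> bytes:
    """l2pt-cdp-out / cdp_pdu: egress ACLs cannot match snap-type, so only
    the destination MAC is tested before rewriting it back."""
    if mac_to_str(frame[0:6]) == L2PT_MAC:
        counters["cdp_egress"] = counters.get("cdp_egress", 0) + 1
        return mac_to_bytes(CDP_MAC) + frame[6:]
    return frame


if __name__ == "__main__":
    counts = {}
    # constructed CDP v2 stub payload: version 2, TTL 180, zero-filled body
    cdp = build_cdp_frame("00:11:22:33:44:55", bytes([0x02, 0xB4]) + b"\x00" * 20)
    tunneled = apply_ingress(cdp, counts)
    restored = apply_egress(tunneled, counts)
    print(mac_to_str(tunneled[:6]), restored == cdp, counts)
```

Running the module rewrites the constructed CDP frame to 01:00:0c:cd:cd:d0 on ingress and back to 01:00:0c:cc:cc:cc on egress, incrementing both counters once; a frame to the same MAC with a different SNAP protocol ID, or an Ethernet II frame with no LLC header, passes through both rules untouched.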
Pavel Koroteev
OK, despite the examples being from the EN official doc, I'll try :D

* sw2.g50.kv.1 # edit policy l2pt-cdp-outentry cdp_pdu {
 if {
 ethernet-destination-address 01:00:0c:cd:cd:d0 ;
# snap-type 0x2000 ;
 } then {
 replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
 count cdp_egress ;
 }
}


* sw2.g50.kv.2 # conf access-list l2pt-cdp-out ports 5 egress 
.
Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Feature unavailable (rule)
* sw2.g50.kv.3 # 

So, what's next?
Brandon Clay, Escalation Support Engineer
Hi Pavel,

What model of switch is this?

-Brandon
Pavel Koroteev
System Type:      X670V-48x
Dorian Perry, Employee
Hi Pavel,

At this point it may be time to contact GTAC. The problem appears to be with the action "replace-ethernet-destination-address" as the ACL does not cause an error when this action is removed.

Another option to consider is an EXOS upgrade to the recommended version for the X670 to use Layer 2 Protocol Tunneling.
Read about L2PT (Starting on page 2333)
http://extrcdn.extremenetworks.com/wp-content/uploads/2015/01/ExtremeXOS_15_5_User-Guide.pdf
Pavel Koroteev
So, is there a chance to transport PDUs on ExOS 15.3 on an X670V switch?

Upgrade is not suitable.