Rule SrcIPGuard

  • Question
  • Updated 2 years ago
  • Answered
  • (Edited)

Image : Extremeware  Version 7.8.4.1 [non-ssh] [base] by Build_Master on 03/18/11 05:48:45

BootROM : 8.2
7i


This started appearing in the logs


03/01/2017 14:31:23.61 <Erro:KERN> ERROR in creating ACL for Addr:10.2.244.225, Port: 4095
03/01/2017 14:31:23.61 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.244.225,Port: X96
03/01/2017 14:31:23.61 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0

More examples:


02/28/2017 09:24:05.55 <Erro:KERN> ERROR in creating ACL for Addr:10.2.244.218, Port: 4095
02/28/2017 09:24:05.55 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.244.218,Port: X96
02/28/2017 09:24:05.55 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
02/28/2017 08:29:31.56 <Erro:KERN> ERROR in creating ACL for Addr:10.2.245.79, Port: 4095
02/28/2017 08:29:31.56 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.245.79,Port: X96
02/28/2017 08:29:31.56 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
02/28/2017 07:34:17.57 <Erro:KERN> ERROR in creating ACL for Addr:10.2.245.148, Port: 4095
02/28/2017 07:34:17.57 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.245.148,Port: X96
02/28/2017 07:34:17.57 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
02/28/2017 07:01:07.56 <Erro:KERN> ERROR in creating ACL for Addr:10.2.245.125, Port: 4095
02/28/2017 07:01:07.56 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.245.125,Port: X96
02/28/2017 07:01:07.56 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
02/27/2017 12:09:10.74 <Erro:KERN> ERROR in creating ACL for Addr:10.2.244.203, Port: 4095
02/27/2017 12:09:10.74 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.244.203,Port: X96
02/27/2017 12:09:10.74 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0


Secondary question, why would you want the ipfdb ageing time set to never age out? And is the ipfdb table the equivalent of sh mac-address in other worlds?


ty

Jimmy Sands

Posted 2 years ago


Ron Huygens, Employee

The Summit 7i and ExtremeWare are completely end-of-life and have absolutely no support.
Below is an explanation and possible root cause. That is all we can give you on this platform.

My best guess is that a reboot will solve this.


This is being created by the source-IP-lockdown feature.
So why are we trying to create a source-ip-lockdown ACL? My guess is they used to have source-ip-lockdown enabled and then disabled it. Now something remains in memory that is causing us to think it is still enabled. So when we create the DHCP Client Address on a port we go through this error and fail.

This is reported by addDhcpClientAddr. He logs this right after he calls createSrcIPGuardACL and fails.
03/01/2017 14:31:23.61 <Erro:KERN> ERROR in creating ACL for Addr:10.2.244.225, Port: 4095

This is from createSrcIPGuardACL after he calls ipStaticRuleAdd and receives a failure.
03/01/2017 14:31:23.61 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.244.225,Port: X96

This is reported by ipStaticRuleAdd, of course, which is what kicks off this whole mess.
03/01/2017 14:31:23.61 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0

I think this error is being triggered by DHCP traffic. And my guess is we have an issue somewhere in either "addDhcpClientAddr" or the function calling it.
Again, we will not do any further investigation; you may check the settings for source-IP-lockdown.
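
The call chain described in the answer above, as an added example that is not part of the original thread or of ExtremeWare: a Python script that groups the three messages by timestamp, attributes each to the function the answer names, and lists the DHCP client addresses affected. The sample lines are copied from the post, except the last event, which is constructed with its middle line dropped to show a partial chain; correlating on the timestamp alone is an assumption.

```python
import re
from collections import defaultdict

# Lines copied from the thread; the 08:29:31.56 event is constructed (middle line dropped).
SAMPLE_LOG = """\
03/01/2017 14:31:23.61 <Erro:KERN> ERROR in creating ACL for Addr:10.2.244.225, Port: 4095
03/01/2017 14:31:23.61 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.244.225,Port: X96
03/01/2017 14:31:23.61 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
02/28/2017 09:24:05.55 <Erro:KERN> ERROR in creating ACL for Addr:10.2.244.218, Port: 4095
02/28/2017 09:24:05.55 <Erro:KERN> Error in creation of IP ACL for IPAddr: 10.2.244.218,Port: X96
02/28/2017 09:24:05.55 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
02/28/2017 08:29:31.56 <Erro:KERN> ERROR in creating ACL for Addr:10.2.245.79, Port: 4095
02/28/2017 08:29:31.56 <Erro:SYST> ipStaticRuleAdd: Error creating Rule SrcIPGuard-0
"""

LINE = re.compile(r"^(\S+ \S+) <\w+:\w+> (.*)$")  # timestamp, <severity:component>, message
STAGES = [  # (function the answer says logs the message, pattern, is_rule_name)
    ("addDhcpClientAddr", re.compile(r"ERROR in creating ACL for Addr:\s*([\d.]+)"), False),
    ("createSrcIPGuardACL", re.compile(r"Error in creation of IP ACL for IPAddr:\s*([\d.]+)"), False),
    ("ipStaticRuleAdd", re.compile(r"ipStaticRuleAdd: Error creating Rule (\S+)"), True),
]

def correlate(log_text):
    """Group lines that share a timestamp into one failure event."""
    events = defaultdict(lambda: {"ips": set(), "stages": set(), "rule": None})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # unrelated or malformed line
        ts, msg = m.groups()
        for func, pattern, is_rule in STAGES:
            hit = pattern.search(msg)
            if hit:
                events[ts]["stages"].add(func)
                if is_rule:
                    events[ts]["rule"] = hit.group(1)
                else:
                    events[ts]["ips"].add(hit.group(1))
                break
    return dict(events)

def summarize(events):
    """Return (timestamps with the full chain, partial ones, sorted client IPs)."""
    full = {func for func, _, _ in STAGES}
    complete = [ts for ts, e in events.items() if e["stages"] == full]
    partial = [ts for ts, e in events.items() if e["stages"] != full]
    ips = sorted({ip for e in events.values() for ip in e["ips"]})
    return complete, partial, ips
```

A partial event usually means the log was truncated or filtered before it was collected, so it is worth re-pulling the log before drawing conclusions from it.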