What is the line length limit on policy file redirect-port-list command?

Is there a line length limit in ACL policy files, if so what is it?
Is there a line continuation command to allow for longer command lengths?
Is this error trying to tell me something else?

I am getting the following error when I attempt to configure my ingress access-list:

* Slot-1 Stack.3 # configure access-list x450_fsr_afdx_a vlan afdx_a ingress
Error: Policy x450_fsr_afdx_a has syntax errors
Line 594 : 1:43,1:25,1:33,1:13,1:41,1:23,1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21,1:31 is too long.

The policy defined at line 594 is (the redirect-port-list command is all on one line, 120 characters long):
entry VL-1180 {
if match all { ethernet-destination-address 03:00:00:00:04:9C; } then { permit; redirect-port-list 1:43,1:25,1:33,1:13,1:41,1:23,1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21,1:31; } }

All of the ports listed are in the vlan:
configure vlan afdx_a add ports 1:1,1:3,1:5,1:7,1:9,1:11,1:13,1:15,1:17,1:19,1:21,1:23,1:25,1:27,1:29,1:31,1:33,1:35,1:37,1:39,1:41,1:43,1:45 untagged

Switch version:  Summit-X450-G2-48t-10GE4

* Slot-1 Stack.1 # show version
Slot-1      : 800600-00-03 1531N-42369 Rev 3.0 BootROM:    IMG:
Slot-2      :
Slot-3      :
Slot-4      :
Slot-5      :
Slot-6      :
Slot-7      :
Slot-8      :

Image   : ExtremeXOS version by release-manager
          on Mon Mar 7 16:12:04 EST 2016
BootROM :
Diagnostics : 5.3

David Winter

Posted 1 year ago

OscarK, ESE

I am not aware of a maximum line length, but instead of adding every port manually you could use action redirect-vlan (without anything behind it). This will flood the packets to all ports in the vlan.
Your ACL would look like:
entry VL-1180 {
     if match all {
        ethernet-destination-address 03:00:00:00:04:9C;
     } then {
        permit;
        redirect-vlan;
     }
}

Prashanth KG, Employee

Hi David,

It looks like the redirect-port-list is actually allowing only 64 characters, including the ;. That is why we are not able to apply the policy after a certain length. We will work internally and see if we can increase this length.

1:23,1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21 -  This does not work.

1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21 - This works.

It is not a limit on the number of ports but on the characters used after the action modifier redirect-port-list.

redirect-port-list 1:1-48;

will certainly work. So, we may need to reduce the number of characters by grouping different ports in a range.

For example, if port 1:4 is not active and not used, instead of writing 1:3,1:5

we can write 1:3-5 which will reduce the number of characters used.

Hope this helps!

David Winter

A follow-up question: if my vlan is all the odd ports, and I use a redirect-port-list as suggested (i.e. 1:3-5), will port 4 be ignored since it is not included in the vlan?

Also, I did find this statement (I guess erroneous?) in the EXOS_User_Guide_21_1.pdf:

"redirect-port-list port_list—Supports multiple redirect ports as arguments. When used in an ACL, matching packets are now redirected to multiple ports as specified in the ACL while overriding the default forwarding decision. Maximum number of ports that can be mentioned in this list is 64. (Summit X450-G2, X460-G2, X670-G2, X770, X440-G2, and X620)."

Thanks, I will give this a try.

Prashanth KG, Employee

Hi David,

For the follow-up question: if we specify the ports 3-5, port 4 will not be ignored, because redirect-port-list does not take the VLAN into consideration.
If port 4 is not active or not used, then we can use the above suggestion.

Regarding the limit on the characters as reported, I will work with Engineering and see if this limit can be increased. I will keep this thread updated.
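The character check and the range grouping Prashanth describes, written out as an added example (not code from the thread or from Extreme): it takes the 64-character limit he reports, counted after the action modifier with the ';' included, and, per his follow-up, lets a range swallow an unused port but never an active one. The function names and the "blocked" port set are my own constructs.

```python
# Added example: check a redirect-port-list against the 64-character limit reported
# in the thread (counted after the action modifier, ';' included) and shorten it
# with ranges without spanning any port that must not receive the traffic.
REDIRECT_LIST_LIMIT = 64  # value reported by Prashanth KG above, not a documented constant


def fits_limit(port_list):
    """True if 'redirect-port-list <port_list>;' stays within the reported limit."""
    return len(port_list) + len(";") <= REDIRECT_LIST_LIMIT


def parse_ports(port_list):
    """Expand items like '1:43' or '1:3-5' into a set of (slot, port) tuples."""
    ports = set()
    for item in port_list.split(","):
        slot, _, rng = item.strip().partition(":")
        lo, _, hi = rng.partition("-")
        ports.update((int(slot), p) for p in range(int(lo), int(hi or lo) + 1))
    return ports


def compress_ports(wanted, blocked=frozenset()):
    """Shortest port_list covering every (slot, port) in `wanted`.

    Adjacent ports merge into 'slot:lo-hi'. An unwanted port may be swallowed by a
    range only if it is not in `blocked`: redirect-port-list ignores VLAN membership,
    so a range spanning an active port would redirect frames to it.
    """
    groups = []  # each entry is [slot, lo, hi]
    for slot, port in sorted(wanted):
        if groups and groups[-1][0] == slot:
            prev_hi = groups[-1][2]
            if all((slot, p) not in blocked for p in range(prev_hi + 1, port)):
                groups[-1][2] = port  # extend the range across free gap ports
                continue
        groups.append([slot, port, port])
    return ",".join(f"{s}:{lo}" if lo == hi else f"{s}:{lo}-{hi}" for s, lo, hi in groups)


# Constructed copy of the 20-port list from the question above.
ORIGINAL_LIST = ("1:43,1:25,1:33,1:13,1:41,1:23,1:9,1:11,1:1,1:3,"
                 "1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21,1:31")

if __name__ == "__main__":
    wanted = parse_ports(ORIGINAL_LIST)
    active_even = {(1, p) for p in range(2, 48, 2)}  # even ports carry other traffic
    print(fits_limit(compress_ports(wanted, active_even)))  # -> False, nothing mergeable
    print(compress_ports(wanted), fits_limit(compress_ports(wanted)))  # -> 1:1-45 True
```

With the even ports marked active the odd-only VLAN cannot be shortened at all and still fails the check; with them unused the whole VLAN collapses to a single range.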