
ACL Bug? /17 Supernet

  • 7 January 2014
  • 3 replies

Create Date: May 15 2013 10:01AM

I use a Summit X670 with the image ExtremeXOS version

I have made ACLs for the VLAN that I have created on the switch.
The (big) problem is when I put a deny ACL at the end of the rules, for example:

create access-list deny_any " source-address ;" " deny ;" application "Cli"

all ACLs that have IPs or network addresses in them don't work!

create access-list test_allow_me " source-address ; protocol tcp ; destination-port 80 ;" " permit ;" application "Cli"

Now I have tested this a lot of times and the point is: when I make a rule with a /18 supernet or lower (also /19, /20 ...), all ACLs are working.
All network masks over /18 (also /17, /16 ...) don't work.

Is this a firmware bug?
(from mp)
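To pin down what the switch should be doing before comparing it with what it actually does, here is an added Python model of the two rules in the post (a permit for TCP/80 from a source network, followed by a catch-all deny). It is not code from the thread or from Extreme Networks; the source prefix 10.64.0.0 is a constructed value standing in for the addresses missing from the posted commands, and the model assumes first-match ordering with an implicit permit for traffic no rule matches.

```python
"""Expected first-match result for the ACL pair in the post: a permit for
TCP/80 from a source network, followed by a catch-all deny.

Added model, not ExtremeXOS code. Assumptions: rules are checked in order and
the first match wins; a packet matching no rule is forwarded (no implicit deny,
as in an EXOS policy file); the source prefix 10.64.0.0 is a constructed value
standing in for the addresses the poster left out of the commands.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                                      # "permit" or "deny"
    source: Optional[ipaddress.IPv4Network] = None   # None means any source
    protocol: Optional[str] = None                   # None means any protocol
    dport: Optional[int] = None                      # None means any destination port


@dataclass
class Packet:
    src: str
    protocol: str
    dport: int


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True when every condition the rule carries is satisfied by the packet."""
    if rule.source is not None and ipaddress.ip_address(pkt.src) not in rule.source:
        return False
    if rule.protocol is not None and rule.protocol != pkt.protocol:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the implicit permit."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.name
    return "permit", "implicit"


def expected_results(mask_len: int) -> dict[str, tuple[str, str]]:
    """Evaluate a few constructed packets against the two rules for one mask length.

    The result for 'edge_http' flips between /17 and /18: the host 10.64.100.7 sits
    inside 10.64.0.0/17 but outside 10.64.0.0/18, so it is the probe that tells a
    mask-handling fault apart from a plain rule-ordering mistake.
    """
    net = ipaddress.ip_network(f"10.64.0.0/{mask_len}")
    rules = [
        Rule("test_allow_me", "permit", net, "tcp", 80),   # the permit from the post
        Rule("deny_any", "deny"),                           # the trailing catch-all deny
    ]
    samples = {
        "inside_http": Packet("10.64.1.20", "tcp", 80),    # inside 10.64.0.0/x for every mask tried here
        "edge_http": Packet("10.64.100.7", "tcp", 80),     # inside /16 and /17 only
        "inside_ssh": Packet("10.64.1.20", "tcp", 22),     # right source, wrong port
        "outside_http": Packet("192.0.2.9", "tcp", 80),    # documentation range, never permitted
    }
    return {name: evaluate(rules, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    for mask in (16, 17, 18, 19, 20):
        print(f"/{mask}:", expected_results(mask))
```

Running it prints the expected verdict per mask length; sending the same four probe packets through the switch and noting which rows differ (the /17 and /16 rows, if the post's observation holds) gives a minimal, reproducible table to attach to a TAC case.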

3 replies

Create Date: May 17 2013 11:44AM

Hello MP,

I have not tested this, so I'm not sure, although I have not heard about this being a problem until now. I would recommend opening a case with TAC to have them test it in the lab. If it is a bug they can then send it to engineering. I will also try to test when I have a chance, which may not be for a week or so.

P (from Paul_Russo)
Create Date: Jun 28 2013 6:29PM

I'm experiencing a similar issue:

Everything matches this policy (applied to BGP export direct for IPv6; I've changed the actual addresses for this example). It's as if the nlri directive isn't even there:

entry permit-portable-access-nets {
    if match any {
        nlri fe80:1234:8000::/33 min 33 ;
    }
    then {
        community set "23456:1" ;
        permit ;
    }
}
entry deny-anything-else {
    if match all {
    }
    then {
        deny ;
    }
}

I tried throwing in a route-origin icmp and changing it to match all to create a condition that shouldn't be true no matter what, but it still permitted the routes. I've opened a TAC case, here's hoping it makes it through to someone who understands the question.

And I've verified that they are matching this policy because if I change the permit right after the community set to a deny and refresh the policy the routes disappear from the transmitted routes table. (from xxiii)
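As an added illustration of what the two policy entries above should produce (this is a model written for this thread, not ExtremeXOS code), here is a Python evaluator for a handful of IPv6 routes. It assumes that "nlri P min N" matches a route lying inside P with a prefix length of at least N, that an "if match all" block with no condition matches every route, and that entries are tried in order; the prefix fe80:1234:8000::/33 is an assumed reading of the emoji-mangled address in the post, which the poster says is not the real one anyway.

```python
"""Expected result of the two route-policy entries in the post above for a
handful of IPv6 routes.

Added model, not ExtremeXOS code. Assumptions: "nlri P min N" matches a route
that lies inside P and has a prefix length of at least N; an entry whose
"if match all" block carries no condition matches every route; entries are
tried in order and the first match decides. The prefix fe80:1234:8000::/33 is an
assumed reading of the emoji-mangled address in the post.
"""
from __future__ import annotations

import ipaddress
from typing import Optional


def nlri_min_matches(prefix: str, min_len: int, route: str) -> bool:
    """Model of 'nlri <prefix> min <min_len>' (assumed semantics, see above)."""
    p = ipaddress.ip_network(prefix)
    r = ipaddress.ip_network(route)
    if p.version != r.version:           # subnet_of() raises on mixed versions
        return False
    return r.subnet_of(p) and r.prefixlen >= min_len


# The policy from the post, as data: (entry name, match mode, conditions, action, community)
POLICY = [
    ("permit-portable-access-nets", "any", [("fe80:1234:8000::/33", 33)], "permit", "23456:1"),
    ("deny-anything-else", "all", [], "deny", None),
]


def entry_matches(mode: str, conditions: list[tuple[str, int]], route: str) -> bool:
    """Apply the entry's nlri conditions under 'match any' or 'match all'."""
    results = [nlri_min_matches(prefix, min_len, route) for prefix, min_len in conditions]
    if mode == "all":
        return all(results)      # all([]) is True: an empty 'match all' is a catch-all
    return any(results)          # any([]) is False: an empty 'match any' matches nothing


def evaluate(route: str) -> tuple[str, str, Optional[str]]:
    """Return (entry name, action, community) for the first entry that matches."""
    for name, mode, conditions, action, community in POLICY:
        if entry_matches(mode, conditions, route):
            return name, action, community
    return "implicit", "deny", None    # assumption: unmatched routes are not exported


def expected_export_table(routes: list[str]) -> dict[str, tuple[str, str, Optional[str]]]:
    """Verdict per route, in the order given."""
    return {route: evaluate(route) for route in routes}


if __name__ == "__main__":
    # constructed routes: two inside the /33 with length >= 33, three that are not
    for route, result in expected_export_table([
        "fe80:1234:8000::/33", "fe80:1234:a000::/35",
        "fe80:1234::/32", "fe80:1234:4000::/34", "2001:db8::/32",
    ]).items():
        print(route, "->", result)
```

Only the first two routes should reach the transmitted routes table with the community set; if a switch exports 2001:db8::/32 under this policy as well, the nlri condition is being ignored exactly as the post describes, and the printed table is the comparison to hand to TAC.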
Create Date: Aug 22 2013 8:06AM

Were you able to solve the problem? (from shulik)