Layer-2 Protocol Tunneling ACL on X670V


ExOS is summitX-15.3.1.4-patch1-31

Examples are from ACL Solutions Guide

What is wrong with these ACLs?

* sw2.g50.kv.38 # edit policy l2pt-cdp-inentry cdp_pdu {
if {
ethernet-destination-address 01:00:0c:cc:cc:cc ;
snap-type 0x2000 ;
} then {
replace-ethernet-destination-address 01:00:0c:cd:cd:d0 ;
count cdp_ingress ;
}
}

* sw2.g50.kv.39 # edit policy l2pt-cdp-outentry cdp_pdu {
if {
ethernet-destination-address 01:00:0c:cd:cd:d0 ;
snap-type 0x2000 ;
} then {
replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
count cdp_egress ;
}
}

* sw2.g50.kv.40 # conf access-list l2pt-cdp-in ports 5 ingress
Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Invalid parameter (user-defined field (UDF))
* sw2.g50.kv.41 # conf access-list l2pt-cdp-out ports 5 egress

Error: ACL install operation failed - conditions specified in rule "cdp_pdu" cannot be satisfied by hardware on vlan *, port 5
* sw2.g50.kv.42 #

6 replies

Userlevel 4
Hi Pavel,

snap-type can be used as a match condition for Ingress ACLs only and therefore should be removed from policy l2pt-cdp-outentry.

Also according to https://wiki.wireshark.org/CDP,
The protocol ID of CDP is x2000.
The SNAP value is 0xaa.
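
Added example (not part of the original thread or of Extreme's documentation): a Python model of where the two values mentioned above sit in a CDP frame, and of the destination-MAC rewrite the two policies describe. The sample frame, source MAC and function names are constructed for illustration; this models the frame layout only, not how EXOS hardware evaluates snap-type.

```python
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")     # CDP multicast address from the policies
TUNNEL_MAC = bytes.fromhex("01000ccdcdd0")  # L2PT tunnel address from the policies
CDP_PID = 0x2000                            # value the policies give to snap-type

def parse_snap(frame):
    """Return (dst, oui, pid) for an 802.3 LLC/SNAP frame, or None."""
    if len(frame) < 22:
        return None
    dst = frame[0:6]
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:            # EtherType (Ethernet II) frame, no LLC header
        return None
    dsap, ssap, ctrl = frame[14:17]
    if (dsap, ssap, ctrl) != (0xAA, 0xAA, 0x03):   # 0xaa marks a SNAP header
        return None
    oui = frame[17:20]
    (pid,) = struct.unpack("!H", frame[20:22])     # protocol ID follows the OUI
    return dst, oui, pid

def rewrite(frame, match_mac, new_mac):
    """Model one policy entry: match dst MAC and protocol ID, replace dst MAC."""
    parsed = parse_snap(frame)
    if parsed is None:
        return frame, False
    dst, _oui, pid = parsed
    if dst != match_mac or pid != CDP_PID:
        return frame, False
    return new_mac + frame[6:], True

def l2pt_ingress(frame):   # models rule cdp_pdu in l2pt-cdp-in
    return rewrite(frame, CDP_MAC, TUNNEL_MAC)

def l2pt_egress(frame):    # models rule cdp_pdu in l2pt-cdp-out
    return rewrite(frame, TUNNEL_MAC, CDP_MAC)

def build_cdp_frame(payload=b"\x02\xb4\x00\x00"):
    """Constructed sample: CDP version 2, TTL 180, checksum left as zero."""
    llc_snap = bytes([0xAA, 0xAA, 0x03]) + bytes.fromhex("00000c") + struct.pack("!H", CDP_PID)
    body = llc_snap + payload
    src = bytes.fromhex("020000000001")   # constructed locally administered MAC
    return CDP_MAC + src + struct.pack("!H", len(body)) + body
```
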
OK, despite the examples being from the EN official doc, I'll try 😃

* sw2.g50.kv.1 # edit policy l2pt-cdp-outentry cdp_pdu {
if {
ethernet-destination-address 01:00:0c:cd:cd:d0 ;
# snap-type 0x2000 ;
} then {
replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
count cdp_egress ;
}
}

* sw2.g50.kv.2 # conf access-list l2pt-cdp-out ports 5 egress
.
Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Feature unavailable (rule)
* sw2.g50.kv.3 #

So, what's next?
Userlevel 7
Hi Pavel,

What model of switch is this?

-Brandon
System Type: X670V-48x
Userlevel 4
Hi Pavel,

At this point it may be time to contact GTAC. The problem appears to be with the action "replace-ethernet-destination-address" as the ACL does not cause an error when this action is removed.

Another option to consider is an EXOS upgrade to the recommended version for the X670 to use Layer 2 Protocol Tunneling.
Read about L2PT (Starting on page 2333)
http://extrcdn.extremenetworks.com/wp-content/uploads/2015/01/ExtremeXOS_15_5_User-Guide.pdf
So, is there a chance to transport PDUs on ExOS 15.3 on an X670V switch?

Upgrade is not suitable.
