VMAN + ACL


Userlevel 6
Hello!

I have this scheme:
Cisco (vman tag) -> (port 24, vman tagged) Extreme X440 (port 23, vman untagged) -> CheckPoint
BUT the CheckPoint works in passive mode (it only receives traffic), and I can't see the MAC of the CheckPoint, so traffic doesn't go to port 23 (the X440 doesn't know whom to send it to).

Maybe an ACL with an action? But to what vlan/port do I have to map this ACL?

Thank you!

8 replies

Userlevel 6
Hi Alexandr, what about creating a static FDB/ARP entry pointing to the CheckPoint?
Userlevel 6
In this case only traffic whose destination MAC is the CheckPoint's will be forwarded to this port, but I need all traffic to be forwarded there.

For now I'm thinking of 2 variants:
1- do a mirror, like:
# create mirror test3001
# configure mirror test3001 add vlan Int3001
# enable mirror test3001 to port 21

2- do an ACL, with match condition vlan-id (present in EXOS 15.7), and some variants of actions:

redirect-name name—Specifies the name of the flow-redirect that must be used to redirect matching traffic.

redirect-port port—Overrides the forwarding decision and changes the egress port used.

mirror—Rules that contain mirror as an action modifier will use a separate slice.

What are your thoughts on these points?

Thank you!
Userlevel 6
Do you want to redirect all traffic (all vlans) or a specific vlan?

If you want to redirect a specific vlan's traffic then I believe you should use the "cvid" match condition to match the inner VLAN ID and then "redirect-port 21".

Regarding the mirroring, I'm not sure if there is any limitation when mirroring an inner vlan. A lab might be good to confirm that.
Userlevel 4
configure access-list redirect-all ports 24 ingress

Policy: redirect-all
entry one {
    if match all {
        vlan-id 77 ;    # vman outer tag
    } then {
        permit ;
        count all ;
        redirect-port 23 ;
    }
}
Number of clients bound to policy: 1
Userlevel 6
Hello, Nikolay!

I need to redirect the unpacked vlan (the vlan without the outer vman tag).

Thank you!
Userlevel 3
Did you try "disable learning vman VmanName"?

--
Jarek
Userlevel 6
Do you think that in this case all traffic will be forwarded directly to port 23?
Userlevel 3
Hi, sorry for the delay. Yes, it should send all traffic from the vman to port 23. I have tested it with a vlan and it works. I think the behavior with a vman will be the same. -- Jarek

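Added example, not code from the thread or from Extreme: a small Python model of the X440's Layer-2 forwarding for one vman on ports 24 (tagged uplink) and 23 (untagged port to the passive CheckPoint). It illustrates both fixes discussed above, Nikolay's redirect-port ACL (matching the outer "vlan-id" or, for the inner customer vlan, "cvid") and Jarek's "disable learning" on the vman. The model assumes the frames arriving on port 24 are a tapped conversation in which both endpoints' MACs appear as source addresses, so source learning pins every MAC to port 24 and frames to those MACs are then dropped instead of flooded to port 23; the MACs, tags and frames are constructed for the example, and the bridge logic is a simplification of real switch hardware.

```python
"""Model of a learning bridge for one vman, showing why a passive sensor on
port 23 stops receiving traffic once MAC learning has pinned the endpoint MACs
to the ingress port, and how 'disable learning' or an ACL redirect-port rule
(matching outer 'vlan-id' or inner 'cvid') delivers every frame.
Added example; all MACs, ports, tags and frames are constructed."""
import struct

ETH_8021AD = 0x88A8  # S-tag ethertype used by the vman (outer tag)
ETH_8021Q = 0x8100   # C-tag ethertype of the customer vlan (inner tag)
ETH_IPV4 = 0x0800


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_qinq(dst, src, outer_vid, inner_vid, payload=b"\x00" * 20):
    """Build a double-tagged frame: dst, src, S-tag, C-tag, IPv4 ethertype, payload."""
    return (mac_bytes(dst) + mac_bytes(src)
            + struct.pack("!HH", ETH_8021AD, outer_vid)
            + struct.pack("!HH", ETH_8021Q, inner_vid)
            + struct.pack("!H", ETH_IPV4) + payload)


def parse_tags(frame):
    """Return (dst, src, outer_vid, inner_vid); a missing tag is reported as None."""
    dst, src = frame[0:6].hex(":"), frame[6:12].hex(":")
    outer = inner = None
    off = 12
    etype = struct.unpack_from("!H", frame, off)[0]
    if etype in (ETH_8021AD, ETH_8021Q):
        outer = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF  # drop PCP/DEI bits
        off += 4
        etype = struct.unpack_from("!H", frame, off)[0]
        if etype == ETH_8021Q:
            inner = struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF
    return dst, src, outer, inner


class VmanBridge:
    """Learning bridge for one vman. redirect is an ACL-style rule
    (match_field, vid, egress_port) with match_field 'vlan-id' (outer tag)
    or 'cvid' (inner tag), mirroring the EXOS match conditions named in the thread."""

    def __init__(self, ports, learning=True, redirect=None):
        self.ports = ports
        self.learning = learning
        self.redirect = redirect
        self.fdb = {}  # MAC -> port, filled by source-address learning

    def forward(self, frame, ingress):
        """Return the list of egress ports the frame is sent to."""
        dst, src, outer, inner = parse_tags(frame)
        if self.learning:
            self.fdb[src] = ingress  # pins the source MAC to the port it arrived on
        if self.redirect:
            field, vid, port = self.redirect
            if (outer if field == "vlan-id" else inner) == vid:
                return [port]  # redirect-port overrides the FDB forwarding decision
        if dst in self.fdb:
            out = self.fdb[dst]
            return [] if out == ingress else [out]  # known on the ingress port: dropped
        return [p for p in self.ports if p != ingress]  # unknown unicast: flooded in the vman


# Constructed tapped conversation arriving on port 24: both endpoints' MACs
# appear as sources, as they would in a mirrored or passively fed stream.
HOST_A, HOST_B = "00:11:22:33:44:01", "00:11:22:33:44:02"
STREAM = [
    build_qinq(HOST_B, HOST_A, outer_vid=3001, inner_vid=77),
    build_qinq(HOST_A, HOST_B, outer_vid=3001, inner_vid=77),
    build_qinq(HOST_B, HOST_A, outer_vid=3001, inner_vid=77),
]


def run_scenario(learning=True, redirect=None):
    """Feed STREAM into port 24 and return the egress port list for each frame."""
    bridge = VmanBridge(ports=[23, 24], learning=learning, redirect=redirect)
    return [bridge.forward(f, ingress=24) for f in STREAM]


if __name__ == "__main__":
    print("learning on, no ACL  :", run_scenario())
    print("learning disabled    :", run_scenario(learning=False))
    print("ACL vlan-id 3001->23 :", run_scenario(redirect=("vlan-id", 3001, 23)))
    print("ACL cvid 77 -> 23    :", run_scenario(redirect=("cvid", 77, 23)))
```

With learning on and no ACL, only the first frame reaches port 23; once both MACs have been learned on port 24 every later frame is dropped, which is the symptom in the first post. Disabling learning keeps the destination unknown, so every frame floods to port 23, and a redirect-port rule on either the outer or the inner tag bypasses the FDB lookup altogether. Note that the untagged vman port 23 strips the outer S-tag on egress, so the CheckPoint receives the inner-tagged customer frame, which is what the "unpacked vlan" in the thread refers to.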