What is the line length limit on policy file redirect-port-list command?


Is there a line length limit in ACL policy files, if so what is it?
Is there a line continuation command to allow for longer command lengths?
Is this error trying to tell me something else?

I am getting the following error when I attempt to configure my ingress access-list:

* Slot-1 Stack.3 # configure access-list x450_fsr_afdx_a vlan afdx_a ingress
Error: Policy x450_fsr_afdx_a has syntax errors
Line 594 : 1:43,1:25,1:33,1:13,1:41,1:23,1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21,1:31 is too long.

The policy defined at line 594 is (the redirect-port-list command is all on one line, 120 characters long):
entry VL-1180 {
if match all { ethernet-destination-address 03:00:00:00:04:9C; } then { permit; redirect-port-list 1:43,1:25,1:33,1:13,1:41,1:23,1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21,1:31; } }

All of the ports listed are in the vlan:
configure vlan afdx_a add ports 1:1,1:3,1:5,1:7,1:9,1:11,1:13,1:15,1:17,1:19,1:21,1:23,1:25,1:27,1:29,1:31,1:33,1:35,1:37,1:39,1:41,1:43,1:45 untagged

Switch version: Summit-X450-G2-48t-10GE4

* Slot-1 Stack.1 # show version
Slot-1 : 800600-00-03 1531N-42369 Rev 3.0 BootROM: 1.0.2.1 IMG: 21.1.1.4
Slot-2 :
Slot-3 :
Slot-4 :
Slot-5 :
Slot-6 :
Slot-7 :
Slot-8 :

Image : ExtremeXOS version 21.1.1.4 by release-manager
on Mon Mar 7 16:12:04 EST 2016
BootROM : 1.0.2.1
Diagnostics : 5.3

4 replies

Userlevel 6
I am not aware of a maximum line length, but instead of adding every port manually you could use action redirect-vlan (without anything behind it). This will flood the packets to all ports in the vlan.
Your ACL would look like:
entry VL-1180 {
    if match all {
        ethernet-destination-address 03:00:00:00:04:9C;
    } then {
        redirect-vlan;
    }
}
Userlevel 6
Hi David,

It looks like the redirect-port-list is actually allowing only 64 characters, including the ;. That is why we are not able to apply the policy beyond a certain length. We will work internally and see if we can increase this length.

1:23,1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21 - This does not work.

1:9,1:11,1:1,1:3,1:19,1:15,1:17,1:5,1:7,1:45,1:27,1:39,1:21 - This works.

It is not a limit with the number of ports but the characters used after the action modifier redirect-port-list.

redirect-port-list 1:1-48;

will certainly work. So, we may need to reduce the number of characters by grouping different ports in a range.

For example, if port 1:4 is not active and not used, instead of writing 1:3,1:5

we can write 1:3-5 which will reduce the number of characters used.

Hope this helps!

A follow-up question: if my vlan is all the odd ports, and I use a redirect-port-list as suggested (i.e. 1:3-5), will port 4 be ignored since it is not included in the vlan?

Also, I did find this statement (I guess erroneous?) in the EXOS_User_Guide_21_1.pdf:

"redirect-port-list port_list—Supports multiple redirect ports as arguments. When used in an ACL, matching packets are now redirected to multiple ports as specified in the ACL while overriding the default forwarding decision. Maximum number of ports that can be mentioned in this list is 64. (Summit X450-G2, X460-G2, X670-G2, X770, X440-G2, and X620)."

Thanks, I will give this a try.
Userlevel 6
Hi David,

For the follow-up question: if we specify the ports 3-5, port 4 will not be ignored, because redirect-port-list does not take the VLAN into consideration.
If port 4 is not active or not used, then we can use the above suggestion.

Regarding the limit on the characters as reported, I will work with Engineering and see if this limit can be increased. I will keep this thread updated.

Thanks
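A small helper, added here as an example and not part of this thread or of ExtremeXOS itself, that applies the two points made above: it collapses a port list into ranges so the redirect-port-list argument stays within the 64-character limit reported in the thread (counted including the closing ;), and it only bridges a gap port such as 1:4 between 1:3 and 1:5 when the caller has listed that port as unused, since redirect-port-list ignores VLAN membership. The limit and the sample port lists come from the thread; the function names are assumptions.

```python
# Limit reported in the thread: the list plus the closing ';' must fit in 64 chars.
REDIRECT_PORT_LIST_MAX_CHARS = 64


def parse_port(text):
    """'1:23' -> (1, 23); raises ValueError for anything that is not slot:port."""
    slot, port = text.strip().split(":")
    return int(slot), int(port)


def _fmt(run):
    slot, first, last = run
    return f"{slot}:{first}" if first == last else f"{slot}:{first}-{last}"


def compress_port_list(ports, fillable=()):
    """Return slot:port tokens with consecutive ports written as ranges.

    `ports` must all receive the redirected traffic. `fillable` are ports the
    administrator has confirmed are unused, so a range may swallow them; any
    other gap port breaks the range, because redirect-port-list would forward
    to it regardless of VLAN membership. Output is sorted and de-duplicated.
    """
    wanted = sorted({parse_port(p) for p in ports})
    fill = {parse_port(p) for p in fillable}
    tokens = []
    run = None  # (slot, first, last) of the range being built
    for slot, port in wanted:
        if run and slot == run[0] and all(
            (slot, k) in fill for k in range(run[2] + 1, port)
        ):
            run = (slot, run[1], port)  # consecutive, or every gap port unused
            continue
        if run:
            tokens.append(_fmt(run))
        run = (slot, port, port)
    if run:
        tokens.append(_fmt(run))
    return tokens


def redirect_port_list_action(ports, fillable=()):
    """Build 'redirect-port-list <list>;' or raise if the argument (counted
    including the ';', as the thread reports) exceeds the limit."""
    body = ",".join(compress_port_list(ports, fillable)) + ";"
    if len(body) > REDIRECT_PORT_LIST_MAX_CHARS:
        raise ValueError(
            f"redirect-port-list argument is {len(body)} characters, "
            f"limit is {REDIRECT_PORT_LIST_MAX_CHARS}"
        )
    return "redirect-port-list " + body
```

Run against the 14-port list from the thread it raises (65 characters), while the 13-port list passes (60 characters); with all even ports declared unused it shrinks the 14-port list to 1:1-11,1:15-23,1:27,1:39,1:45.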
