
ACL for add-vlan-id


Userlevel 1
I want to add an ingress ACL to a port that adds a VLAN to untagged traffic. If the traffic is tagged, it should add a second VLAN. Following is my code, but somehow I am facing an error. Is this the right syntax to implement it?

entry testing {
    if match all {
    } then {
        permit;
        add-vlan-id 51;
    }
}

#configure access-list testing ports 4 ingress

23 replies

Userlevel 6
Can you show us the error you are seeing?
Userlevel 6
It's correct, but your switch/version needs to support this ACL action modifier. It came out in 16.1.
Userlevel 1
Stephen Williams wrote:

It's correct, but your switch/version needs to support this ACL action modifier. It came out in 16.1.

It is 21.1.1.4.
Userlevel 2
Could you try the following:
entry rule {
    if {
        vlan-format untagged;
    } then {
        add-vlan-id 51;
        class-id 2;
    }
}

I remember encountering this in a case. "Add-Vlan-Id" works with class-id. Also ensure the VLAN ID you are adding is an available VLAN on the ingress and egress ports.
Userlevel 1
Sushruth Sathyamurthy wrote:

Could you try the following:
entry rule {
    if {
        vlan-format untagged;
    } then {
        add-vlan-id 51;
        class-id 2;
    }
}

I remember encountering this in a case. "Add-Vlan-Id" works with class-id. Also ensure the VLAN ID you are adding is an available VLAN on the ingress and egress ports.

What is meant by "available VLAN"? It is already created, if that is what you are asking. If it means something else, could you please explain it? :)
Userlevel 1

It works. It seems that for an ingress ACL the class-id is needed. Thank you for the help, Sushruth, you are awesome 😉
Userlevel 1

Can you also tell me how to remove the VLAN on the other side? Is there any ACL rule or anything that can remove the added ACL on the other port at egress?
Userlevel 2

If you want to remove an ACL on a port, then the command is:
unconfig access-list ingress/egress
Userlevel 2

Available VLAN means that the VLAN must be added to both the ingress and egress ports.
Userlevel 1
Can you guys tell me how to remove the VLAN on the other side? Is there any ACL rule or anything that can remove the added ACL on the other port at egress? (What I want to achieve is an internal forwarding mechanism from one port to another, but I cannot do that with MACs/IPs, as all MACs will be the same.)
Userlevel 2
Danial Jalil wrote:

Can you guys tell me how to remove the VLAN on the other side. is there any ACL rule or anything that can remove the added acl on the other port at egress..(what i want to achieve is internal forwarding mechanism for one port to another..but i cannot do that with macs/ips as all macs will be the same)

I'm not sure I understand this question. Do you want to perform an L2 redirect from one port to another?
Userlevel 1

Yes! An untagged flow enters on, let's say, port 1 and should be redirected to, let's say, port 2. There should be no tag on the traffic when going in on port 1 and going out of port 2. How do I do this? I thought I could assign an internal VLAN to route traffic from port 1 to 2, but then how do I remove this internal VLAN when the traffic is leaving port 2? Or is there any other approach to do this?
Userlevel 2

https://gtacknowledge.extremenetworks.com/articles/How_To/How-to-configure-Layer-2-PBR

You can do an L2 redirect using the redirect-port action modifier. Refer to the attached article.
Userlevel 1

Could you please explain a bit what port 3:5 means? I mean, I am using an Extreme Networks X670, which has 48 ports, so I should just specify, let's say, redirect-port 48, right?
Userlevel 2

3:5 means slot 3 port 5. This will come into play when using chassis or stacked switches. For a single standalone switch, you can use just the port number.
Userlevel 1

I still am not able to redirect the flow from port 46 to port 45. I am receiving traffic on port 46, but it is not being redirected to port 45, as shown in the statistics. Can you tell me what I am doing wrong? Below is the configuration.

ACL....

entry one {
    if match all {
    } then {
        redirect-port 45;
    }
}

* 46 testing2 ingress 1 0

X670V-48x.40 # show ports 45-48 statistics
Port Statistics                                                  Thu Mar 29 11:21:56 2018
Port  Link   Tx Pkt   Tx Byte   Rx Pkt     Rx Byte      Rx Pkt   Rx Pkt   Tx Pkt   Tx Pkt
      State  Count    Count     Count      Count        Bcast    Mcast    Bcast    Mcast
====  =====  =======  ========  =========  ===========  =======  =======  =======  =======
45    A      0        0         0          0            0        0        0        0
46    A      0        0         1251587    1882386848   0        0        0        0
====  =====  =======  ========  =========  ===========  =======  =======  =======  =======
> in Port indicates Port Display Name truncated past 8 characters
> in Count indicates value exceeds column width. Use 'wide' option or '0' to clear.
Link State: A-Active, R-Ready, NP-Port Not Present, L-Loopback
0->Clear Counters U->page up D->page down ESC->exit
Userlevel 2

Danial, what sort of traffic is expected on port 46 ingress, tagged or untagged? Are the VLANs allowed on port 46 also allowed on port 45?
Userlevel 1

Yes, the VLANs are allowed on both ports, and untagged traffic is expected on port 46 ingress.
Userlevel 1

Any help please?
Userlevel 6

It should work. Have you removed and re-added the ACL, or refreshed the policy?
Userlevel 1

But it is not working. I have the following configuration. I am receiving the traffic with no tags, nothing, just normal Ethernet frames on port 47, but somehow the ACL is not redirecting them to port 48. Am I missing something? Guys, I need help.

* X670V-48x.54 # show access-list
Vlan Name  Port  Policy Name  Dir      Rules  Dyn Rules
=======================================================
*          47    testing      ingress  1      0

* X670V-48x.55 # vi testing.pol
entry rule {
    if match all {
    } then {
        redirect-port 48
    }
}

* X670V-48x.59 # show ports 47-48 statistics
Port Statistics                                                  Thu Apr 12 10:09:00 2018
Port  Link   Tx Pkt   Tx Byte   Rx Pkt     Rx Byte      Rx Pkt   Rx Pkt   Tx Pkt   Tx Pkt
      State  Count    Count     Count      Count        Bcast    Mcast    Bcast    Mcast
====  =====  =======  ========  =========  ===========  =======  =======  =======  =======
47    A      0        0         8469676    1084118656   0        0        0        0
48    A      0        0         0          0            0        0        0        0
====  =====  =======  ========  =========  ===========  =======  =======  =======  =======
Userlevel 1

Guys, I am still waiting for some help here.
Userlevel 7
If you haven't already, please open a ticket with GTAC to help close this one out.
