VDX-6740(7.3.0aa) - Extended Out/In ACL : not working as expected

pawarpavan — Thu, 13 Jul 2023 12:25:02 GMT

Hello Experts,

I have configured the below ACL , when I apply it "In" direction then it is working as expected

but if I apply the same ACL "out" direction then it drops the traffic for the permitted rule even.

ip access-list extended Extended_Named
seq 10 permit tcp host 192.168.11.4 gt 80 host 192.168.21.4 gt 80
seq 20 permit tcp host 192.168.11.5 lt 70 host 192.168.21.5 lt 70
seq 30 permit tcp host 192.168.11.6 neq 80 host 192.168.21.6 neq 81
seq 40 permit tcp host 192.168.11.7 range 10 20 host 192.168.21.7 range 10 20
exit

If I keep only below a single line in the ACL then it works as per config in both directions (in/out) -

ip access-list extended Extended_Named
seq 10 permit tcp host 192.168.11.4 gt 80 host 192.168.21.4 gt 80

exit

If I keep only below a single line in the ACL then it works as per config in both directions (in/out)-

ip access-list extended Extended_Named
seq 20 permit tcp host 192.168.11.5 lt 70 host 192.168.21.5 lt 70

exit

The combination of "gt" & "lt" is also not working as per config, switch drops the seq 20 traffic when it applies in the "out" direction :

ip access-list extended Extended_Named
seq 10 permit tcp host 192.168.11.4 gt 80 host 192.168.21.4 gt 80
seq 20 permit tcp host 192.168.11.5 lt 70 host 192.168.21.5 lt 70

exit

This is weird behaviour. Please confirm if this is a software bug/defect

Note - If I use "eq" in the port then no issue

-Pavan Pawar

topic VDX-6740(7.3.0aa) - Extended Out/In ACL : not working as expected in Data Center (VDX)

VDX-6740(7.3.0aa) - Extended Out/In ACL : not working as expected