topic RE: ACL Bug? /17 Supernet in ExtremeSwitching (EXOS/Switch Engine)

ACL Bug? /17 Supernet

EtherNation_Use — Wed, 08 Jan 2014 06:02:00 GMT

Create Date: May 15 2013 10:01AM

Hi,

i use a Summit x670 with the image ExtremeXOS version 15.2.2.7.

I have made acls for the vlan that i have created on the switch.
The (big) problem is when i made on the end off the rules a deny acl, example

create access-list deny_any " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"

all acls where have ips or networkaddresses in it doesnt work!

Example:
create access-list test_allow_me " source-address 10.1.1.1/32 ; protocol tcp ; destination-port 80 ;" " permit ;" application "Cli"

Now i have tested this a lot of time and the point is, when i make a rule with a /18 supernet or lower, also /19, /20 .... all acls are working.
All netwrokmask over /18 also /17, /16 ... dont work.

Is this a Firmewarebug?
(from mp)

RE: ACL Bug? /17 Supernet

EtherNation_Use — Wed, 08 Jan 2014 06:02:00 GMT

Create Date: May 17 2013 11:44AM

hello MP

I have not tested this so not sure although I have not heard about this being a problem until now. I would recommend opening a case with TAC to have them test it in the lab. If it is a bug they can then send it to engineering. I will also try to test when I have a chance which may not be for a week or so.

P (from Paul_Russo)

RE: ACL Bug? /17 Supernet

EtherNation_Use — Wed, 08 Jan 2014 06:02:00 GMT

Create Date: Jun 28 2013 6:29PM

I'm experiencing a similar issue:

Everything matches this policy (applied to bgp export direct for ipv6, I've changed the actual addresses for this example), its as if the nlri directive isn't even there:

entry permit-portable-access-nets {
if match any {
nlri fe80?8000::/33 min 33 ;
}
then {
community set "23456:1" ;
permit ;
}
}
entry deny-anything-else {
if match all {
}
then {
deny ;
}
}

I tried throwing in a route-origin icmp and changing it to match all to create a condition that shouldn't be true no matter what, but it still permitted the routes. I've opened a TAC case, here's hoping it makes it through to someone who understands the question.

And I've verified that they are matching this policy because if I change the permit right after the community set to a deny and refresh the policy the routes disappear from the transmitted routes table. (from xxiii)

RE: ACL Bug? /17 Supernet

EtherNation_Use — Wed, 08 Jan 2014 06:02:00 GMT

Create Date: Aug 22 2013 8:06AM

Were you able to solve the problem? (from shulik)