topic RE: extreme summit IP access-list on L2 Vlan? in ExtremeSwitching (EXOS/Switch Engine)

extreme summit IP access-list on L2 Vlan?

Gabriel_Poza — Mon, 02 Jul 2018 16:02:00 GMT

Dear community
i wonder if it's possible to configure an access list on the extreme summit x620-16x for entering L2 traffic (no L3 configured on the switch for this vlan) in order to deny several IP source networks on that vlan.
Thx in advance.BRGabriel.

RE: extreme summit IP access-list on L2 Vlan?

BradP — Mon, 02 Jul 2018 19:35:00 GMT

Hi Gabriel,
Yes this is possible. An EXOS switch doesn't have to have an IP address on the VLAN in order for IP based ACLs to function.
Thank you,Brad

RE: extreme summit IP access-list on L2 Vlan?

Gabriel_Poza — Mon, 02 Jul 2018 19:48:00 GMT

Thanks a lot Brad!Do you know if this have a considerable impact on the switch itself or any hot topic to consider when configuring it?BRGabriel.

RE: extreme summit IP access-list on L2 Vlan?

BradP — Mon, 02 Jul 2018 19:54:00 GMT

Hi Gabriel,
I'll refer you to the supported limits for ACLs in the EXOS 22.5 Release Note. The link can be found here: https://documentation.extremenetworks.com/release_notes/ExtremeXOS/22.5/ExtremeXOS_22.5_RelNotes.pdf
ACLs themselves are done in hardware, although the action modifier (for instance: redirect, mirror-cpu, replace-dscp, etc.) will have some CPU impact if used too aggressively.
Thanks
Brad

RE: extreme summit IP access-list on L2 Vlan?

Gabriel_Poza — Mon, 16 Jul 2018 14:44:00 GMT

Hi again,

i'm having some trouble configuring the policy file.... The goal is to permit several IP subnets on an ingress port while deny the rest. This is the way i'm trying to do it:

#1 configure policy file
vi PERMIT-Customersubnets.pol

entry PERMIT-Customersubnets {
if match any {
source-address a.b.c.d/16;
source-address e.f.g.h/24;
source-address i.j.k.l/24;
.
.
.
}
then {
count test;
permit;
}

else{
deny}
}
#2 check policy

check policy PERMIT-ORANGE-CUSTOMER-ONLY
Policy file check successful.
#3 configure access-list

configure access-list PERMIT-ORANGE-CUSTOMER-ONLY ports 2 ingress

i have the following error:
Error: Policy PERMIT-Customersubnets has syntax errors
Line 4 : Attribute source-address already exists as a match statement in Acl entry PERMIT-Customersubnets.
so ven ethe policy file seems ok, i still have errors when applying the ACL
so my 2 questions are: is it possible to configure the match-any even the policy file is being called by an access-list (i have some doubts about the 'match any' statement on the documentation)?. an the other one is about the source-address repeated objects syntax.
Thx a lotBR

RE: extreme summit IP access-list on L2 Vlan?

Gabriel_Poza — Tue, 17 Jul 2018 17:29:00 GMT