topic RE: ARP and ACLs in ExtremeSwitching (EXOS/Switch Engine)

ARP and ACLs

EtherNation_Use — Wed, 08 Jan 2014 06:04:00 GMT

Create Date: Aug 7 2013 12:45PM

Hi

trying to put an acl on the core switch for a vlan this seems to be blocking traffic between machines on the same vlan. as they are sending out arp requests which aren't answered. do i need an entry to allow arp ? please help

entry c_pc_to_rdp {
if {
source-address 172.16.100.0/22;
destination-address 10.10.115.0/24;
protocol tcp;
destination-port 3389;
} then {
permit;
}
}

entry default_allow_out {
if {
source-address 10.10.115.0/24;
} then {
permit;
}
}

entry default_deny {
if {
} then {
deny;
}
}

(from Conrad_Jones)

RE: ARP and ACLs

EtherNation_Use — Wed, 08 Jan 2014 06:04:00 GMT

Create Date: Aug 16 2013 12:10PM

Hello conradjones

i am not exactly sure what you want to achieve but the reason the arp packets are being dropped is because you have the deny all in the ACL. If you need a packet to get through then you need to put a permit into the file. If a packet hits an entry in the policy file then it will exit the acl and it hit the final deny.

hope that makes sense.

p (from Paul_Russo)

RE: ARP and ACLs

EtherNation_Use — Wed, 08 Jan 2014 06:04:00 GMT

Create Date: Aug 18 2013 10:24AM

thanks prusso

previous testing showed arp worked without needing that in the ACL, but i have a good idea why now. probably the core switch had the acl on and arp was fine between two devices on an edge switch but the acl was still blocking inter-vlan traffic as that was passing through the core to be routed. OR it was inter-vm traffic which wasn't hitting the physical switch as the VMs were on the same host.

conrad (from Conrad_Jones)