topic RE: how can I create a access-list on egress to allow only a few vlans inside a vman ? drop all doesnt work too in ExtremeSwitching (EXOS/Switch Engine)

how can I create a access-list on egress to allow only a few vlans inside a vman ? drop all doesnt work too

Immo_Wetzel — Tue, 13 Mar 2018 00:02:00 GMT

HI,
my target is to allow only a few vlans from a vman to exit a specific port.

example port 1, 2 and 3 at untagged in vman 2000.
all traffic from 1 should be forwarded to 2 and vice versa. only vlan 100 and 102 should be forwarded to port 3.. I do not know the vlans inserted into port 1 and 2 except 100 and 102 therefore the vman untagged idea.

to start I tried a deny all rule on port 3
docu say egress rule:
denyAll.pol
entry DenyAllEgress{
if {
source-address 0.0.0.0/0;
} then {
deny;
}
}but after
configure access-list denyAll ports 3 egress
still all traffic is visible at port 3 and also on the next switch...

Whats the fault and whats the solution ?

RE: how can I create a access-list on egress to allow only a few vlans inside a vman ? drop all doesnt work too

BrandonC — Tue, 13 Mar 2018 01:10:00 GMT

Hi Immo,

It sounds like what you want to do is configure port 3 as a customer edge port, allowing inner tags 100 and 102 only.

For example,
configure vman add port 3 cep cvid 100 configure vman add port 3 cep cvid 102You can see more info on this at the link below:
https://documentation.extremenetworks.com/exos_commands_22.4/EXOS_21_1/EXOS_Commands_All/r_configure...

RE: how can I create a access-list on egress to allow only a few vlans inside a vman ? drop all doesnt work too

Immo_Wetzel — Tue, 13 Mar 2018 01:10:00 GMT

ok but how about untagged and vlan 0 traffic ?