topic RE: VMAN + ACL in ExtremeSwitching (EXOS/Switch Engine)

VMAN + ACL

Alexandr_P — Tue, 12 Apr 2016 16:21:00 GMT

Hello!

Have scheme:
Cisco (vman tag) -> (port24 vman tag) Extreme X440 ( port 23 vman untag) -> CheckPoint
BUT CheckPoint work in passive mode (only receive traffic), also I can't see MAC of CheckPoint, so traffic don't go to port 23 (X440 don't know whom send it)

May be ACL with action But for what vlan/port I have to map this ACL?

Thank you!

RE: VMAN + ACL

Henrique — Tue, 12 Apr 2016 17:58:00 GMT

Hi Alexandr, what about creating an static FDB/ARP entry pointing to the checkpoint?

RE: VMAN + ACL

Alexandr_P — Tue, 12 Apr 2016 18:03:00 GMT

In this case to this port only will be forwarded traffic which have MAC-dst is Checkpoint, but I need all traffic have to be forwarded there.

For now I think 2 variants:
1- to do mirror, like:
#create mirror test3001

#configure mirror add vlan Int3001

#enable mirror to port 21

2- to do ACL, with match condition vlan-id (is present in EXOS 15.7), and some variants of actions:

redirect-name name—Specifies the name of the flow-redirect that must be used to redirect matching traffic.

redirect-port port—Overrides the forwarding decision and changes the egress port used.

mirror—Rules that contain mirror as an action modifier will use a separate slice.

What is your thoughts about this points?

Thank you!

RE: VMAN + ACL

Henrique — Tue, 12 Apr 2016 18:03:00 GMT

Do you want to redirect all traffic (all vlans) or an specific vlan?

If you want to redirect an specific vlan traffic then I believe you should use "cvid" match-condition to match the inner-Vlan ID and then "redirect-port 21"

Regarding the mirroring, I'm not sure if there is any limitation when mirroring an inner-vlan. A lab might be good to confirm that.

RE: VMAN + ACL

Necheporenko__N — Tue, 12 Apr 2016 18:03:00 GMT

configure access-list redirect-all ports 24 ingress
Policy: redirect-all
entry one {
if match all {
vlan-id 77 # vman outer tag }
then {
permit ;
count all ;
redirect-port 23 ;
}
}
Number of clients bound to policy: 1

RE: VMAN + ACL

Alexandr_P — Tue, 12 Apr 2016 18:03:00 GMT

Hello, Nikolay!

I need to redirect unpacked vlan (vlan without outer vman tag)

Thank you!

RE: VMAN + ACL

Jarek — Tue, 12 Apr 2016 18:05:00 GMT

Did you try disable learning vman VmanName ?

--
Jarek

RE: VMAN + ACL

Alexandr_P — Tue, 12 Apr 2016 18:05:00 GMT

You think in this case all traffic will be directly forward to port 23?

RE: VMAN + ACL

Jarek — Tue, 12 Apr 2016 18:05:00 GMT

Hi , Sorry for delay. Yes it should send all traffic from vman to port 23. I have tested with vlan and it works. I think with vman will be the same behavior. -- Jarek