topic how deep the packet can be analysed for acl execution in ExtremeSwitching (EXOS/Switch Engine)

how deep the packet can be analysed for acl execution

Immo_Wetzel — Wed, 05 Jun 2019 17:06:00 GMT

The ACL Solutions Guide wrote:

Once a packet comes into the ingress ACL stage, the field parser breaks the packet into importantfields. There are too many to list here, but a short list could include Layer 2, 3, and 4 fields, MAC source,MAC destination, IP source, IP destination, Layer 4 ports, VLAN ID, outer VLAN, inner VLAN, outerpriority bits, inner priority bits, protocol, TCP flags, etc., as well as metadata that is passed in the packetfrom forwarding database lookups.

but how deep packet will be anaylsed to separate the target and source ip ?
Cos I do have to allow all frames from a specific mac except if the ip (src/dest) is a specific one or the protocol is igmp and the frame can be triple vlan tagged with three stacked 0x8100 tags.

Will it work ? Do you have an example ?

Re: how deep the packet can be analysed for acl execution

Matthew_Hum — Thu, 11 Jul 2019 10:04:33 GMT

I'm not sure on which device you have and are using, but there is a precedence on traffic classification rules. This is from an old Policy manager manual I have, but unfortunately in your case, MAC is the first rule to hit. Also I'm not sure that we can identify triple TPIDs.

it sounds like you need something really custom for this.

Re: how deep the packet can be analysed for acl execution

Tomasz — Fri, 12 Jul 2019 02:57:55 GMT

Hi Immo, Matthew,

Since 30.2 in EXOS there is a new feature, seems to get expanded over time, Classification Rule Precedence Re-ordering for Policy, with MAC, IPv6, IPv4, and Layer2 as options at the moment. Please see the release notes: https://documentation.extremenetworks.com/release_notes/ExtremeXOS/30.2/downloads/GUID-239F0B67-21C6-4460-88BE-99289275F8C1.pdf

Hope that helps,
Tomasz