https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17931#M673 For an customer project i use access-list / policy to block VRRP multicast traffic to achieve VRRP Active / Active Situation. i have a X670V with V16.1.2.14 patch 1-4.<BR /> <BR /> To block multicast traffic i have to apply the ACL to the ISC Link - in my setup this is a sharing of 1:49 and 2:49 (40GB Link).<BR /> <BR /> My question is now - why should i have to bind the ACL in both sharing ports (it only works if i bind this in both ports) ?! I expect because this is a sharing link i have only bind this to the config master port ?!<BR /> <BR /> Secondly - how can i check if a ACL have hits ?<BR /> <BR /> * Slot-1 XXXXXXX.29 # sh access-list counter ingress<BR /> * Slot-1 XXXXXXX.29 #<BR /> * Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress<BR /> * Slot-1 XXXXXXX.31 #<BR /> <BR /> No Command (which i guess that seems to be correct) does generate any output!<BR /> <BR /> Bug or feature ?<BR /> <BR /> Regards<BR /> <BR /> Tue, 01 Mar 2016 20:00:00 GMT M_Nees 2016-03-01T20:00:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17931#M673 For an customer project i use access-list / policy to block VRRP multicast traffic to achieve VRRP Active / Active Situation. i have a X670V with V16.1.2.14 patch 1-4.<BR /> <BR /> To block multicast traffic i have to apply the ACL to the ISC Link - in my setup this is a sharing of 1:49 and 2:49 (40GB Link).<BR /> <BR /> My question is now - why should i have to bind the ACL in both sharing ports (it only works if i bind this in both ports) ?! I expect because this is a sharing link i have only bind this to the config master port ?!<BR /> <BR /> Secondly - how can i check if a ACL have hits ?<BR /> <BR /> * Slot-1 XXXXXXX.29 # sh access-list counter ingress<BR /> * Slot-1 XXXXXXX.29 #<BR /> * Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress<BR /> * Slot-1 XXXXXXX.31 #<BR /> <BR /> No Command (which i guess that seems to be correct) does generate any output!<BR /> <BR /> Bug or feature ?<BR /> <BR /> Regards<BR /> <BR /> Tue, 01 Mar 2016 20:00:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17931#M673 M_Nees 2016-03-01T20:00:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17932#M674 Hi Matthias, since you are using LAG, the Mcast traffic might be using both links. Therefore, to accomplish the active/active VRRP scenario, the VRRP mcast address should be blocked on both ports (ISC link).<BR /> <BR /> You can see any hit in the ACL by adding a counter into the ACL policy.<BR /> <BR /> <U>Example:</U><BR /> <BR /> <I>entry vrrp-block-rule {</I><BR /> <I> if {</I><BR /> <I> destination-address 224.0.0.18/32 ;</I><BR /> <I> } then {</I><BR /> <I> deny ;<BR /> </I><B> counter matchvrrp;</B><BR /> <I> }</I><BR /> <I>}<BR /> </I><BR /> <U>To check the counter:</U><BR /> <BR /> <I>show access-list counter (if the ACL is applied on ingress direction)<BR /> </I><I>show access-list counter egress (if the ACL is applied on egress direction)</I><I><BR /> </I> Tue, 01 Mar 2016 20:51:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17932#M674 Henrique 2016-03-01T20:51:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17933#M675 Thanks Henrique!<BR /> <BR /> Can you explain me why i have to bind the acl not only to the sharing master port ? it only work if i bind it to all ports that belongs to sharing group!<BR /> <BR /> Regards<BR /> Tue, 01 Mar 2016 22:27:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17933#M675 M_Nees 2016-03-01T22:27:00Z https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17934#M676 Hi, ACL are LAG agnostic, you need to apply them on each physical ports.<BR /> Tue, 01 Mar 2016 22:45:00 GMT https://community.extremenetworks.com/t5/extremeswitching-exos-switch/exos-access-list-policy-question/m-p/17934#M676 Stephane_Grosj1 2016-03-01T22:45:00Z