ACL on VLAN in VRF (flex-uni)

jeronimo — Wed, 01 Oct 2025 18:38:37 GMT

So we have a flex-uni port on one switch, with i-sid mapped to VLAN on another which is routing the traffic (in a dedicated VR).

All of that works, now the question is, how do I filter it, on the routing switch i.e. assign an access control list to it?

So ingress swithc has the flex-uni port

interface gi 1/1 flex-uni enable i-sid 12345 untagged port 1/1

The routing switch uses

vlan i-sid 99 12345 interface vlan 99 vrf router1 ... i-sid 12345 c-vid 567 port 1/25 # i.e. there's also a flex-uni for with that i-sid on the routing switch (in case that's important)

I tried

filter acl 101 type inVlan name "ipv4 and arp only" filter acl vlan 101 99 filter acl ace 101 11 name "allow ipv4" filter acl ace action 101 11 permit count filter acl ace ethernet 101 11 ether-type eq ip filter acl ace 101 11 enable

But counters stay at 0.
I also tried dropping some traffic but that didn't work.
Leading me to the conclusion that I'm missing something basic.

This seems to easy to fail 😉 Please advise.

Platform is 5520, FE 9.0

Re: ACL on VLAN in VRF (flex-uni)

Roger_Lapuh — Fri, 03 Oct 2025 08:58:37 GMT

did you try inVSN filter instead?

Re: ACL on VLAN in VRF (flex-uni)

jeronimo — Fri, 03 Oct 2025 09:19:11 GMT

Not yet. Usually I don't try random things but would like to understand why one doesn't work and something else must be chosen.

topic Re: ACL on VLAN in VRF (flex-uni) in ExtremeSwitching (VSP/Fabric Engine)

ACL on VLAN in VRF (flex-uni)

Re: ACL on VLAN in VRF (flex-uni)

Re: ACL on VLAN in VRF (flex-uni)