Extreme Networks

Pawel_Eljasz · ‎01-31-2019

hi everyone,

On my vdx 6740 vcs fabric with NOS 7.3.0aa I'm trying to understand ACLs, I'm testing this one:

code:

ip access-list deny_10-5-8-1 on Ve 4 at Ingress (From User)
    seq 10 permit ip host 10.5.8.49 host 10.5.8.81 (Active)
    seq 20 deny udp any host 10.5.8.254 (Active)
    seq 30 deny tcp any host 10.5.8.254 (Active)
    seq 40 deny ip any host 10.5.8.254 (Active)
    seq 50 deny ip any host 10.5.8.81 (Active)
    seq 60 permit ip any any (Active)

VE's runs with 10.5.8.254 and all the hosts/nodes connected to VCS fabric can get to this IP, no problems.
Traffic to 10.5.8.81 gets denied, as expected.

Why traffic to VE's 10.5.8.254 is not denied???
Many thanks.

Sargis_Minasyan · ‎01-31-2019

Hi Pawel,

You need to use "hard-drop" instead of "deny" for the packets that go to the control plane/VDX own addresses.

Many thanks,
Sargis

View solution in original post

Sargis_Minasyan · ‎02-01-2019

I don't really know, possibly different ways of programming the ASICs with hard-drop telling it not to trap the packets to CPU.

Pawel_Eljasz · ‎02-01-2019

But out curiosity - what is the rationale behind this logic?
Why not the same nomenclature for all?

Pawel_Eljasz · ‎02-01-2019

simplify  & many thanks.

Sargis_Minasyan · ‎01-31-2019

Hi Pawel,

You need to use "hard-drop" instead of "deny" for the packets that go to the control plane/VDX own addresses.

Many thanks,
Sargis

Extreme Networks

VE's are resilient to ACLs - by design or it's a gigantic flaw?

VE's are resilient to ACLs - by design or it's a gigantic flaw?