ACL Bug? /17 Supernet

EtherNation_Use
Contributor II
Create Date: May 15 2013 10:01AM

Hi,

I use a Summit X670 with ExtremeXOS version 15.2.2.7.

I have created ACLs for the VLAN that I created on the switch.
The (big) problem is that when I add a deny ACL at the end of the rules, for example

create access-list deny_any " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"

all ACLs that have IPs or network addresses in them no longer work!

Example:
create access-list test_allow_me " source-address 10.1.1.1/32 ; protocol tcp ; destination-port 80 ;" " permit ;" application "Cli"

Now I have tested this many times, and the point is: when I make a rule with a /18 supernet or lower (also /19, /20, ...), all ACLs work.
Any network mask above /18 (also /17, /16, ...) doesn't work.

Is this a firmware bug?
(from mp)
3 REPLIES

EtherNation_Use
Contributor II
Create Date: Aug 22 2013 8:06AM

Were you able to solve the problem? (from shulik)

EtherNation_Use
Contributor II
Create Date: Jun 28 2013 6:29PM

I'm experiencing a similar issue:

Everything matches this policy (applied to BGP export direct for IPv6; I've changed the actual addresses for this example). It's as if the nlri directive isn't even there:

entry permit-portable-access-nets {
    if match any {
        nlri fe80:8000::/33 min 33 ;
    }
    then {
        community set "23456:1" ;
        permit ;
    }
}
entry deny-anything-else {
    if match all {
    }
    then {
        deny ;
    }
}

I tried throwing in a route-origin icmp and changing it to match all, to create a condition that shouldn't be true no matter what, but it still permitted the routes. I've opened a TAC case; here's hoping it makes it through to someone who understands the question.

And I've verified that they are matching this policy, because if I change the permit right after the community set to a deny and refresh the policy, the routes disappear from the transmitted routes table. (from xxiii)
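Both posts above report a first-match rule set that misbehaves on the switch: the opening post's dynamic ACLs (a host permit followed by a deny-any, broken for source prefixes of /17 and shorter) and this reply's BGP export policy (an nlri match that is apparently ignored). The script below is an added reference model written for this thread; it is not ExtremeXOS code, does not talk to a switch, and the poster did not provide it. It parses the `create access-list` lines in the thread's own format, evaluates them first-match against a constructed packet for every prefix length from /8 to /32, and models the export policy as a first-match list where `nlri P min N` is assumed to mean "route lies within P and its length is at least N" (an assumption about EXOS semantics, not something the thread confirms). The expected results are what a correct engine should return, so they can be compared line by line against what the switch actually does. It uses only the Python standard library (`ipaddress.subnet_of` needs Python 3.7+).

```python
"""Reference first-match model for the ACLs and BGP export policy discussed above.

Added example for this thread, not ExtremeXOS code. It does not touch a switch;
it states what a correct first-match evaluation returns so the observed switch
behaviour can be compared against it.
"""
import ipaddress
import re

# Matches the EXOS dynamic ACL form used in the thread:
#   create access-list NAME "cond ; cond ;" "action ;" application "Cli"
_ACL_RE = re.compile(r'create access-list (\S+)\s+"([^"]*)"\s+"([^"]*)"')


def parse_acl(cmd):
    """Parse one 'create access-list' line into (name, {condition: value}, action)."""
    m = _ACL_RE.match(cmd.strip())
    if not m:
        raise ValueError("not a create access-list command: %r" % cmd)
    name, conds, action = m.groups()
    conditions = {}
    for part in conds.split(";"):
        part = part.strip()
        if part:
            key, value = part.split(None, 1)
            conditions[key] = value.strip()
    return name, conditions, action.strip(" ;")


def acl_matches(conditions, packet):
    """True when every condition of one ACL holds for the constructed packet dict."""
    for key, value in conditions.items():
        if key == "source-address":
            net = ipaddress.ip_network(value, strict=False)
            if ipaddress.ip_address(packet["src"]) not in net:
                return False
        elif key == "protocol":
            if packet.get("protocol") != value:
                return False
        elif key == "destination-port":
            if packet.get("dport") != int(value):
                return False
        else:
            raise ValueError("unsupported condition %r" % key)
    return True


def evaluate_acls(acl_cmds, packet, default="permit"):
    """First-match over the ACLs in order. 'default' is the action when nothing
    matches; modelled here as permit (forward), an assumption of this model."""
    for cmd in acl_cmds:
        name, conditions, action = parse_acl(cmd)
        if acl_matches(conditions, packet):
            return name, action
    return None, default


# Constructed rule pair mirroring the opening post: a permit for host/len
# ahead of the deny-any that reportedly breaks everything at /17 and shorter.
ACL_TEMPLATE = ('create access-list allow_{n} " source-address {net} ; protocol tcp ;'
                ' destination-port 80 ;" " permit ;" application "Cli"')
DENY_ANY = 'create access-list deny_any " source-address 0.0.0.0/0 ;" " deny ;" application "Cli"'


def sweep_prefix_lengths(host="10.1.1.1", lengths=range(8, 33)):
    """For each prefix length, evaluate the host's HTTP packet against
    [permit host/len, deny_any]. A correct engine permits at every length;
    the thread reports the switch denying at /17 and shorter."""
    packet = {"src": host, "protocol": "tcp", "dport": 80}  # constructed packet
    results = {}
    for n in lengths:
        net = ipaddress.ip_network("%s/%d" % (host, n), strict=False)
        rules = [ACL_TEMPLATE.format(n=n, net=net), DENY_ANY]
        results[n] = evaluate_acls(rules, packet)[1]
    return results


def nlri_matches(route, prefix, minimum=None):
    """Model of the policy test 'nlri PREFIX [min N]' (assumed semantics: route
    lies within PREFIX and its prefix length is >= N)."""
    route = ipaddress.ip_network(route, strict=False)
    prefix = ipaddress.ip_network(prefix, strict=False)
    if route.version != prefix.version or not route.subnet_of(prefix):
        return False
    return minimum is None or route.prefixlen >= minimum


# The export policy from the reply above, as ordered entries.
EXPORT_POLICY = [
    {"name": "permit-portable-access-nets", "nlri": ("fe80:8000::/33", 33),
     "actions": {"community": "23456:1", "result": "permit"}},
    {"name": "deny-anything-else", "nlri": None,  # empty 'match all' block: matches every route
     "actions": {"result": "deny"}},
]


def evaluate_policy(route, entries=EXPORT_POLICY):
    """First-match over policy entries; returns (entry name, actions)."""
    for entry in entries:
        if entry["nlri"] is None or nlri_matches(route, *entry["nlri"]):
            return entry["name"], entry["actions"]
    return None, {"result": "deny"}  # nothing matched: model denies


if __name__ == "__main__":
    for n, action in sweep_prefix_lengths().items():
        print("/%d -> %s" % (n, action))
    for r in ("fe80:8000:1::/48", "fe80:8000::/32", "2001:db8::/32"):
        print(r, "->", evaluate_policy(r))
```

Running the sweep on a correct engine prints `permit` for every length; any length where the switch instead drops the host's traffic is a point to hand to TAC together with the exact rule pair. For the policy, a /48 inside fe80:8000::/33 should take the community and be permitted, a /32 (shorter than `min 33`) and any unrelated prefix should fall through to `deny-anything-else`; the reply reports that the switch permits everything instead.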

EtherNation_Use
Contributor II
Create Date: May 17 2013 11:44AM

Hello MP,

I have not tested this, so I am not sure, although I have not heard about this being a problem until now. I would recommend opening a case with TAC to have them test it in the lab. If it is a bug, they can then send it to engineering. I will also try to test it when I have a chance, which may not be for a week or so.

P (from Paul_Russo)