This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Egress ACL - many TCP/UDP ports

Egress ACL - many TCP/UDP ports

EtherNation_Use
Contributor II

‎01-07-2014 09:51 PM

Create Date: Feb 26 2012 12:03AM

Hello, friends!

I have some problem with configure my ex670 (EXOS12.6.1.3, Advanced Edge)... I need mirror, separate and filter traffic from some VLANs between two ports. I create 2 policy files,

P-FLOW1.pol
entry FLOW-TCP-SYN-1 {
if {
source-address 0.0.0.0/0;
protocol tcp;
source-port <= 16384;
TCP-flags SYN;
} then {
permit;
}
}
entry FLOW-TCP-SYN-2 {
if {
source-address 0.0.0.0/0;
protocol tcp;
destination-port <= 16384;
TCP-flags SYN;
} then {
permit;
}
}
entry FLOW-ALL-1 {
if {
source-address 0.0.0.0/0;
} then {
deny;
}
}

P-FLOW2.pol
entry FLOW-UDP-PORTS-1 {
if {
source-address 0.0.0.0/0;
protocol udp;
destination-port 9995 - 9997;
} then {
deny;
}
}
entry FLOW-UDP-PORTS-2 {
if {
source-address 0.0.0.0/0;
protocol udp;
source-port 9995 - 9997;
} then {
deny;
}
}
entry FLOW-ALL-2 {
if {
source-address 0.0.0.0/0;
} then {
permit;
}
}

In config:
enable mirroring to port-list 2, 6 loopback-port 11
configure mirroring add vlan VLAN11
configure mirroring add vlan VLAN12

Mirror traffic across P-FLOW1 must follow to port 2, mirror traffic across P-FLOW2 must follow to port 6. I make

configure access-list P-FLOW1 port 2 egress
but switch get Error: ACL install operation failed - conditions specified in rule "FLOW-TCP-SYN-1" cannot be satisfied by hardware on vlan *, port 2

I need help!... Maybe there is another way to solve the problem?

(from Denis_A.P.)
0 Kudos
3 REPLIES 3

EtherNation_Use
Contributor II

‎01-07-2014 09:51 PM

Create Date: Mar 5 2012 11:41AM

would not agree with that...anways i believe you have resolved the issue with a different switch.

(from Arpit_Bhatt)
0 Kudos

EtherNation_Use
Contributor II

‎01-07-2014 09:51 PM

Create Date: Mar 5 2012 6:57AM

Cisco 65 with Sup720bxl - a great power! And the Extreme... able only to aggregate traffic at L2. Nothing more.

Thanx.

(from Denis_A.P.)
0 Kudos

EtherNation_Use
Contributor II

‎01-07-2014 09:51 PM

Create Date: Mar 2 2012 2:41PM

I believe you are re-directing all the traffic to port 2,6 and then you want to filter them based on your ACLs. I am not sure If you can apply any ACLs on the ports that you are mirroring the traffic to (2,6) as they do not belong to any VLAN's. They simply get the mirrored traffic.

I would suggest you use a flow re-direct which would be very helpful in your case instead of mirroring the trafffic. Use the conditions to match the traffic and re-direct the traffic to the desired port.

(from Arpit_Bhatt)
0 Kudos
GTM-P2G8KFN