Egress ACL - many TCP/UDP ports
01-07-2014 09:51 PM
Create Date: Feb 26 2012 12:03AM
Hello, friends!
I have a problem configuring my ex670 (EXOS 12.6.1.3, Advanced Edge)... I need to mirror, separate and filter traffic from some VLANs between two ports. I created 2 policy files:
P-FLOW1.pol
entry FLOW-TCP-SYN-1 {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        source-port <= 16384;
        TCP-flags SYN;
    } then {
        permit;
    }
}
entry FLOW-TCP-SYN-2 {
    if {
        source-address 0.0.0.0/0;
        protocol tcp;
        destination-port <= 16384;
        TCP-flags SYN;
    } then {
        permit;
    }
}
entry FLOW-ALL-1 {
    if {
        source-address 0.0.0.0/0;
    } then {
        deny;
    }
}
P-FLOW2.pol
entry FLOW-UDP-PORTS-1 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        destination-port 9995 - 9997;
    } then {
        deny;
    }
}
entry FLOW-UDP-PORTS-2 {
    if {
        source-address 0.0.0.0/0;
        protocol udp;
        source-port 9995 - 9997;
    } then {
        deny;
    }
}
entry FLOW-ALL-2 {
    if {
        source-address 0.0.0.0/0;
    } then {
        permit;
    }
}
In config:
enable mirroring to port-list 2, 6 loopback-port 11
configure mirroring add vlan VLAN11
configure mirroring add vlan VLAN12
Mirrored traffic matching P-FLOW1 must go to port 2, and mirrored traffic matching P-FLOW2 must go to port 6. I run
configure access-list P-FLOW1 port 2 egress
but the switch gives: Error: ACL install operation failed - conditions specified in rule "FLOW-TCP-SYN-1" cannot be satisfied by hardware on vlan *, port 2
I need help!... Maybe there is another way to solve the problem?
(from Denis_A.P.)
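As an added illustration (not code from the post or from Extreme), here is a small Python model of the two policy files: it parses the entry/if/then syntax quoted above and evaluates packets first-match, so the intended split (TCP SYN with a port at or below 16384 to one mirror port, UDP 9995-9997 dropped on the other) can be checked before touching the switch. The packet dictionaries (proto/sport/dport/flags) are a constructed representation, and source-address is only handled for the 0.0.0.0/0 the post uses.

```python
import re
# Constructed sample input: the two policy files quoted in the post, one entry per line.
P_FLOW1 = """
entry FLOW-TCP-SYN-1 { if { source-address 0.0.0.0/0; protocol tcp; source-port <= 16384; TCP-flags SYN; } then { permit; } }
entry FLOW-TCP-SYN-2 { if { source-address 0.0.0.0/0; protocol tcp; destination-port <= 16384; TCP-flags SYN; } then { permit; } }
entry FLOW-ALL-1 { if { source-address 0.0.0.0/0; } then { deny; } }
"""
P_FLOW2 = """
entry FLOW-UDP-PORTS-1 { if { source-address 0.0.0.0/0; protocol udp; destination-port 9995 - 9997; } then { deny; } }
entry FLOW-UDP-PORTS-2 { if { source-address 0.0.0.0/0; protocol udp; source-port 9995 - 9997; } then { deny; } }
entry FLOW-ALL-2 { if { source-address 0.0.0.0/0; } then { permit; } }
"""
ENTRY_RE = re.compile(r"entry\s+(\S+)\s*\{\s*if\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}", re.S)
PORT_RE = re.compile(r"^(<=|>=|<|>)?\s*(\d+)\s*(?:-\s*(\d+))?$")  # 'N', '<= N' or 'N - M'

def parse_policy(text):
    """Return [(entry name, [condition strings], action)] in file order."""
    entries = []
    for name, conds, then in ENTRY_RE.findall(text):
        cond_list = [c.strip() for c in conds.split(";") if c.strip()]
        entries.append((name, cond_list, then.strip().rstrip(";").strip()))
    return entries

def port_matches(spec, port):
    m = PORT_RE.match(spec.strip())
    if not m:
        raise ValueError("unsupported port spec: " + spec)
    op, lo, hi = m.group(1), int(m.group(2)), m.group(3)
    if hi is not None:                                   # explicit range 'N - M'
        return lo <= port <= int(hi)
    return {None: port == lo, "<=": port <= lo, ">=": port >= lo, "<": port < lo, ">": port > lo}[op]

def cond_matches(cond, pkt):
    key, _, val = (s.strip() for s in cond.lower().partition(" "))
    if key == "source-address":                          # the post only uses 0.0.0.0/0 (match-all)
        return val == "0.0.0.0/0"
    if key == "protocol":
        return pkt["proto"] == val
    if key in ("source-port", "destination-port"):
        return port_matches(val, pkt["sport" if key == "source-port" else "dport"])
    if key == "tcp-flags":                               # 'TCP-flags SYN' in the policy files
        return pkt["proto"] == "tcp" and val.upper() in pkt.get("flags", set())
    raise ValueError("unsupported condition: " + cond)

def evaluate(entries, pkt):
    """First entry whose conditions all hold decides, as the switch applies a policy."""
    for name, conds, action in entries:
        if all(cond_matches(c, pkt) for c in conds):
            return name, action
    return None, "no-match"  # both files end with a catch-all entry, so not reached for them
```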
3 REPLIES
Create Date: Mar 5 2012 11:41AM
Would not agree with that... anyway, I believe you have resolved the issue with a different switch.
(from Arpit_Bhatt)
Create Date: Mar 5 2012 6:57AM
Cisco 65 with Sup720bxl - great power! And the Extreme... is only able to aggregate traffic at L2. Nothing more.
Thanks.
(from Denis_A.P.)
Create Date: Mar 2 2012 2:41PM
I believe you are redirecting all the traffic to ports 2 and 6 and then you want to filter it based on your ACLs. I am not sure if you can apply any ACLs on the ports that you are mirroring the traffic to (2, 6), as they do not belong to any VLANs. They simply get the mirrored traffic.
I would suggest you use a flow redirect, which would be very helpful in your case, instead of mirroring the traffic. Use the conditions to match the traffic and redirect the traffic to the desired port.
(from Arpit_Bhatt)
