Extreme Networks

vobelic · ‎09-13-2016

I am implementing a tight ACL policy for our storage (NFS) VLAN.
Basically the idea is to allow only needed stuff, and block the rest.

The last drop rule matches EtherType: 0x0030 frames.
What are those? Seems something XOS related.

Stephane_Grosj1 · ‎09-21-2016

Hi,

after some digging, here's the explanation:

For ELRP, if the VLAN is tagged, the EtherType is 0x8100.

If the VLAN is untagged, the 16-bit VLAN header portion is stripped and 0x0030 shows up where EtherType would have been. However, 0x0030 is really the data length, not EtherType.

vobelic · ‎09-21-2016

Just figured out that those frames are actually ELRP configured on sw2.
Now my question is, how to allow elrp and edp frames using ACL?

My setup, two switches connected:

sw1 (x670-48x stacked on 16.1.3.6 patch1-9 with ACL applied on vlan 3226)
and
sw2 (X480-48t on 15.3.1.4 patch1-7)

I've enabled only certain addresses and protocols and finally added at last a drop_all rule on sw1

entry drop_all {
if {
}
then {
count denied-non_nfs;
mirror-cpu;
log;
deny;
}
}

configure access-list storage_nfs vlan "VLAN_3226-STORAGE_NET1_168_226" ingress

Basically logs on sw1 show:
09/21/2016 10:20:12.94 Slot-1: 00:04:96:xx:xx:xx -> 01:04:96:xx:xx:xx EtherType: 0x0030
09/21/2016 10:20:12.94 Slot-1: 66-byte packet from 1:43 (vlanId=3226) matches rule drop_all

the 00:04:96:xx:xx:xx mac is switch sw2.

Henrique · ‎09-21-2016

I have made a quick test creating an ACL to count etype 0x0030 for ELRP enabled uplinks and didn't see any increment.

That's interesting...

vobelic · ‎09-21-2016

I'll try this when i find some spare time.

And it's definitely ELRP, as there are no more entries on sw1 when I disable ELRP on sw2.
Why is it seeing ethertype 0x0030 is another thing...

Extreme Networks

EtherType 0x0030

EtherType 0x0030