Extreme Networks

M_Nees · ‎03-01-2016

For an customer project i use access-list / policy to block VRRP multicast traffic to achieve VRRP Active / Active Situation. i have a X670V with V16.1.2.14 patch 1-4.

To block multicast traffic i have to apply the ACL to the ISC Link - in my setup this is a sharing of 1:49 and 2:49 (40GB Link).

My question is now - why should i have to bind the ACL in both sharing ports (it only works if i bind this in both ports) ?! I expect because this is a sharing link i have only bind this to the config master port ?!

Secondly - how can i check if a ACL have hits ?

* Slot-1 XXXXXXX.29 # sh access-list counter ingress
* Slot-1 XXXXXXX.29 #
* Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress
* Slot-1 XXXXXXX.31 #

No Command (which i guess that seems to be correct) does generate any output!

Bug or feature ?

Regards

Stephane_Grosj1 · ‎03-01-2016

Hi, ACL are LAG agnostic, you need to apply them on each physical ports.

M_Nees · ‎03-01-2016

Thanks Henrique!

Can you explain me why i have to bind the acl not only to the sharing master port ? it only work if i bind it to all ports that belongs to sharing group!

Regards

Henrique · ‎03-01-2016

Hi Matthias, since you are using LAG, the Mcast traffic might be using both links. Therefore, to accomplish the active/active VRRP scenario, the VRRP mcast address should be blocked on both ports (ISC link).

You can see any hit in the ACL by adding a counter into the ACL policy.

Example:

entry vrrp-block-rule {
if {
destination-address 224.0.0.18/32 ;
} then {
deny ;
counter matchvrrp;
}
}

To check the counter:

show access-list counter (if the ACL is applied on ingress direction)
show access-list counter egress (if the ACL is applied on egress direction)

Extreme Networks

EXOS access-list / policy question

EXOS access-list / policy question