EXOS access-list / policy question
03-01-2016 12:00 PM
For a customer project I use an access-list / policy to block VRRP multicast traffic to achieve a VRRP active/active situation. I have an X670V with V16.1.2.14 patch 1-4.
To block the multicast traffic I have to apply the ACL to the ISC link; in my setup this is a sharing of 1:49 and 2:49 (40G link).
My question now is: why do I have to bind the ACL to both sharing ports (it only works if I bind it to both ports)?! I expected that, because this is a sharing link, I would only have to bind it to the config master port.
Secondly, how can I check whether an ACL has hits?
* Slot-1 XXXXXXX.29 # sh access-list counter ingress
* Slot-1 XXXXXXX.29 #
* Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress
* Slot-1 XXXXXXX.31 #
Neither command (which I guess seems to be correct) generates any output!
Bug or feature?
Regards
3 REPLIES
03-01-2016 02:45 PM
Hi, ACLs are LAG agnostic; you need to apply them on each physical port.
03-01-2016 02:27 PM
Thanks Henrique!
Can you explain to me why I have to bind the ACL not only to the sharing master port? It only works if I bind it to all ports that belong to the sharing group!
Regards
03-01-2016 12:51 PM
Hi Matthias, since you are using LAG, the mcast traffic might be using both links. Therefore, to accomplish the active/active VRRP scenario, the VRRP mcast address should be blocked on both ports (ISC link).
You can see any hits in the ACL by adding a counter to the ACL policy.
Example:
entry vrrp-block-rule {
    if {
        destination-address 224.0.0.18/32;
    } then {
        deny;
        count matchvrrp;
    }
}
To check the counter:
show access-list counter (if the ACL is applied in the ingress direction)
show access-list counter egress (if the ACL is applied in the egress direction)
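Putting the two replies together (bind the policy to every physical member of the sharing group, and put a count action in the policy so that show access-list counter has something to display), here is the complete sequence as an added example. It is not code from the original thread. The policy file name vrrp-block and the counter name matchvrrp are assumptions; the ports 1:49 and 2:49 are the ISC sharing members from the question, and 224.0.0.18 is the VRRP IPv4 multicast address.

```text
--- /config/vrrp-block.pol (create with "edit policy vrrp-block" or copy to the switch with tftp) ---
entry vrrp-block-rule {
    if {
        destination-address 224.0.0.18/32;
    } then {
        deny;
        count matchvrrp;
    }
}

--- EXOS CLI ---
check policy vrrp-block
configure access-list vrrp-block ports 1:49,2:49 ingress
show access-list ports 1:49 ingress
show access-list ports 2:49 ingress
clear access-list counter ports 1:49,2:49 ingress
show access-list counter ports 1:49 ingress
show access-list counter ports 2:49 ingress
```

Listing both members in one portlist binds the ACL to each physical port separately, which is what the reply means by "LAG agnostic"; binding it to 1:49 alone leaves whatever the hash sends over 2:49 unfiltered, which is the symptom described in the question. The two show access-list counter lines only print a counter because the policy contains a count action; without it the command returns nothing, as in the original output. If you change the policy file after it is bound, run refresh policy vrrp-block so the hardware entries are updated. Matching only on the destination address, as the reply does, blocks everything sent to 224.0.0.18; if you want to restrict the rule to VRRP advertisements, adding protocol 112; to the if block (VRRP is IP protocol 112) is a tightening I suggest here, not something the thread does.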
