EXOS access-list / policy question

M_Nees
Contributor III
For a customer project I use an access-list / policy to block VRRP multicast traffic to achieve a VRRP active/active situation. I have an X670V with V16.1.2.14 patch 1-4.

To block the multicast traffic I have to apply the ACL to the ISC link - in my setup this is a sharing of 1:49 and 2:49 (40GB link).

My question is now - why do I have to bind the ACL to both sharing ports (it only works if I bind it to both ports)?! I expected that, because this is a sharing link, I only have to bind it to the config master port?!

Secondly - how can I check if an ACL has hits?

* Slot-1 XXXXXXX.29 # sh access-list counter ingress
* Slot-1 XXXXXXX.29 #
* Slot-1 XXXXXXX.31 # sh access-list counter ports 2:49 ingress
* Slot-1 XXXXXXX.31 #

No command (which I guess seems to be correct) generates any output!

Bug or feature?

Regards

Stephane_Grosj1
Extreme Employee
Hi, ACLs are LAG agnostic, you need to apply them on each physical port.

M_Nees
Contributor III
Thanks Henrique!

Can you explain to me why I have to bind the ACL not only to the sharing master port? It only works if I bind it to all ports that belong to the sharing group!

Regards

Henrique
Extreme Employee
Hi Matthias, since you are using LAG, the mcast traffic might be using both links. Therefore, to accomplish the active/active VRRP scenario, the VRRP mcast address should be blocked on both ports (ISC link).

You can see any hits in the ACL by adding a counter to the ACL policy.

Example:

entry vrrp-block-rule {
    if {
        destination-address 224.0.0.18/32 ;
    } then {
        deny ;
        count matchvrrp ;
    }
}

To check the counter:

show access-list counter (if the ACL is applied in the ingress direction)
show access-list counter egress (if the ACL is applied in the egress direction)
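The complete workflow the two answers describe, written out as an added example (it is not code from either poster or from Extreme): the policy file with a counter, binding it to every physical member of the ISC sharing group, and reading the counter per member port. The port numbers 1:49 and 2:49 and the policy name vrrp-block are taken from this thread; the `protocol 112` match is an addition of mine, since VRRP advertisements are carried as IP protocol 112, so the rule does not also drop any other traffic addressed to 224.0.0.18. Lines starting with `#` are annotations for the reader, not part of the policy file or CLI.

```text
# Part 1: policy file vrrp-block.pol (on the switch: edit policy vrrp-block)
entry vrrp-block-rule {
    if {
        protocol 112 ;
        destination-address 224.0.0.18/32 ;
    } then {
        deny ;
        count matchvrrp ;
    }
}

# Part 2: EXOS CLI, run after the file is saved
check policy vrrp-block
# bind to each physical LAG member, not only the sharing master port
configure access-list vrrp-block ports 1:49,2:49 ingress
# confirm the binding shows both member ports
show access-list
# zero the counter, then let the peer send a few advertisements
clear access-list counter matchvrrp ports 1:49,2:49 ingress
show access-list counter ports 1:49 ingress
show access-list counter ports 2:49 ingress
# after changing the .pol file, re-read it without unbinding
refresh policy vrrp-block
```

Two things this makes visible that the original question ran into: `show access-list counter` prints nothing unless the policy actually contains a `count` action modifier, so empty output is expected before the counter is added; and because the LAG hashes the multicast flow onto either member, the two per-port counters are the evidence that both physical ports are blocking, whereas a single growing counter with the other stuck at zero is the symptom of a policy bound to only one member.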