
Layer-2 Protocol Tunneling ACL on X670V


AlexanderT
New Contributor
ExOS is summitX-15.3.1.4-patch1-31

Examples are from ACL Solutions Guide

What is wrong with these ACLs?

* sw2.g50.kv.38 # edit policy l2pt-cdp-in
entry cdp_pdu {
    if {
        ethernet-destination-address 01:00:0c:cc:cc:cc ;
        snap-type 0x2000 ;
    } then {
        replace-ethernet-destination-address 01:00:0c:cd:cd:d0 ;
        count cdp_ingress ;
    }
}

* sw2.g50.kv.39 # edit policy l2pt-cdp-out
entry cdp_pdu {
    if {
        ethernet-destination-address 01:00:0c:cd:cd:d0 ;
        snap-type 0x2000 ;
    } then {
        replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
        count cdp_egress ;
    }
}

* sw2.g50.kv.40 # conf access-list l2pt-cdp-in ports 5 ingress
Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Invalid parameter (user-defined field (UDF))
* sw2.g50.kv.41 # conf access-list l2pt-cdp-out ports 5 egress

Error: ACL install operation failed - conditions specified in rule "cdp_pdu" cannot be satisfied by hardware on vlan *, port 5
* sw2.g50.kv.42 #
6 REPLIES 6

AlexanderT
New Contributor
OK, despite the examples being from the EN official doc, I'll try 😄

* sw2.g50.kv.1 # edit policy l2pt-cdp-out
entry cdp_pdu {
    if {
        ethernet-destination-address 01:00:0c:cd:cd:d0 ;
        # snap-type 0x2000 ;
    } then {
        replace-ethernet-destination-address 01:00:0c:cc:cc:cc ;
        count cdp_egress ;
    }
}

* sw2.g50.kv.2 # conf access-list l2pt-cdp-out ports 5 egress
.
Error: ACL install operation failed - vlan *, port 5, rule "cdp_pdu" Feature unavailable (rule)
* sw2.g50.kv.3 #

So, what's next?

Dorian_Perry
Extreme Employee
Hi Pavel,

snap-type can be used as a match condition for Ingress ACLs only and therefore should be removed from policy l2pt-cdp-outentry.

Also according to https://wiki.wireshark.org/CDP,
The protocol ID of CDP is x2000.
The SNAP value is 0xaa.
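
As an added illustration (not part of the thread or of Extreme's documentation), the Python sketch below parses the 802.3 LLC/SNAP header that `snap-type 0x2000` refers to and models the two rewrite rules, with the egress direction matching on destination MAC only as the reply advises. Function names and the sample frame are constructed for this example; it models frame contents only and says nothing about what the switch hardware accepts.

```python
import struct

CDP_MAC = bytes.fromhex("01000ccccccc")   # 01:00:0c:cc:cc:cc, CDP multicast address
L2PT_MAC = bytes.fromhex("01000ccdcdd0")  # 01:00:0c:cd:cd:d0, tunnel MAC from the thread's policies
SNAP_SAP = 0xAA                           # DSAP/SSAP value that announces a SNAP header
CDP_PID = 0x2000                          # SNAP protocol ID of CDP (the ACL's snap-type)


def snap_type(frame: bytes):
    """Return the SNAP protocol ID of an 802.3 LLC/SNAP frame, or None."""
    if len(frame) < 22:
        return None
    (length,) = struct.unpack("!H", frame[12:14])
    if length > 1500:                     # Ethernet II EtherType, not an 802.3 length
        return None
    dsap, ssap, ctrl = frame[14:17]
    if (dsap, ssap, ctrl) != (SNAP_SAP, SNAP_SAP, 0x03):
        return None
    (pid,) = struct.unpack("!H", frame[20:22])  # bytes 17-19 hold the OUI
    return pid


def rewrite(frame: bytes, match_mac: bytes, new_mac: bytes, check_snap: bool) -> bytes:
    """Model one ACL entry: match dst MAC (optionally snap-type), replace dst MAC."""
    if frame[:6] != match_mac:
        return frame
    if check_snap and snap_type(frame) != CDP_PID:
        return frame
    return new_mac + frame[6:]


def build_cdp_frame(dst: bytes) -> bytes:
    """Constructed sample: CDP-in-SNAP frame with a 4-byte dummy payload."""
    llc_snap = bytes([SNAP_SAP, SNAP_SAP, 0x03]) + bytes.fromhex("00000c")
    payload = llc_snap + struct.pack("!H", CDP_PID) + b"\x02\xb4\x00\x00"
    src = bytes.fromhex("020000000001")   # constructed, locally administered MAC
    return dst + src + struct.pack("!H", len(payload)) + payload


if __name__ == "__main__":
    cdp = build_cdp_frame(CDP_MAC)
    tunneled = rewrite(cdp, CDP_MAC, L2PT_MAC, check_snap=True)      # ingress rule
    restored = rewrite(tunneled, L2PT_MAC, CDP_MAC, check_snap=False)  # egress rule
    print(hex(snap_type(cdp)), tunneled[:6].hex(":"), restored == cdp)
```

Without the snap-type check, the egress rule rewrites every frame addressed to the tunnel MAC, so its match is broader than the ingress rule's.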