[e-nsp] ACL Issue

Clayton Zekelman clayton at MNSi.Net
Mon Jul 21 18:39:48 EDT 2014


Hello,

We're running an Extreme Summit X460-24t 15.3.2.11 as an edge switch 
facing Torix (Toronto Internet Exchange - www.torix.net).

We've been having an issue for quite a while where the Torix switch 
will shut down our port because we're leaking packets with a MAC 
address other than the one we've got registered with the exchange.

We have an outbound ACL on the port:

Policy: torix
entry allowonlybr0 {
if match all {
     ethernet-source-address 00:22:83:32:d7:19 ;
}
then {
     permit  ;
}
}
entry denyall {
if match all {
     ethernet-source-address 00:00:00:00:00:00 mask 00:00:00:00:00:00 ;
}
then {
     deny  ;
}
}

For some reason, occasionally an ethernet frame with a different 
source MAC address is leaking through the ACL.

After running it up the chain with Extreme's support, their response is:

"the cpu-forwarded and cpu-generated packets are not blocked by an Egress ACL"

This basically makes the switch unusable at Torix, as they auto shut 
your port for 60 minutes if you leak any MAC addresses other than the 
one you've registered.

Anyone have any ideas, or do we just junk all our Extreme switches 
and start over?

---

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409
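Added example (not part of the post above, and not Extreme's or Torix's code): a small Python audit for the failure mode described, namely frames reaching the exchange with a source MAC other than the registered one. It mirrors the two entries of the quoted `torix` policy (including the all-zero address/mask "match anything" entry) so each frame can be tagged with the action the egress ACL *should* have taken, then scans a pcap taken on the Torix-facing side for source MACs that differ from the registered one. A frame that shows up as a leak while the policy says "deny" is exactly the bypass Extreme support describes. The registered MAC is the one quoted in the post; the pcap, its timestamps, and the second frame's source MAC `02:00:00:00:00:01` and LLDP-style destination are constructed here for illustration, not captured from the switch.

```python
"""Audit captured frames for source MACs other than the one registered at the IXP.

Added example, not code from the original post.  REGISTERED_MAC comes from the
post; the sample pcap below is constructed inline, not a real capture.
"""
import struct

REGISTERED_MAC = "00:22:83:32:d7:19"  # MAC registered with Torix, per the post


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def acl_matches(src, value, mask="ff:ff:ff:ff:ff:ff"):
    """Mirror `ethernet-source-address VALUE mask MASK`: only bits set in the
    mask are compared, so value 00:.. with mask 00:.. matches every frame."""
    v, m = mac_bytes(value), mac_bytes(mask)
    return all((s & mm) == (vv & mm) for s, vv, mm in zip(src, v, m))


# The two entries of the post's `torix` policy, in evaluation order.
POLICY = [
    ("allowonlybr0", "00:22:83:32:d7:19", "ff:ff:ff:ff:ff:ff", "permit"),
    ("denyall", "00:00:00:00:00:00", "00:00:00:00:00:00", "deny"),
]


def policy_action(src):
    """Action the egress ACL would take for a frame with source MAC `src`."""
    for _name, value, mask, action in POLICY:
        if acl_matches(src, value, mask):
            return action
    return "deny"  # implicit deny if nothing matched


def build_pcap(frames):
    """Write a little-endian libpcap file (LINKTYPE_ETHERNET) from (ts, frame) pairs."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in frames:
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out


def iter_pcap_frames(data):
    """Minimal libpcap reader: yields (ts_sec, frame_bytes)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        endian = "<"
    elif magic == b"\xa1\xb2\xc3\xd4":
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("expected LINKTYPE_ETHERNET")
    off = 24
    while off + 16 <= len(data):
        ts_sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec, data[off:off + incl_len]
        off += incl_len


def find_leaks(pcap, registered=REGISTERED_MAC):
    """Return [(ts, src_mac, acl_action)] for frames whose source MAC is not
    the registered one.  acl_action == "deny" means the ACL should have
    dropped the frame, i.e. it bypassed the egress ACL."""
    reg = mac_bytes(registered)
    leaks = []
    for ts, frame in iter_pcap_frames(pcap):
        if len(frame) < 14:  # not a full Ethernet header
            continue
        src = frame[6:12]
        if src != reg:
            leaks.append((ts, mac_str(src), policy_action(src)))
    return leaks


def eth(dst, src, ethertype, payload=b"\x00" * 46):
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


# Constructed sample capture: two frames from the registered MAC and one from a
# different (made-up) source MAC standing in for a CPU-generated frame.
SAMPLE_PCAP = build_pcap([
    (1405974000, eth("ff:ff:ff:ff:ff:ff", REGISTERED_MAC, 0x0806)),      # ARP, registered MAC
    (1405974001, eth("01:80:c2:00:00:0e", "02:00:00:00:00:01", 0x88cc)),  # constructed leak
    (1405974002, eth("00:00:5e:00:01:01", REGISTERED_MAC, 0x0800)),      # IPv4, registered MAC
])

if __name__ == "__main__":
    for ts, mac, action in find_leaks(SAMPLE_PCAP):
        print(f"{ts}: leaked source MAC {mac} (ACL verdict would be {action})")
```

Run it against a real capture by replacing `SAMPLE_PCAP` with the bytes of a pcap taken on the exchange-facing link (a span/mirror of the port, or a capture on the Torix side if they will share one); any line it prints is a frame that would trip the exchange's MAC filter.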