[e-nsp] ACL Issue

Changjie changjie81 at gmail.com
Mon Jul 21 21:20:22 EDT 2014


Hello Clayton,

I am thinking of the following:

1/ Can TORIX share the MAC address(es) which they detected and blocked?
Good to have the timestamps as well.

2/ I am currently not in my office to access my lab switches. If I am not
wrong, we can only count but cannot syslog on both terms,
allowonlybr0 and denyall?

3/ Does the issue happen at certain times of the day? e.g. lunch hours,
off-peak hours, etc.

I feel that once we have inputs for Point 1/, we can investigate further,
e.g. insert a term to explicitly deny this MAC and count it in place as the 2nd
entry. We can then check with TAC why this MAC doesn't fall into entry
denyall.

My 2 cents' worth.
On 22 Jul, 2014 6:43 am, "Clayton Zekelman" <clayton at mnsi.net> wrote:

>
> Hello,
>
> We're running an Extreme Summit X460-24t 15.3.2.11 as an edge switch
> facing Torix (Toronto Internet Exchange - www.torix.net).
>
> We've been having an issue for quite a while where the Torix switch will
> shut down our port because we're leaking packets with a MAC address other
> than the one we've got registered with the exchange.
>
> We have an outbound ACL on the port:
>
> Policy: torix
> entry allowonlybr0 {
> if match all {
>     ethernet-source-address 00:22:83:32:d7:19 ;
> }
> then {
>     permit  ;
> }
> }
> entry denyall {
> if match all {
>     ethernet-source-address 00:00:00:00:00:00 mask 00:00:00:00:00:00 ;
> }
> then {
>     deny  ;
> }
> }
>
> For some reason, occasionally an ethernet frame with a different source
> MAC address is leaking through the ACL.
>
> After running it up the chain with Extreme's support, their response is:
>
>
> "the cpu-forwarded and cpu-generated packets are not blocked by an Egress
> ACL"
>
>
> This basically makes the switch unusable at Torix, as they auto shut your
> port for 60 minutes if you leak any MAC addresses other than the one you've
> registered.
>
> Anyone have any ideas, or do we just junk all our Extreme switches and
> start over?
>
>
>
>
>
>
> ---
>
> Clayton Zekelman
> Managed Network Systems Inc. (MNSi)
> 3363 Tecumseh Rd. E
> Windsor, Ontario
> N8W 1H4
>
> tel. 519-985-8410
> fax. 519-985-8409
> _______________________________________________
> extreme-nsp mailing list
> extreme-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/extreme-nsp
>
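Added example, not from either poster: a small offline evaluator for the ExtremeXOS-style policy quoted above. It parses the two entries, applies the `value`/`mask` match the way the denyall entry relies on it (an all-zero mask matches every source MAC), and replays a list of observed source MACs through the policy. On a mirror of the exchange-facing port, any frame the policy says it would deny is exactly a frame that must have reached the wire by bypassing the egress ACL, which is the kind of list Point 1/ asks TORIX for. The observed MACs below are constructed sample values; an absent mask is treated as an exact match, and no matching entry is modelled as implicit permit (both assumptions, marked in the code).

```python
"""Replay observed source MACs through an ExtremeXOS-style egress policy and
report the ones the policy would have denied (candidate leaks)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The policy as quoted in the thread.
POLICY_TEXT = """
Policy: torix
entry allowonlybr0 {
if match all {
    ethernet-source-address 00:22:83:32:d7:19 ;
}
then {
    permit  ;
}
}
entry denyall {
if match all {
    ethernet-source-address 00:00:00:00:00:00 mask 00:00:00:00:00:00 ;
}
then {
    deny  ;
}
}
"""

# Constructed sample: source MACs seen on a mirror of the exchange-facing port.
# These are made-up values, not data from the thread.
OBSERVED_SRC_MACS = [
    "00:22:83:32:d7:19",  # the registered MAC, expected
    "00:22:83:32:d7:19",
    "00:04:96:ab:cd:ef",  # constructed: a frame with some other source MAC
    "00:22:83:32:D7:19",  # registered MAC again, upper-case hex
    "01:80:c2:00:00:0e",  # constructed: a control-plane style source MAC
]

EXACT_MASK = "ff:ff:ff:ff:ff:ff"  # assumption: no mask means exact match


@dataclass
class Entry:
    name: str
    src_mac: str
    mask: str
    action: str


# entry NAME { if match all|any { <conditions> } then { <actions> } }
ENTRY_RE = re.compile(
    r"entry\s+(?P<name>\S+)\s*\{\s*"
    r"if\s+match\s+(?:all|any)\s*\{(?P<cond>.*?)\}\s*"
    r"then\s*\{(?P<act>.*?)\}\s*\}",
    re.S,
)
SRC_RE = re.compile(r"ethernet-source-address\s+(\S+)(?:\s+mask\s+(\S+))?\s*;")
ACT_RE = re.compile(r"\b(permit|deny)\b")


def mac_to_int(mac: str) -> int:
    """'00:22:83:32:d7:19' -> integer; accepts ':' or '-' separators, any case."""
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(frame_mac: str, value: str, mask: str = EXACT_MASK) -> bool:
    """Masked compare: only the bits set in mask are significant, so an
    all-zero mask (as in denyall) matches every frame."""
    m = mac_to_int(mask)
    return (mac_to_int(frame_mac) & m) == (mac_to_int(value) & m)


def parse_policy(text: str) -> List[Entry]:
    """Parse entries that match on ethernet-source-address only."""
    entries: List[Entry] = []
    for m in ENTRY_RE.finditer(text):
        src = SRC_RE.search(m.group("cond"))
        act = ACT_RE.search(m.group("act"))
        if not src or not act:
            raise ValueError(f"entry {m.group('name')}: unsupported condition or action")
        entries.append(Entry(m.group("name"), src.group(1), src.group(2) or EXACT_MASK, act.group(1)))
    return entries


def evaluate(policy: List[Entry], frame_mac: str) -> Tuple[Optional[str], str]:
    """First matching entry wins; (entry name, action)."""
    for e in policy:
        if mac_matches(frame_mac, e.src_mac, e.mask):
            return e.name, e.action
    return None, "permit"  # assumption: no matching entry -> implicit permit


def find_leaks(policy: List[Entry], observed: List[str]) -> List[Tuple[str, str]]:
    """Observed source MACs the policy would deny. Seen on the wire, these are
    the frames that got past the egress ACL (e.g. CPU-generated traffic)."""
    leaks = set()
    for mac in observed:
        name, action = evaluate(policy, mac)
        if action == "deny":
            leaks.add((mac.lower(), name))
    return sorted(leaks)


if __name__ == "__main__":
    pol = parse_policy(POLICY_TEXT)
    for mac, entry in find_leaks(pol, OBSERVED_SRC_MACS):
        print(f"leak: {mac} (would be denied by entry {entry})")
```

Feed it the MACs and timestamps the exchange reports and the output is the list of candidates for an explicit deny-and-count term, which makes it easy to see whether the per-entry counters ever move for those frames or whether they never touch the hardware ACL at all.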