[e-nsp] ACL Issue

Jarek Kasjaniuk jarek.kasjaniuk at gmail.com
Wed Jul 23 19:39:07 EDT 2014


On 22.07.2014 16:28, Clayton Zekelman wrote:
> 
> 
> I don't have the info myself, but I can get it from the person who opened the ticket with Extreme when he gets back in the office later today.  I do know that multiple MAC addresses have leaked from various parts of our network, and the times are
> variable (sometimes in the middle of the night, sometimes during the afternoon, etc..)
> 
> Torix has given us packet captures which we've forwarded to TAC.  TAC said that the ACLs don't block all CPU forwarded or generated packets, and this is expected behavior, so there is no resolution.
> 
> Their suggestion was to put another switch between us and Torix, with another ACL in order to filter the traffic....
> 
> I suspect they're going to close our ticket at this point.    This is a real pain, as we have 10 of the Summit switches and two Black Diamond switches set up in a ring.  Changing to a new vendor is expensive and time consuming.
>

Hello Clayton,

I think the main point is this information -> "all CPU forwarded or generated packets".

Can you share the config for this port or the VLANs on this port? Maybe a network topology?

You can also check the items below:

1) By default Extreme has EDP enabled on all ports - run "disable edp ports all" if you don't use it

2) Do you use CDP or STP? By default these are disabled in EXOS

3) By default IGMP is running in all VLANs - if you don't use it: disable igmp vlan x, disable igmp snooping vlan x, disable igmp proxy-query vlan x, configure igmp router-alert transmit off vlan x

4) If you have configured an IP address in the Torix VLAN, the switch probably sends ARP packets (they are generated by the CPU)


Best regards
-- 
Jarek Kasjaniuk
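The checklist above (EDP, CDP/STP, IGMP, ARP) can be turned into a quick triage of the captures Torix supplied: classify each frame by the well-known destination address or protocol number the CPU-generated protocols use, and group the hits by source MAC so it is obvious which switch leaked what. The script below is an added example written for this page, not code from the thread or from Extreme; the destination MACs (00:e0:2b:00:00:00 for EDP, 01:00:0c:cc:cc:cc for CDP, 01:80:c2:00:00:00 for STP) and the IGMP protocol number are standard values taken as assumptions, and the sample frames and switch MACs are constructed, not a real TorIX capture.

```python
import struct
from collections import Counter

# Well-known destination addresses of control-plane protocols that an EXOS
# switch generates from its CPU. These values are the assumption this example
# rests on; they are not taken from the thread.
EDP_DST = bytes.fromhex("00e02b000000")  # Extreme Discovery Protocol
CDP_DST = bytes.fromhex("01000ccccccc")  # Cisco Discovery Protocol
STP_DST = bytes.fromhex("0180c2000000")  # IEEE 802.1D bridge group address
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
IPPROTO_IGMP = 2


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def classify_frame(frame):
    """Name the CPU-generated protocol a raw Ethernet frame belongs to,
    or return 'other' for ordinary forwarded traffic."""
    if len(frame) < 14:
        return "malformed"
    dst = frame[:6]
    etype = struct.unpack("!H", frame[12:14])[0]
    if dst == EDP_DST:
        return "EDP"
    if dst == CDP_DST:
        return "CDP"
    if dst == STP_DST:
        return "STP"
    if etype == ETHERTYPE_ARP:
        return "ARP"
    if etype == ETHERTYPE_IPV4 and len(frame) >= 34:
        # IPv4 protocol number sits at offset 9 of the IP header
        if frame[14 + 9] == IPPROTO_IGMP:
            return "IGMP"
    return "other"


def leak_report(frames):
    """Count, per protocol, which source MACs showed up in the capture."""
    report = {}
    for frame in frames:
        proto = classify_frame(frame)
        if proto in ("other", "malformed"):
            continue
        report.setdefault(proto, Counter())[mac_str(frame[6:12])] += 1
    return report


# --- constructed sample frames (not a real TorIX capture) -------------------

def eth(dst, src, etype, payload):
    return dst + src + struct.pack("!H", etype) + payload


def ipv4(proto, src_ip, dst_ip, payload):
    """Minimal 20-byte IPv4 header; checksum left zero, never put on a wire."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                      0, 0, 1, proto, 0, src_ip, dst_ip)
    return hdr + payload


SWITCH_A = bytes.fromhex("00049612a001")   # hypothetical Summit MACs
SWITCH_B = bytes.fromhex("00049612b002")
ALL_HOSTS = bytes.fromhex("01005e000001")  # group MAC for 224.0.0.1
BCAST = b"\xff" * 6
LLC_SNAP = b"\xaa\xaa\x03" + b"\x00" * 43   # stand-in for an EDP body

SAMPLE_FRAMES = [
    eth(EDP_DST, SWITCH_A, len(LLC_SNAP), LLC_SNAP),            # EDP hello
    eth(EDP_DST, SWITCH_B, len(LLC_SNAP), LLC_SNAP),            # EDP, second switch
    eth(ALL_HOSTS, SWITCH_A, ETHERTYPE_IPV4,                   # IGMP general query
        ipv4(IPPROTO_IGMP, bytes([10, 0, 0, 1]), bytes([224, 0, 0, 1]),
             b"\x11\x64\x00\x00\x00\x00\x00\x00")),
    eth(BCAST, SWITCH_A, ETHERTYPE_ARP,                        # ARP request
        b"\x00\x01\x08\x00\x06\x04\x00\x01" + SWITCH_A + bytes([10, 0, 0, 1])
        + b"\x00" * 6 + bytes([10, 0, 0, 2])),
    eth(bytes.fromhex("001122334455"), bytes.fromhex("66778899aabb"),
        ETHERTYPE_IPV4,                                        # ordinary TCP, ignored
        ipv4(6, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 6]), b"\x00" * 20)),
]

if __name__ == "__main__":
    for proto, sources in sorted(leak_report(SAMPLE_FRAMES).items()):
        for mac, n in sources.items():
            print("%-5s %s  x%d" % (proto, mac, n))
```

Run against a real capture by feeding the raw frame bytes to leak_report; each protocol that shows up maps straight onto one of the checklist items (EDP to "disable edp ports all", IGMP to the per-VLAN igmp commands, ARP to the IP address on the Torix VLAN), and the per-source counts tell you which ring members are still talking.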



More information about the extreme-nsp mailing list