<p dir="ltr">Hello Clayton, </p>
<p dir="ltr">I am thinking of the followings:</p>
<p dir="ltr">1/ Can TORIX shared the MAC address(es) which they detected and blocked? Good to have the timetamps as well. </p>
<p dir="ltr">2/ I currently not in my office to access my lab switches. If I am not wrong, we can only count but cannot syslog on both terms? <br>
allowonlybr0 and denyall</p>
<p dir="ltr">3/ Does the issue happen at certain timing of the day? e.g. lunch hours, off-peak hours, etc</p>
<p dir="ltr">I feel that once we have inputs for Point 1/, we can investigate further. <br>
e.g. insert a term to explicitly deny this MAC, count it n place as 2nd entry. We can then check with TAC why this MAC doesnt fall into entry denyall<br></p>
<p dir="ltr">My 2cents worth. </p>
<div class="gmail_quote">On 22 Jul, 2014 6:43 am, "Clayton Zekelman" <<a href="mailto:clayton@mnsi.net">clayton@mnsi.net</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
Hello,<br>
<br>
We're running an Extreme Summit X460-24t 15.3.2.11 as an edge switch facing Torix (Toronto Internet Exchange - <a href="http://www.torix.net" target="_blank">www.torix.net</a>).<br>
<br>
We've been having an issue for quite a while where the Torix switch will shut down our port because we're leaking packets with a MAC address other than the one we've got registered with the exchange.<br>
<br>
We have an outbound ACL on the port:<br>
<br>
Policy: torix<br>
entry allowonlybr0 {<br>
if match all {<br>
ethernet-source-address 00:22:83:32:d7:19 ;<br>
}<br>
then {<br>
permit ;<br>
}<br>
}<br>
entry denyall {<br>
if match all {<br>
ethernet-source-address 00:00:00:00:00:00 mask 00:00:00:00:00:00 ;<br>
}<br>
then {<br>
deny ;<br>
}<br>
}<br>
<br>
For some reason, occasionally an ethernet frame with a different source MAC address is leaking through the ACL.<br>
<br>
After running it up the chain with Extreme's support, their response is:<br>
<br>
<br>
"the cpu-forwarded and cpu-generated packets are not blocked by an Egress ACL "<br>
<br>
<br>
This basically makes the switch unusable at Torix, as they auto shut your port for 60 minutes if you leak any MAC addresses other than the one you've registered.<br>
<br>
Anyone have any ideas, or do we just junk all our Extreme switches and start over?<br>
<br>
<br>
<br>
<br>
<br>
<br>
---<br>
<br>
Clayton Zekelman<br>
Managed Network Systems Inc. (MNSi)<br>
3363 Tecumseh Rd. E<br>
Windsor, Ontario<br>
N8W 1H4<br>
<br>
tel. <a href="tel:519-985-8410" value="+15199858410" target="_blank">519-985-8410</a><br>
fax. <a href="tel:519-985-8409" value="+15199858409" target="_blank">519-985-8409</a> <br>
______________________________<u></u>_________________<br>
extreme-nsp mailing list<br>
<a href="mailto:extreme-nsp@puck.nether.net" target="_blank">extreme-nsp@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/extreme-nsp" target="_blank">https://puck.nether.net/<u></u>mailman/listinfo/extreme-nsp</a><br>
</blockquote></div>