Can CVID and arp-sender-address match conditions be used in the same rule in an ACL?

Information

 
Title
Can CVID and arp-sender-address match conditions be used in the same rule in an ACL?
Question
Can CVID and arp-sender-address match conditions be used in the same rule in an ACL?
Example:

Policy:
entry one {
    if match all {
        cvid 123;
        arp-sender-address 192.168.1.1/32;
    }
    then {
        deny;
    }
}

 
Environment
EXOS All
Summit All except x440G2
Answer
There are three field selectors used to accommodate ACL match conditions in slices.

Normally, because of how the hardware ACL field selectors are used, these two match conditions cannot be used together in single-wide mode, as they tend to occupy Fields 1 and 3.
To install the rule, do either of the following:
1. Use ACL double-wide mode:

configure access-list width double
This ensures that the field selectors of two slices can be used, so the rule can be installed without issues.

2. Add another match condition, such as "arp-target-address", to the same rule. The additional match condition increases the total key width required, forcing the ACL rule to occupy "Field 2". The F2 field selector is typically the widest key and can therefore accommodate the additional key width, so the rule uses Field 2 in single-wide mode.
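
One way to find affected rules before applying a policy, as an added example (not from the article or from Extreme's tooling): a Python check that flags entries whose only match conditions are cvid and arp-sender-address. It follows the article's description rather than the hardware's actual field selection; the sample policy text and the arp-target-address value are constructed.

```python
import re

# Constructed sample policy file: entry "one" is the rule from the article,
# entry "two" adds arp-target-address (the address is a made-up example).
SAMPLE_POLICY = """
entry one {
    if match all {
        cvid 123;
        arp-sender-address 192.168.1.1/32 ;
    }
    then {
        deny ;
    }
}
entry two {
    if match all {
        cvid 123;
        arp-sender-address 192.168.1.1/32;
        arp-target-address 192.168.1.254/32;
    }
    then {
        deny;
    }
}
"""

# Captures the entry name and the body of its "if" block.
ENTRY_RE = re.compile(
    r"entry\s+(\S+)\s*\{\s*if(?:\s+match\s+(?:all|any))?\s*\{(.*?)\}", re.S)
CONFLICT = {"cvid", "arp-sender-address"}


def match_keywords(if_body):
    """Return the set of match-condition keywords in an 'if' block."""
    body = re.sub(r"#.*", "", if_body)  # drop '#' comments
    return {s.split()[0].lower() for s in body.split(";") if s.strip()}


def single_wide_conflicts(policy_text):
    """Names of entries that match on cvid + arp-sender-address and nothing else."""
    return [name for name, body in ENTRY_RE.findall(policy_text)
            if match_keywords(body) == CONFLICT]


if __name__ == "__main__":
    for name in single_wide_conflicts(SAMPLE_POLICY):
        print(f"entry {name}: cvid + arp-sender-address alone; "
              "use double-wide mode or add another match condition")
```

Entries it reports need one of the two options above before they can be installed in single-wide mode.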

 
Additional notes
The same behavior is not seen on the x440G2, as its hardware usage for ACLs differs slightly from that of other G2 switches.
