ACL applied ingress on a VLAN: IP forwarded traffic is internally considered ingress

Symptoms
When an ACL is applied ingress on a VLAN, traffic that has already been IP forwarded by the switch is internally considered ingress again, and the VLAN's ingress policy is applied to it a second time. This is seen only when the ingress and egress ports are on the same slot but on different units. It does not occur when the ingress and egress ports are on the same slot and the same unit, or on different slots.
 
Environment
  • All EXOS versions
  • All hardware platforms
  • MLAG configured
Cause
The behavior appears only when MLAG is configured on the switch. ACL capability is enabled on the HiGig ports (the internal links between Broadcom units) of the BCM units on which MLAG ports are configured. Once that capability is enabled, an ACL applied to a VLAN is also applied on the HiGig ports, so traffic forwarded between units over those links is matched against the VLAN's ingress policy.
Resolution
The behavior is confirmed to be expected, and the workaround is to adjust the ACL rules to suit the requirement. For example, in the reported case the customer had the following ACL policy:

# Permit the single host, counting matches in c2
entry acl_2 {
if {
    source-address 210.117.130.177/32;
} then {
    permit;
    count c2;
}
}
# Explicit deny for everything else (EXOS permits unmatched traffic by default)
entry Any_Deny {
if {
    source-address 0.0.0.0/0;
} then {
    deny;
    count c11;
}
}

When this policy is applied as ingress on the VLAN that contains 210.117.130.177 and that host opens a connection to a device on a different VLAN, the connection is refused. After IP forwarding, the return traffic re-enters the switch over the HiGig link between the two units and is treated as ingress on the VLAN, so the VLAN's ingress policy is evaluated against it. Those return packets carry the remote device's source address, which does not match acl_2, so they fall through to Any_Deny and are dropped; the policy has no entry permitting the other network.

As a workaround, so that the policy no longer applies to traffic arriving over the HiGig links, the entries can be qualified with source-physical-port-list so that they match only traffic ingressing on the front-panel ports. Traffic re-entering over a HiGig port then matches no entry and is forwarded, since EXOS permits traffic that matches no ACL entry. The deny entry must carry the same port list; otherwise the forwarded traffic would still hit it. The policy becomes:

entry acl_2 {
if match all {
    source-address 210.117.130.177/32 ;
    # Match only on front-panel ports, so HiGig ingress never matches this entry
    source-physical-port-list 1:1-48,2:1-48,3:1-48,4:1-48 ;
} then {
    permit ;
    count c2 ;
}
}
entry Any_Deny {
if match all {
    source-address 0.0.0.0/0 ;
    # Same restriction; without it, forwarded traffic on HiGig still hits the deny
    source-physical-port-list 1:1-48,2:1-48,3:1-48,4:1-48 ;
} then {
    deny ;
    count c11 ;
}
}
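The following Python model walks through why the original policy drops the return traffic and the qualified policy does not. It is an added example, not Extreme Networks code, and it models two things the article relies on: entries are evaluated top to bottom with first match winning, and a packet matching no entry is permitted (which is why the customer needed an explicit Any_Deny). The HiGig ingress is represented by the string "higig" because it is not a front-panel slot:port, and the 10.0.20.9 address of the device on the other VLAN is constructed for the example.

```python
"""First-match evaluation of the EXOS policies on this page.

Added example, not Extreme Networks code. Assumptions: entries are evaluated
top to bottom and the first match wins; a packet matching no entry is permitted
(EXOS has no implicit deny). HiGig ingress is modelled as the string "higig",
since it is not a front-panel slot:port. 10.0.20.9 is a constructed address.
"""
import ipaddress
import re

WORKAROUND_POLICY = """
entry acl_2 {
if match all {
    source-address 210.117.130.177/32 ;
    source-physical-port-list 1:1-48,2:1-48,3:1-48,4:1-48 ;
} then {
    permit ;
    count c2 ;
}
}
entry Any_Deny {
if match all {
    source-address 0.0.0.0/0 ;
    source-physical-port-list 1:1-48,2:1-48,3:1-48,4:1-48 ;
} then {
    deny ;
    count c11 ;
}
}
"""
# The customer's original policy differs only by lacking the port-list qualifier.
ORIGINAL_POLICY = re.sub(r"\s*source-physical-port-list[^;]*;", "", WORKAROUND_POLICY)

ENTRY_RE = re.compile(
    r"entry\s+(\w+)\s*\{\s*if(?:\s+match\s+all)?\s*\{(.*?)\}\s*then\s*\{(.*?)\}\s*\}",
    re.DOTALL,
)

def parse_port_list(spec):
    """'1:1-48,2:5' -> {(1, 1), ..., (1, 48), (2, 5)}."""
    ports = set()
    for item in spec.split(","):
        slot, rng = item.strip().split(":")
        lo, _, hi = rng.partition("-")
        ports.update((int(slot), p) for p in range(int(lo), int(hi or lo) + 1))
    return ports

def parse_policy(text):
    """Parse the subset of .pol syntax used on this page into match entries."""
    entries = []
    for name, conds, actions in ENTRY_RE.findall(text):
        entry = {"name": name, "src": None, "ports": None,
                 "action": "deny" if re.search(r"\bdeny\b", actions) else "permit"}
        m = re.search(r"source-address\s+(\S+?)\s*;", conds)
        if m:
            entry["src"] = ipaddress.ip_network(m.group(1), strict=False)
        m = re.search(r"source-physical-port-list\s+([^;]+);", conds)
        if m:
            entry["ports"] = parse_port_list(m.group(1))
        entries.append(entry)
    return entries

def parse_ingress(port):
    """Front-panel 'slot:port' -> (slot, port); anything else (HiGig) -> None."""
    m = re.fullmatch(r"(\d+):(\d+)", port)
    return (int(m.group(1)), int(m.group(2))) if m else None

def evaluate(entries, src_ip, ingress_port):
    """(entry name, action) of the first matching entry, else (None, 'permit')."""
    ip = ipaddress.ip_address(src_ip)
    phys = parse_ingress(ingress_port)
    for e in entries:
        if e["src"] is not None and ip not in e["src"]:
            continue
        if e["ports"] is not None and phys not in e["ports"]:
            continue
        return e["name"], e["action"]
    return None, "permit"

def demo():
    original, fixed = parse_policy(ORIGINAL_POLICY), parse_policy(WORKAROUND_POLICY)
    return {
        # Permitted host arriving on a front-panel port: fine with either policy.
        "orig_host_front": evaluate(original, "210.117.130.177", "1:5"),
        # Return traffic from the other VLAN re-ingressing over HiGig: the symptom.
        "orig_return_higig": evaluate(original, "10.0.20.9", "higig"),
        "fixed_host_front": evaluate(fixed, "210.117.130.177", "1:5"),
        # Same return traffic: no entry matches a HiGig ingress, so implicit permit.
        "fixed_return_higig": evaluate(fixed, "10.0.20.9", "higig"),
        # Other hosts arriving on the front panel are still denied.
        "fixed_other_front": evaluate(fixed, "10.0.20.9", "1:7"),
    }
```

Running demo() shows the two outcomes side by side: with the original policy the HiGig re-ingress of 10.0.20.9 returns ('Any_Deny', 'deny'), while with the qualified policy it returns (None, 'permit') and front-panel traffic from that host is still denied. The model only covers the match conditions used on this page; a real EXOS policy can carry many more.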
