Mailing List Archive

ACL Issue
Hello,

We're running an Extreme Summit X460-24t 15.3.2.11 as an edge switch
facing Torix (Toronto Internet Exchange - www.torix.net).

We've been having an issue for quite a while where the Torix switch
will shut down our port because we're leaking packets with a MAC
address other than the one we've got registered with the exchange.

We have an outbound ACL on the port:

Policy: torix
entry allowonlybr0 {
    if match all {
        ethernet-source-address 00:22:83:32:d7:19 ;
    }
    then {
        permit ;
    }
}
entry denyall {
    if match all {
        ethernet-source-address 00:00:00:00:00:00 mask 00:00:00:00:00:00 ;
    }
    then {
        deny ;
    }
}

For some reason, occasionally an ethernet frame with a different
source MAC address is leaking through the ACL.

After running it up the chain with Extreme's support, their response is:

"the cpu-forwarded and cpu-generated packets are not blocked by an Egress ACL"
This basically makes the switch unusable at Torix, as they auto shut
your port for 60 minutes if you leak any MAC addresses other than the
one you've registered.

Anyone have any ideas, or do we just junk all our Extreme switches
and start over?

---

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409

_______________________________________________
extreme-nsp mailing list
extreme-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/extreme-nsp
Re: ACL Issue
Hello Clayton,

I am thinking of the following:

1/ Can TORIX share the MAC address(es) which they detected and blocked?
Good to have the timestamps as well.

2/ I am currently not in my office to access my lab switches. If I am not
wrong, we can only count but cannot syslog on both terms,
allowonlybr0 and denyall?

3/ Does the issue happen at a certain time of the day? e.g. lunch hours,
off-peak hours, etc.

I feel that once we have inputs for Point 1/, we can investigate further,
e.g. insert a term to explicitly deny this MAC and count it, placed as the 2nd
entry. We can then check with TAC why this MAC doesn't fall into entry
denyall.

My 2 cents' worth.
On 22 Jul, 2014 6:43 am, "Clayton Zekelman" <clayton@mnsi.net> wrote:

Re: ACL Issue
I don't have the info myself, but I can get it
from the person who opened the ticket with
Extreme when he gets back in the office later
today. I do know that multiple MAC addresses
have leaked from various parts of our network,
and the times are variable (sometimes in the
middle of the night, sometimes during the afternoon, etc.)

Torix has given us packet captures which we've
forwarded to TAC. TAC said that the ACLs don't
block all CPU forwarded or generated packets, and
this is expected behavior, so there is no resolution.

Their suggestion was to put another switch
between us and Torix, with another ACL in order to filter the traffic....

I suspect they're going to close our ticket at
this point. This is a real pain, as we have 10
of the Summit switches and two Black Diamond
switches set up in a ring. Changing to a new
vendor is expensive and time consuming.


At 09:20 PM 21/07/2014, Changjie wrote:


---

Clayton Zekelman
Managed Network Systems Inc. (MNSi)
3363 Tecumseh Rd. E
Windsor, Ontario
N8W 1H4

tel. 519-985-8410
fax. 519-985-8409
Re: ACL Issue
On 22.07.2014 16:28, Clayton Zekelman wrote:

Hello Clayton,

I think the main point is this info -> "all CPU forwarded or generated packets".

Can you share the config for this port or the VLANs on this port? Maybe a network topology?

You can also check the following:

1) By default Extreme has EDP enabled on all ports - disable edp ports all if you don't use it

2) Do you use CDP or STP? By default these are disabled in EXOS

3) By default IGMP is running in all VLANs - if you don't use it: disable igmp vlan x, disable igmp snooping vlan x, disable igmp proxy-query vlan x, configure igmp router-alert transmit off vlan x

4) If you have configured an IP address in the Torix VLAN, the switch probably sends ARP packets (they are generated by the CPU)


Best regards
--
Jarek Kasjaniuk
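A small offline triage script for the captures Torix provides, added here as an example (it is not code from the thread, from Extreme or from Torix): it parses a classic pcap, lists every frame whose source MAC is not the registered one together with its timestamp and a rough protocol label, so each leak can be matched against the CPU-generated protocols discussed above (ARP, IGMP, EDP/STP). The sample capture and the two non-registered source MACs in it are constructed for the demo.

```python
import struct
from collections import Counter
REGISTERED_MAC = "00:22:83:32:d7:19"   # MAC registered with the exchange (from the thread)
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}   # classic pcap magic -> byte order

def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)   # 6 raw bytes -> aa:bb:cc:dd:ee:ff

def classify(frame):
    """Rough protocol label, enough to recognise control-plane traffic in a leak."""
    etype = struct.unpack("!H", frame[12:14])[0]
    if etype <= 1500:                       # 802.3 length field: LLC/SNAP (STP, EDP, ...)
        return "802.3/LLC"
    if etype == 0x0806:
        return "ARP"
    if etype == 0x0800:                     # IPv4: protocol byte at IP header offset 9
        return {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP"}.get(frame[23], f"IPv4/{frame[23]}")
    return f"ethertype 0x{etype:04x}"

def read_pcap(data):
    """Yield (timestamp, frame) from a classic libpcap file in either byte order."""
    end = PCAP_MAGIC[struct.unpack("<I", data[:4])[0]]   # KeyError if not a classic pcap
    off = 24                                # skip the 24-byte global header
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _ = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len

def leaked_frames(data, registered=REGISTERED_MAC):
    """Every frame whose source MAC differs from the registered one: (ts, src, protocol)."""
    return [(ts, fmt_mac(f[6:12]), classify(f))
            for ts, f in read_pcap(data) if len(f) >= 14 and fmt_mac(f[6:12]) != registered]

def leak_summary(data, registered=REGISTERED_MAC):
    """Counts per (source MAC, protocol): the list to take back to TAC."""
    return Counter((src, kind) for _, src, kind in leaked_frames(data, registered))
# Constructed sample capture (not a real Torix capture): one legitimate TCP frame, then
# an ARP and an IGMP frame from two made-up source MACs, to exercise the code above.
def _frame(src, etype, payload):
    return b"\xff" * 6 + bytes.fromhex(src.replace(":", "")) + struct.pack("!H", etype) + payload
def _pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # global header, linktype 1
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1405980000 + i, 0, len(f), len(f)) + f
    return out
SAMPLE_PCAP = _pcap([
    _frame(REGISTERED_MAC, 0x0800, bytes([0x45]) + bytes(8) + bytes([6]) + bytes(30)),
    _frame("00:04:96:11:22:33", 0x0806, bytes(28)),
    _frame("00:04:96:aa:bb:cc", 0x0800, bytes([0x46]) + bytes(8) + bytes([2]) + bytes(30)),
])
```

Run `leak_summary(open("torix.pcap", "rb").read())` on a real capture to get the (MAC, protocol) pairs; an ARP or IGMP entry points at a CPU-generated source on the switch itself rather than a host behind it.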
