[acl] Add ACL rules to allow BGP traffic #796
liat-grozovik merged 1 commit into sonic-net:master from wangxin:acl-rules
Conversation
The current set of ACL rules will block BGP traffic. All the routes learned via BGP will time out after the ACL rules are loaded. Then there is no route for the PTF injected packets. Packets accepted by ACL rules would not be forwarded anyway. This update is to add two ACL rules to allow BGP traffic. Signed-off-by: Xin Wang <[email protected]>
stcheng
left a comment
Why was this not the case before? I wonder if a COPP rule already allows BGP traffic to get trapped to the CPU?
@andriymoroz-mlnx can you review as well and reply to the question above? Was there a change which caused it, or was this somehow missed?
Previously we did not have egress ACLs and did not send traffic through the switch.
@stcheng ACL rules are handled earlier than trap. At least this is the design of the Mellanox platform. When the PTF script is executed, IP routes learned via BGP may not have expired yet. That's the reason the PTF script can sometimes pass. However, the PTF script always failed after the switch rebooted with ACL rules saved in config DB, according to test results on my side. Not sure how the script results from your side look.
So if the ACLs are applied, the BGP sessions will expire? Is that the case?
@andriymoroz-mlnx is this the case only for egress ACLs, or for both ingress ACLs and egress ACLs?
@stcheng Yes, BGP sessions will expire if the ACLs are applied. I think it is the same case for both ingress and egress ACLs.
Which rule is blocking the BGP traffic? Can you identify it? It looks like you added the BGP rule at the end, which usually means the lowest priority, so how do we expect the rule to take effect?
@lguohan The DEFAULT_RULE blocks all IP traffic. It is automatically created when adding any ACL rule. And its priority is always the lowest, lower than the BGP rules I added.
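As an added illustration (not code from this PR or from sonic-mgmt), the Python model below evaluates packets against ACL_RULE entries the way the comment above describes: among the rules that match, the one with the highest PRIORITY value wins regardless of its position in the table, and the auto-created DEFAULT_RULE at the lowest priority drops all IP traffic unless a higher-priority FORWARD rule matches first. The table name, rule names, priority values and the shape of the two BGP rules (TCP source or destination port 179) are constructed assumptions, not the PR's actual rule file.

```python
# Constructed ACL_RULE entries in config DB shape ("TABLE|RULE" -> fields).
# DEFAULT_RULE is the auto-created lowest-priority rule: it matches every IPv4
# packet, so without a higher-priority FORWARD rule, BGP (TCP/179) is dropped.
BASE_RULES = {
    "DATAACL|DEFAULT_RULE": {"PRIORITY": "1", "PACKET_ACTION": "DROP",
                             "ETHER_TYPE": "2048"},
}

# Assumed shape of the two added rules: forward TCP with source or destination
# port 179 at a PRIORITY above every other rule in the table.
BGP_RULES = {
    "DATAACL|RULE_BGP_SRC": {"PRIORITY": "10000", "PACKET_ACTION": "FORWARD",
                             "IP_PROTOCOL": "6", "L4_SRC_PORT": "179"},
    "DATAACL|RULE_BGP_DST": {"PRIORITY": "10000", "PACKET_ACTION": "FORWARD",
                             "IP_PROTOCOL": "6", "L4_DST_PORT": "179"},
}

META = {"PRIORITY", "PACKET_ACTION"}  # rule fields that are not match criteria


def rule_matches(rule, pkt):
    """Every match field of the rule must equal the packet's header field."""
    return all(pkt.get(field) == int(value)
               for field, value in rule.items() if field not in META)


def evaluate(rules, pkt):
    """Return (rule name, action): the matching rule with the highest PRIORITY wins."""
    hits = [(int(r["PRIORITY"]), key, r["PACKET_ACTION"])
            for key, r in rules.items() if rule_matches(r, pkt)]
    if not hits:
        return None, "FORWARD"  # nothing matched: the table does not drop it
    _, key, action = max(hits)  # position in the table is irrelevant
    return key.split("|")[1], action


def bgp_packet(src_port, dst_port):
    """Constructed IPv4/TCP header fields for one direction of a BGP session."""
    return {"ETHER_TYPE": 2048, "IP_PROTOCOL": 6,
            "L4_SRC_PORT": src_port, "L4_DST_PORT": dst_port}


def bgp_allowed(rules):
    """True only if both directions of a BGP session (TCP/179) are forwarded."""
    return all(evaluate(rules, bgp_packet(s, d))[1] == "FORWARD"
               for s, d in ((179, 40000), (40000, 179)))
```

Running `bgp_allowed(BASE_RULES)` reproduces the failure discussed here (DEFAULT_RULE drops both directions), while `bgp_allowed({**BASE_RULES, **BGP_RULES})` shows the two higher-priority rules winning.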
@lguohan can you please review? We would like to have the ACL test back in the daily regression, and it is currently not passing.
Made to 201811 branch on 2/28/2019
Description of PR
Summary:
Fixes # (issue)
Approach
How did you do it?
Add two ACL rules to always allow BGP traffic.
How did you verify/test it?
Tested on Mellanox platform.