[Dual-ToR] handle 'mux_tunnel_egress_acl' attrib in order to change ACL configuration (drop on ingress/egress) on standby ToR#2646
Merged
liat-grozovik merged 1 commit intosonic-net:masterfrom Mar 1, 2023
Conversation
ayurkiv-nvda
force-pushed
the
upstream_acl_ingress_master
branch
from
13b27d7 to
e2acc5f
Compare
…CL configuration (drop on ingress/egress) on standby ToR Signed-off-by: Andriy Yurkiv <[email protected]>
ayurkiv-nvda
force-pushed
the
upstream_acl_ingress_master
branch
from
e2acc5f to
5b39055
Compare
Collaborator
|
@bingwang-ms @volodymyrsamotiy could you please help to review? |
bingwang-ms
reviewed
Feb 22, 2023
neethajohn
approved these changes
Feb 23, 2023
Collaborator
|
@bingwang-ms can you please review and approve? |
ayurkiv-nvda
added
Request for 202111 Branch
Request for 202211 Branch
and removed
Request for 202111 Branch
labels
bingwang-ms
approved these changes
Feb 27, 2023
StormLiangMS
pushed a commit
that referenced
this pull request
Mar 7, 2023
…CL configuration (drop on ingress/egress) on standby ToR (#2646) - What I did Use "mux_tunnel_ingress_acl" to set ACL rules on ingress/egress side depending on attribute value ("disabled/enabled"). - Why I did it We need to drop data-plane traffic and handle Control-plane traffic in the Dual-ToR scenario. But we can't do it on Mellanox platform and process traffic on ingress. To workaround it we can set ACL rules on egress ports, so will process control plane on ingress and drop Data-plane traffic that came from standby port on egress - How I verified it check "show mux status" on standby ToR - Mux status should be healthy. check "show what-just-happened" on standby ToR - no ICMP drop expected on standby ports. Signed-off-by: Andriy Yurkiv <[email protected]>
Contributor
|
@liat-grozovik Do we need this change in |
Janetxxx
pushed a commit
to Janetxxx/sonic-swss
that referenced
this pull request
Nov 10, 2025
…CL configuration (drop on ingress/egress) on standby ToR (sonic-net#2646) - What I did Use "mux_tunnel_ingress_acl" to set ACL rules on ingress/egress side depending on attribute value ("disabled/enabled"). - Why I did it We need to drop data-plane traffic and handle Control-plane traffic in the Dual-ToR scenario. But we can't do it on Mellanox platform and process traffic on ingress. To workaround it we can set ACL rules on egress ports, so will process control plane on ingress and drop Data-plane traffic that came from standby port on egress - How I verified it check "show mux status" on standby ToR - Mux status should be healthy. check "show what-just-happened" on standby ToR - no ICMP drop expected on standby ports. Signed-off-by: Andriy Yurkiv <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Signed-off-by: Andriy Yurkiv [email protected]
What I did
Use "mux_tunnel_ingress_acl" to set ACL rules on ingress/egress side depending on attribute value ("disabled/enabled").
Why I did it
We need to drop data-plane traffic and handle Control-plane traffic in the Dual-ToR scenario.
But we can't do it on Mellanox platform and process traffic on ingress.
To workaround it we can set ACL rules on egress ports, so will process control plane on ingress and drop Data-plane traffic that came from standby port on egress
How I verified it
check "show mux status" on standby ToR - Mux status should be healthy.
check "show what-just-happened" on standby ToR - no ICMP drop expected on standby ports.
Details if related