Creating an ACL for an interface on a Brocade MLX

I need to create an ACL for an interface on a Brocade MLX. I only need to deny traffic from a single host, but this is turning out to be more challenging than I thought.

I created the following access list....

access-list 2 deny host aaa.bbb.ccc.ddd
access-list 2 permit any

The interface I would like to apply this access list to is not a physical interface. It is a virtual interface for a VLAN. When I enter this command at the config prompt...

Brocade(config-vif-2265)#ip access-group 2 in

I get an error telling me that the access list can not be applied to the interface because QOS is configured on this port.

I have been digging around in my Brocade documentation and I can't locate a workaround for this problem. I really need to block this host. Is there a way to use an ACL even if there is QOS on this port?
KGaudineer-Asked:

harbor235Commented:
Is it a port or a RVI?

harbor235 ;}
harbor235Commented:
Looks like there are restrictions on how the ACL is entered, try removing the QOS, add acl then add back the qos?

harbor235 ;}
KGaudineer-Author Commented:
That doesn't work.  I can remove the QOS and add the access list but when I try to add the QOS back in I get an error telling me that there is a L4 ACL on this interface and QOS can not be applied.

I have tried with a standard ACL and an extended ACL, and I still can't get the ACL applied if the interface has QOS. I am confused on why this is a problem for access lists....

harbor235Commented:
Are you applying the filter to a port or the RVI?


harbor235 ;}
harbor235Commented:
Can you post your RVI config?


harbor235 ;}
harbor235Commented:
From the MLX user guide:

"Once you configure an ACL-based rate limiting policy on a port, you cannot configure a regular (traffic filtering) ACL on the same port. To filter traffic, you must enable the strict ACL option."

http://www.brocade.com/downloads/documents/product_manuals/B_NetIron/NetIron_05600_TrafficMgmtGuide.pdf

harbor235 ;}
KGaudineer-Author Commented:
Thank you for the link. After reading through it and working with other docs from Google searches, I believe the answer to my question is…

IT CAN’T BE DONE… (IS NOT SUPPORTED)

Here’s why I think that is the answer… When QOS is applied to an interface (either virtual or physical), the QOS is taking space in C.A.M. (Content Access Memory), which is L4. A standard or extended ACL is L2 or L3 and will also need C.A.M. space to function properly. Since I have QOS L4 already in CAM, nothing lower than L4 will work; additionally, it looks as if only one filter can exist in C.A.M. So if QOS is in C.A.M., an ACL filter can not exist at the same time.

frankhelkCommented:
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I have recommended this question be closed as follows:

Accept: KGaudineer- (https:#a40713640)

If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.

frankhelk
Experts-Exchange Cleanup Volunteer