Network Architecture & Design


Create ACL for specific ELRP vlan

  • 1.  Create ACL for specific ELRP vlan

    Posted 12-05-2016 12:08
    Hello,

    We have configured an ELRP-dedicated VLAN and configured this VLAN tagged on all ports.
    We would like to secure this VLAN to allow only EDP/ELRP packets.
    Can anyone help with setting up an ACL that allows only EDP/ELRP packets?

    We think the source MAC address which should be allowed is 00:E0:2B:00:00:01 (EDP)

    Would this be correct:

    vi ELRP-FILTER.pol

    # Frames sourced from the EDP MAC: copy to the CPU, drop the original.
    entry EDP-ELRP {
    if {
    ethernet-source-address 00:e0:2b:00:00:01;
    } then {
    copy-cpu-and-drop;
    }
    }

    # Catch-all: an empty match block matches every remaining frame.
    entry DROPALL {
    if {
    } then {
    deny;
    }
    }

    configure access-list ELRP-FILTER vlan elrp_vlan ingress

    Kind regards,

    Frank van der Veen


  • 2.  RE: Create ACL for specific ELRP vlan

    Posted 12-05-2016 12:46
    Hi Frank, please see below an example for EDP, ELRP and a Deny_all rule:

    # EDP: fixed source and destination MACs.
    entry Allow_EDP {
    if {
    ethernet-source-address 00:e0:2b:00:00:01;
    ethernet-destination-address 00:e0:2b:00:00:00;
    } then {
    permit;
    count permit_EDP;
    }
    }

    # ELRP: source is the switch MAC, destination the same MAC with the group bit set;
    # the mask matches only the 00:04:96 / 01:04:96 OUI, not a specific switch.
    entry Allow_ELRP {
    if {
    ethernet-source-address 00:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    ethernet-destination-address 01:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    } then {
    permit;
    count permit_ELRP;
    }
    }

    # Deny_all: an empty match block catches every frame not permitted above.
    entry Deny_all {
    if {
    } then {
    deny;
    count deny_all;
    }
    }

    The deny_all rule also affects ARP packets. That means that if you have to allow ARP packets into that VLAN, you should add a permit rule for "ethernet-type 0x0806".

    I would recommend that you try these rules in a lab first.


  • 3.  RE: Create ACL for specific ELRP vlan

    Posted 12-05-2016 14:58
    Hello Frank

    You could try creating a protocol-based VLAN, which will only forward packets that have that particular EtherType or SNAP value.

    I think EDP/ELRP is 0xaa, but do a sniffer trace to make sure. Once you have that value you can create the protocol and then use it.

    See if that works

    P



  • 4.  RE: Create ACL for specific ELRP vlan

    Posted 12-12-2016 15:43
    Hello Henrique, Paul,

    Thank you for helping.

    We have created the following ACL, which seems to do the job in our lab so far:

    # Frames sourced from the EDP MAC: copy to the CPU, drop the original.
    entry EDP-ELRP {
    if {
    ethernet-source-address 00:e0:2b:00:00:01;
    } then {
    copy-cpu-and-drop;
    }
    }

    # Catch-all: an empty match block matches every remaining frame.
    entry DROPALL {
    if {
    } then {
    deny;
    }
    }

    configure access-list ELRP-FILTER vlan elrp_vlan ingress


    Frank


  • 5.  RE: Create ACL for specific ELRP vlan

    Posted 12-12-2016 16:02
    Hi Frank, this rule should affect only EDP and not ELRP.

    ELRP packets use the switch MAC for source and destination (for the destination it's the switch MAC with the first bit = 1).

    Do you want to block ARP packets as well?

    Could you please confirm what you are trying to accomplish? Just allow ELRP and block everything else, including EDP and ARP?

    Thanks
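To make the point of replies 2 and 5 concrete, here is an added example that is not from any poster in this thread: a small Python model of first-match Layer 2 policy evaluation with MAC masks, run over constructed frames against both Frank's filter (reply 1) and Henrique's permit list (reply 2, plus the ARP permit he recommends in prose). The switch MAC 00:04:96:1a:2b:3c, the host MAC 00:11:22:33:44:55 and the type/length values are constructed for illustration, and the implicit permit for frames that match no entry is an assumption of the model, not something the thread verified.

```python
# Added example: a model of first-match Layer 2 ACL evaluation with MAC masks,
# used to show why a filter on the EDP source MAC does not match ELRP frames.
# Not an EXOS implementation; all MAC addresses and type fields are constructed.
from dataclasses import dataclass
from typing import Optional


def mac(s: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into 6 bytes."""
    parts = s.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {s}")
    return bytes(int(p, 16) for p in parts)


def masked_eq(a: bytes, b: bytes, m: bytes) -> bool:
    """Compare two MACs only in the bit positions set in the mask."""
    return all((x & z) == (y & z) for x, y, z in zip(a, b, m))


FULL_MASK = mac("ff:ff:ff:ff:ff:ff")
OUI_MASK = mac("ff:ff:ff:00:00:00")  # the 'mask ff:ff:ff:00:00:00' from the thread


@dataclass
class Frame:
    src: bytes
    dst: bytes
    ethertype: int  # 16-bit type/length field after the MAC header


@dataclass
class Match:
    """Conditions of an 'if { ... }' block; every condition present must hold."""
    src: Optional[bytes] = None
    src_mask: bytes = FULL_MASK
    dst: Optional[bytes] = None
    dst_mask: bytes = FULL_MASK
    ethertype: Optional[int] = None

    def hits(self, f: Frame) -> bool:
        if self.src is not None and not masked_eq(f.src, self.src, self.src_mask):
            return False
        if self.dst is not None and not masked_eq(f.dst, self.dst, self.dst_mask):
            return False
        if self.ethertype is not None and f.ethertype != self.ethertype:
            return False
        return True  # an empty 'if { }' block matches everything


@dataclass
class Entry:
    name: str
    match: Match
    action: str


def evaluate(policy, f):
    """First matching entry wins. Assumption: a frame matching no entry is
    forwarded, which is why the thread adds an explicit deny-all entry."""
    for e in policy:
        if e.match.hits(f):
            return e.name, e.action
    return None, "permit"


def classify(policy, frames):
    return {name: evaluate(policy, f) for name, f in frames.items()}


# Frank's filter (reply 1): matches only the EDP source MAC.
FRANK_POLICY = [
    Entry("EDP-ELRP", Match(src=mac("00:e0:2b:00:00:01")), "copy-cpu-and-drop"),
    Entry("DROPALL", Match(), "deny"),
]

# Henrique's list (reply 2) plus the ARP permit he recommends in prose.
HENRIQUE_POLICY = [
    Entry("Allow_EDP", Match(src=mac("00:e0:2b:00:00:01"),
                             dst=mac("00:e0:2b:00:00:00")), "permit"),
    Entry("Allow_ELRP", Match(src=mac("00:04:96:01:01:01"), src_mask=OUI_MASK,
                              dst=mac("01:04:96:01:01:01"), dst_mask=OUI_MASK), "permit"),
    Entry("Allow_ARP", Match(ethertype=0x0806), "permit"),
    Entry("Deny_all", Match(), "deny"),
]

# Constructed sample frames. Per reply 5, ELRP uses the switch MAC as source and
# the same MAC with the group bit set as destination; 00:04:96:1a:2b:3c is made up.
FRAMES = {
    "edp":  Frame(mac("00:e0:2b:00:00:01"), mac("00:e0:2b:00:00:00"), 0x0046),
    "elrp": Frame(mac("00:04:96:1a:2b:3c"), mac("01:04:96:1a:2b:3c"), 0x0046),
    "arp":  Frame(mac("00:11:22:33:44:55"), mac("ff:ff:ff:ff:ff:ff"), 0x0806),
    "ipv4": Frame(mac("00:11:22:33:44:55"), mac("00:aa:bb:cc:dd:ee"), 0x0800),
}

if __name__ == "__main__":
    for label, policy in (("Frank", FRANK_POLICY), ("Henrique", HENRIQUE_POLICY)):
        for kind, (entry, action) in classify(policy, FRAMES).items():
            print(f"{label:9} {kind:5} -> {entry or '(no match)'}: {action}")
```

Running it shows the ELRP frame falling through to DROPALL under Frank's filter, because its source MAC carries the switch's 00:04:96 OUI rather than the EDP address, while the same frame is permitted by Allow_ELRP under Henrique's list; the OUI mask is what lets one entry cover every switch in the domain. Flavio's later rule (reply 6) would be a further Entry with a destination-only OUI match and a deny action.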


  • 6.  RE: Create ACL for specific ELRP vlan

    Posted 04-25-2019 06:27
    Hi Henrique.
    I want to block ELRP packets on the ports towards my firewall. Would this ACL be doing this, or is there something to be corrected here?

    entry detect-elrp {
    if {
    # 00:04:96 = ELRP prefix
    ethernet-destination-address 01:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    } then {
    deny;
    }
    }

    Thanks,
    Flavio.