ACL for CobraNet traffic, Ethernet protocol identifier (0x8819)

  • Question
  • Updated 2 years ago
  • Answered
I work for an audio engineering company and thus have audio engineers constantly plugging the wrong things into the wrong ports and introducing various traffic to my network.  I'd like to put an ACL together to limit CobraNet traffic to one particular vlan only instead of having it constantly show up on desktop vlan(s).

The Ethernet Protocol Identifier is 0x8819, I just don't know how to write an ACL using that information to catch the traffic.
Photo of Ron Prague

Ron Prague


Posted 2 years ago


JS, Employee


Hello Ron,

 

You would have two ways to implement this:

If you use “dynamic ACL” [assuming you want to deny it on a “desktop” vlan], what you could do is

# create the ACL rule
create access-list Cobranet-deny "ethernet-type 0x8819;" "count cobranet-pkt; deny;"

# for each desktop vlan
configure access-list add "Cobranet-deny" first vlan "Desktop" ingress

X670-48x.8 # sh access-list dynamic rule "Cobranet-deny"
entry Cobranet-deny {
if match all {
    ethernet-type 0x8819 ;
} then {
    count cobranet-pkt ;
    deny  ;
} }

X670-48x.9 # sh access-list dynamic counter
 Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
*                *      ingress
    cobranet-pkt                   0

If you use a policy file, the ACL would probably look like this:

# create a policy file
X670-48x.17 # edit policy cobranet
entry Cobranet {
if {
ethernet-type 0x8819;
} then {
deny ;
count cobranet;
}
}

# apply the policy file to a vlan
X670-48x.14 # configure access-list cobranet vlan default

X670-48x.15 # show access-list
Vlan Name    Port   Policy Name          Dir      Rules  Dyn Rules
===================================================================
Default      *      cobranet             ingress  1      1

X670-48x.16 # show access-list counter
Policy Name       Vlan Name        Port   Direction
    Counter Name                   Packet Count         Byte Count
==================================================================
cobranet          Default          *      ingress
    cobranet                       0

 

 

There is a good document around ACL : https://www.extremenetworks.com/wp-content/uploads/2014/10/ACL_Solutions_Guide.pdf


Brandon Clay, Escalation Support Engineer

Hi Ron, 

I may be misunderstanding your question, but you can actually put all CobraNet traffic into one VLAN, regardless of the port.

EXOS will allow you to configure two untagged VLANs on a port, assuming at least one has a protocol filter set up. In this case, we can create a protocol filter to match CobraNet, then create a CobraNet VLAN and add all ports untagged. Then, all CobraNet traffic will get put into this VLAN, while all other traffic will go into the other untagged VLAN. An example config is below:

create protocol cobranet
configure protocol filter cobranet add etype 0x8819
create vlan cobra
create vlan other_traffic
configure vlan cobra protocol cobranet
configure vlan cobra add port all untagged
configure vlan other_traffic add port all untagged

Let me know if you have any questions.

-Brandon
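To make the two suggestions in this thread concrete at the frame level, here is an added Python model (not EXOS code, and not from either answer) of what each does with an incoming frame: JS's dynamic ACL that matches ethernet-type 0x8819, counts and denies, and Brandon's protocol filter that places untagged CobraNet frames into their own VLAN. The MAC addresses and sample frames are constructed; the treatment of 802.1Q-tagged frames (the inner EtherType is matched, and a tagged frame is placed by its tag rather than by the filter) is an assumption of this model, not something the thread states.

```python
"""Frame-level model of the two approaches in this thread: JS's EtherType ACL
(match 0x8819, count, deny) and Brandon's protocol filter that sends CobraNet
into its own VLAN. Added example, not EXOS code; MAC addresses and frames are
constructed."""
import struct
from typing import Dict, List, Optional, Tuple

COBRANET_ETYPE = 0x8819   # CobraNet Ethernet protocol identifier (from the thread)
DOT1Q_ETYPE = 0x8100      # 802.1Q tag protocol identifier
IPV4_ETYPE = 0x0800
ARP_ETYPE = 0x0806


def ethertype_of(frame: bytes) -> Tuple[int, Optional[int]]:
    """Return (ethertype, vlan_id) for a raw Ethernet frame.

    If the outer type field is 0x8100 the frame carries one 802.1Q tag: the
    real EtherType follows the 4-byte tag and the VLAN ID is the low 12 bits
    of the TCI. Assumption of this model: the switch matches that inner type.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    etype = struct.unpack_from("!H", frame, 12)[0]
    if etype != DOT1Q_ETYPE:
        return etype, None
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner = struct.unpack_from("!HH", frame, 14)
    return inner, tci & 0x0FFF


class CobranetDenyAcl:
    """Mirror of the dynamic rule: if ethernet-type 0x8819 then count + deny."""

    def __init__(self) -> None:
        self.packet_count = 0
        self.byte_count = 0

    def ingress(self, frame: bytes) -> str:
        etype, _ = ethertype_of(frame)
        if etype == COBRANET_ETYPE:
            self.packet_count += 1        # the "count cobranet-pkt" action
            self.byte_count += len(frame)
            return "deny"
        return "permit"                    # no other entry: implicit permit


def protocol_vlan(frame: bytes, cobra_vlan: str = "cobra",
                  other_vlan: str = "other_traffic") -> str:
    """Mirror of the protocol filter: untagged CobraNet frames land in the
    'cobra' VLAN, other untagged frames in the second untagged VLAN.
    Assumption: a tagged frame is placed by its tag, not by the filter."""
    etype, vid = ethertype_of(frame)
    if vid is not None:
        return f"tagged:{vid}"
    return cobra_vlan if etype == COBRANET_ETYPE else other_vlan


def build_frame(etype: int, vlan_id: Optional[int] = None,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build a minimal frame with constructed, locally administered MACs."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    if vlan_id is None:
        return dst + src + struct.pack("!H", etype) + payload
    return dst + src + struct.pack("!HHH", DOT1Q_ETYPE, vlan_id, etype) + payload


# Constructed sample: two CobraNet frames (one tagged), two ordinary ones.
SAMPLE_FRAMES: List[bytes] = [
    build_frame(COBRANET_ETYPE),
    build_frame(COBRANET_ETYPE, vlan_id=10),
    build_frame(IPV4_ETYPE),
    build_frame(ARP_ETYPE, vlan_id=20),
]


def run_demo(frames: List[bytes] = SAMPLE_FRAMES) -> Dict[str, object]:
    """Apply both models and return what the ACL counter would report."""
    acl = CobranetDenyAcl()
    decisions = [acl.ingress(f) for f in frames]
    vlans = [protocol_vlan(f) for f in frames]
    return {"acl": decisions, "packet_count": acl.packet_count,
            "byte_count": acl.byte_count, "vlan": vlans}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running it shows the two CobraNet frames denied and counted (packet count 2, the byte count being the sum of their lengths) while the IPv4 and ARP frames pass, which is the same picture the `show access-list counter` output in JS's answer gives once traffic is flowing; for Brandon's approach the untagged CobraNet frame lands in `cobra` and the untagged IPv4 frame in `other_traffic`.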

Drew C., Community Manager

Hi Ron, were you able to get this working with JS or Brandon's suggestions?

Ron Prague

Worked perfectly with JS' suggestion, should have commented on that :)

Drew C., Community Manager

Awesome!