ACL in EXOS

  • 0
  • 1
  • Question
  • Updated 3 months ago
  • Answered
  • (Edited)
Hi expert,
I write an ACL and apply it to port 39 to deny all other traffic(only permit 2 host), but the deny not work. Could you please help to check the problem?

host1 ip 168.175.203.52
host1 mac D8:9D:67:F3:B3:2D

host2 ip 168.175.203.53

host2 mac 24:BE:05:E2:14:3B

Entry ipmac-52        {
        If      {                                    
                        Source-address 168.175.203.52/32;
                        ethernet-source-address D8:9D:67:F3:B3:2D;
        } then  {
                        Permit;
                        Count syn;      
        }
}
Entry ipmac-53        {
        If      {                                
  Source-address 168.175.203.53/32;
  ethernet-source-address 24:BE:05:E2:14:3B;
        } then  {
                        Permit;
                        Count syn;      
        }
}
Entry ipmac-54        {
        If      {          &n bsp;                         
  Source-address 168.175.203.54/32;
                        ethernet-source-address 2C:41:38:4F:66:9B;
        } then  {
                        Permit;
                        Count syn;      
        }
}
Entry ipmac-55        {
 &nb sp;      If      {                                    
  Source-address 168.175.203.55/32;
                        ethernet-source-address 24:BE:05:E2:00:F5;
        } then  {
                        Permit;
                        Count syn;      
  ;       }
}
Entry ipmac-56        {
        If      {                                    
  Source-address 168.175.203.56/32;
  ethernet-source-address 00:19:B9:05:4A:E4;
        } then  {
                        Permit;
                         Count syn;      
        }
}

Entry default   {
        If      {
                        source-address 0.0.0.0/0          
        } then  {
                        Deny;
                        Count default;
                }
}

configure access-list ipmac-fangfa ports 39 ingress
Photo of Tim Smith

Tim Smith

  • 224 Points 100 badge 2x thumb

Posted 3 months ago

  • 0
  • 1
Photo of Paul Thornton

Paul Thornton

  • 1,424 Points 1k badge 2x thumb
Hi

I have seen problems in the past when using L2 and L3 in the same ACL.

Try just filtering MAC addresses, or IP addresses - but not both.

Paul.
Photo of Tim Smith

Tim Smith

  • 224 Points 100 badge 2x thumb
Thanks Paul. But Extreme offical support to match all (both mac and ip), is it correct?
Photo of Tim Smith

Tim Smith

  • 224 Points 100 badge 2x thumb
Is someone could help on this?
Photo of Peter

Peter

  • 958 Points 500 badge 2x thumb
are both devices behind Port 39 (with a miniswitch)?
Photo of Tim Smith

Tim Smith

  • 224 Points 100 badge 2x thumb
yes, both device behind port 39 through an access switch
Photo of Peter

Peter

  • 958 Points 500 badge 2x thumb
read your answer and find the issue... ;-)
traffic between 2 host on a miniswitch doesn't reach the xos switch... it's directly switched/forwardet on access/mini-switch and never reach the ACL on XOS-Switch
Photo of Tim Smith

Tim Smith

  • 224 Points 100 badge 2x thumb
But I deny any at the end entry of the ACL. The traffic from 2 hosts should be deny at the end of the ACL.

Entry default   {
        If      {
                        source-address 0.0.0.0/0          
        } then  {
                        Deny;
                        Count default;
                }
}
Photo of Sushruth Sathyamurthy

Sushruth Sathyamurthy, Employee

  • 784 Points 500 badge 2x thumb
Hi Tim,

As Peter had mentioned, if the traffic between the hosts do not reach the xos switch and are switched in the device connected to port 39, then the ACL would not work. Is this the case?
Photo of Paul Thornton

Paul Thornton

  • 1,424 Points 1k badge 2x thumb
I'm still confused why you are using both MAC addresses and IP addresses in this filter.

Does it work if you remove all of the ethernet-source-address lines?

Paul.
Photo of Tim Smith

Tim Smith

  • 224 Points 100 badge 2x thumb
I just want to increase the network security because both IP and MAC could be change by user. Not sure is there some mistake for my idea.