Create ACL for specific ELRP vlan

Hello,

We have configured an ELRP-dedicated VLAN and configured this VLAN tagged on all ports.
We would like to secure this vlan to allow only EDP /ELRP packets.
Can anyone help with setting up an ACL which allows only EDP/ELRP packets?

We think the source MAC address which should be allowed is 00:E0:2B:00:00:01 (EDP)


Would this be correct:

vi ELRP-FILTER.pol

entry EDP-ELRP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
    } then {
        copy-cpu-and-drop;
    }
}

entry DROPALL {
    if {
    } then {
        deny;
    }
}

configure access-list ELRP-FILTER vlan elrp_vlan ingress

Kind regards,

Frank van der Veen

Frank Veen

Henrique, Employee

Hi Frank, please see below an example for EDP, ELRP and a Deny_all rule:

entry Allow_EDP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
        ethernet-destination-address 00:e0:2b:00:00:00;
    } then {
        permit;
        count permit_EDP;
    }
}
entry Allow_ELRP {
    if {
        ethernet-source-address 00:04:96:01:01:01 mask ff:ff:ff:00:00:00;
        ethernet-destination-address 01:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    } then {
        permit;
        count permit_ELRP;
    }
}

The deny_all rule also affects ARP packets. That means if you have to allow ARP packets into that VLAN, you should add a permit rule for "ethernet-type 0x0806".

I would recommend you try these rules in a lab first.

Paul Russo, Alum

Hello Frank

You could try creating a protocol-based VLAN, which will only send packets that are the particular EtherType or SNAP.

I think EDP/ELRP is 0xaa, but do a sniffer trace to make sure. Once you have that, you can create a protocol and then use that value.

See if that works

P

Frank Veen

Hello Henrique, Paul,

Thank you for helping.

We have created the following ACL, which seems to do the job in our lab so far:

entry EDP-ELRP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
    } then {
        copy-cpu-and-drop;
    }
}

entry DROPALL {
    if {
    } then {
        deny;
    }
}

configure access-list ELRP-FILTER vlan elrp_vlan ingress

Frank

Henrique, Employee

Hi Frank, this rule should affect only EDP and not ELRP.

ELRP packets use the switch MAC for source and destination (for the destination it's the switch MAC with the first bit = 1).

Do you want to block ARP packets as well?

Could you please confirm what you are trying to accomplish? Just allow ELRP and block everything else, including EDP and ARP?

Thanks
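To make Henrique's point concrete, here is an added example (not code from the thread or from Extreme Networks): a small Python first-match evaluator for the MAC conditions in the two policies posted above, run over constructed EDP and ELRP frames. The switch MAC 00:04:96:aa:bb:cc and the "src"/"dst" field names are made-up sample values of this example.

```python
# Added example, not from the thread: a first-match evaluator for the
# ethernet-source-address / ethernet-destination-address conditions used in
# the EXOS policy entries above, with the optional masks from Henrique's reply.
FULL = "ff:ff:ff:ff:ff:ff"  # unmasked compare: every bit of the MAC must match

def mac_to_int(mac):
    """'00:e0:2b:00:00:01' -> 0x00e02b000001."""
    return int(mac.replace(":", ""), 16)

def mac_matches(value, spec, mask=FULL):
    """Masked compare: only the bits set in the mask are compared."""
    m = mac_to_int(mask)
    return (mac_to_int(value) & m) == (mac_to_int(spec) & m)

def evaluate(policy, frame):
    """Entries are tried top to bottom; the first whose conditions all hold
    decides. Returns (entry name, action), or ("none", "no match") when no
    entry matched, which is why both policies end with an explicit catch-all."""
    for name, conditions, action in policy:
        if all(mac_matches(frame[field], spec, mask) for field, spec, mask in conditions):
            return name, action
    return "none", "no match"

# Frank's policy: match the EDP source MAC only, then a catch-all deny.
FRANK_POLICY = [
    ("EDP-ELRP", [("src", "00:e0:2b:00:00:01", FULL)], "copy-cpu-and-drop"),
    ("DROPALL", [], "deny"),
]

# Henrique's policy: EDP by exact MACs, ELRP by a 3-byte (OUI) mask, then deny all.
HENRIQUE_POLICY = [
    ("Allow_EDP", [("src", "00:e0:2b:00:00:01", FULL),
                   ("dst", "00:e0:2b:00:00:00", FULL)], "permit"),
    ("Allow_ELRP", [("src", "00:04:96:01:01:01", "ff:ff:ff:00:00:00"),
                    ("dst", "01:04:96:01:01:01", "ff:ff:ff:00:00:00")], "permit"),
    ("Deny_all", [], "deny"),
]

# Constructed sample frames (Ethernet header fields only). The switch MAC
# 00:04:96:aa:bb:cc is made up; ELRP carries the sending switch's own MAC.
EDP_FRAME = {"src": "00:e0:2b:00:00:01", "dst": "00:e0:2b:00:00:00"}
ELRP_FRAME = {"src": "00:04:96:aa:bb:cc", "dst": "01:04:96:aa:bb:cc"}
OTHER_FRAME = {"src": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff"}

if __name__ == "__main__":
    for label, frame in [("EDP", EDP_FRAME), ("ELRP", ELRP_FRAME), ("other", OTHER_FRAME)]:
        print(label, "Frank:", evaluate(FRANK_POLICY, frame),
              "Henrique:", evaluate(HENRIQUE_POLICY, frame))
```

Under Frank's policy the ELRP frame falls through to DROPALL because its source is the switch MAC, not 00:e0:2b:00:00:01; under Henrique's policy the OUI mask lets Allow_ELRP match it.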