EtherType 0x0030

I am implementing a tight ACL policy for our storage (NFS) VLAN.
Basically the idea is to allow only needed stuff, and block the rest.

The last drop rule matches EtherType: 0x0030 frames.
What are those? Seems something XOS related.

vobelic


Posted 2 years ago


Alexandr P, Embassador

Hello!

Where and how can you see that these packets have EtherType 0x0030?

Thank you!

vobelic

Just figured out that those frames are actually ELRP configured on sw2.
Now my question is, how to allow elrp and edp frames using ACL?

My setup, two switches connected:

sw1 (x670-48x stacked on 16.1.3.6 patch1-9 with ACL applied on vlan 3226)
and
sw2 (X480-48t on 15.3.1.4 patch1-7)

I've enabled only certain addresses and protocols and finally added a drop_all rule at the end on sw1:

entry drop_all {
    if {
    }
    then {
        count denied-non_nfs;
        mirror-cpu;
        log;
        deny;
    }
}

configure access-list storage_nfs vlan "VLAN_3226-STORAGE_NET1_168_226" ingress

Basically logs on sw1 show:
09/21/2016 10:20:12.94 <Info:Kern.Card.Info> Slot-1: 00:04:96:xx:xx:xx -> 01:04:96:xx:xx:xx EtherType: 0x0030
09/21/2016 10:20:12.94 <Info:Kern.Card.Info> Slot-1: 66-byte packet from 1:43 (vlanId=3226) matches rule drop_all

The 00:04:96:xx:xx:xx MAC is switch sw2.

Henrique, Employee

Hi,

I'm not quite sure that etype 0x0030 is related to ELRP, even if it is listed in the access-list log.

I would try the following permit rules for EDP and ELRP:

entry Allow_EDP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
        ethernet-destination-address 00:e0:2b:00:00:00;
    } then {
        permit;
        count permit_EDP;
    }
}
entry Allow_ELRP {
    if {
        ethernet-source-address 00:04:96:01:01:01 mask ff:ff:ff:00:00:00;
        ethernet-destination-address 01:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    } then {
        permit;
        count permit_ELRP;
    }
}

Also, you can try adding "ethernet-type 0x0030" to the ELRP rule, but I don't think this will work.

Let us know if that works for you.

vobelic

I'll try this when I find some spare time.

And it's definitely ELRP, as there are no more entries on sw1 when I disable ELRP on sw2.
Why is it seeing ethertype 0x0030 is another thing...

Henrique, Employee

I have made a quick test creating an ACL to count etype 0x0030 for ELRP enabled uplinks and didn't see any increment.

That's interesting...

Grosjean, Stephane, Employee

Hi,

After some digging, here's the explanation:

For ELRP, if the VLAN is tagged, the EtherType is 0x8100.

If the VLAN is untagged, the 16-bit VLAN header portion is stripped and 0x0030 shows up where EtherType would have been. However, 0x0030 is really the data length, not EtherType.