ACL for CobraNet traffic, Ethernet protocol identifier (0x8819)


Userlevel 2
I work for an audio engineering company and thus have audio engineers constantly plugging the wrong things into the wrong ports and introducing various traffic to my network. I'd like to put an ACL together to limit CobraNet traffic to one particular vlan only instead of having it constantly show up on desktop vlan(s).

The Ethernet Protocol Identifier is 0x8819; I just don't know how to write an ACL using that information to catch the traffic.

5 replies

Userlevel 3
Hello Ron,



There are two ways to implement this:

If you use a "dynamic ACL" [assuming you want to deny it on a "desktop" vlan], what you could do is

# create the ACL rule
create access-list Cobranet-deny "ethernet-type 0x8819;" "count cobranet-pkt; deny;"

# for each desktop vlan
configure access-list add "Cobranet-deny" first vlan "Desktop" ingress

X670-48x.8 # sh access-list dynamic rule "Cobranet-deny"
entry Cobranet-deny {
    if match all {
        ethernet-type 0x8819 ;
    } then {
        count cobranet-pkt ;
        deny ;
    }
}

X670-48x.9 # sh access-list dynamic counter
Vlan Name       Port   Direction
   Counter Name                        Packet Count   Byte Count
==================================================================
*               *      ingress
   cobranet-pkt                                   0





If you use a policy file, the ACL would probably look like this:

# create a policy file
X670-48x.17 # edit policy cobranet

entry Cobranet {
    if {
        ethernet-type 0x8819;
    } then {
        deny;
        count cobranet;
    }
}

# apply the policy file to a vlan
X670-48x.14 # configure access-list cobranet vlan default

X670-48x.15 # show access-list
Vlan Name       Port   Policy Name   Dir       Rules   Dyn Rules
===================================================================
Default         *      cobranet      ingress   1       1

X670-48x.16 # show access-list counter
Policy Name     Vlan Name       Port   Direction
   Counter Name                        Packet Count   Byte Count
==================================================================
cobranet        Default         *      ingress
   cobranet                                         0





There is a good document on ACLs: https://www.extremenetworks.com/wp-content/uploads/2014/10/ACL_Solutions_Guide.pdf
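Added example (Python, not part of JS's post and not EXOS code): it emits the per-VLAN commands for the dynamic-ACL approach above for a whole list of desktop VLANs, and parses the table that "show access-list dynamic counter" prints back, so you can see on which desktop VLANs the deny rule is actually firing, which is the check you want after rolling this out. The VLAN names Desktop/Desktop2 and the packet counts are constructed, and the parser assumes the column layout quoted in the post.

```python
"""Roll out the CobraNet deny rule across desktop VLANs and read the deny
counters back. Added example; the CLI strings follow the post, the sample
'show access-list dynamic counter' output below is constructed."""
import re

COBRANET_ETYPE = 0x8819
RULE = "Cobranet-deny"
COUNTER = "cobranet-pkt"


def acl_commands(desktop_vlans):
    """EXOS CLI lines: create the deny rule once, then insert it at the head
    of the ingress ACL of every desktop VLAN (the 'for each desktop vlan'
    step from the post)."""
    cmds = [
        f'create access-list {RULE} "ethernet-type 0x{COBRANET_ETYPE:04x};" '
        f'"count {COUNTER}; deny;"'
    ]
    for vlan in desktop_vlans:
        cmds.append(
            f'configure access-list add "{RULE}" first vlan "{vlan}" ingress'
        )
    return cmds


# Constructed sample of 'show access-list dynamic counter' output for two
# desktop VLANs (not captured from a switch); the layout mirrors the post.
SAMPLE_COUNTER_OUTPUT = """\
Vlan Name       Port   Direction
   Counter Name                        Packet Count   Byte Count
==================================================================
Desktop         *      ingress
   cobranet-pkt                                 142
Desktop2        *      ingress
   cobranet-pkt                                   0
"""

# Unindented row: "<vlan> <port> <ingress|egress>"
_APPLY_ROW = re.compile(r"^(\S+)\s+(\S+)\s+(ingress|egress)\s*$")
# Indented row: "<counter> <packets> [<bytes>]"; the byte column is empty
# unless byte counting was enabled, so it is optional here.
_COUNTER_ROW = re.compile(r"^\s+(\S+)\s+(\d+)(?:\s+(\d+))?\s*$")


def parse_dynamic_counters(text):
    """Parse the table into {(vlan, port, direction): {counter: packets}}."""
    result = {}
    current = None
    for line in text.splitlines():
        m = _APPLY_ROW.match(line)
        if m:
            current = (m.group(1), m.group(2), m.group(3))
            result.setdefault(current, {})
            continue
        m = _COUNTER_ROW.match(line)
        if m and current is not None:
            result[current][m.group(1)] = int(m.group(2))
        # header, separator and blank lines match neither pattern: skipped
    return result


def vlans_with_hits(text, counter=COUNTER):
    """VLAN names whose deny counter is non-zero: someone is still plugging
    CobraNet gear into a port on that desktop VLAN."""
    return sorted(
        vlan
        for (vlan, _port, _direction), counters in parse_dynamic_counters(text).items()
        if counters.get(counter, 0) > 0
    )


if __name__ == "__main__":
    print("\n".join(acl_commands(["Desktop", "Desktop2"])))
    print("CobraNet still hitting:", vlans_with_hits(SAMPLE_COUNTER_OUTPUT))
```

Run it against real output by feeding the text of "show access-list dynamic counter" into vlans_with_hits; a VLAN that keeps showing up there is a port where an engineer has plugged CobraNet gear into the wrong jack, which is more useful to chase than the bare deny.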
Userlevel 7
Hi Ron,

I may be misunderstanding your question, but you can actually put all CobraNet traffic into one VLAN, regardless of the port.

EXOS will allow you to configure two untagged VLANs on a port, assuming at least one has a protocol filter set up. In this case, we can create a protocol filter to match CobraNet, then create a CobraNet VLAN and add all ports untagged. Then, all CobraNet traffic will get put into this VLAN, while all other traffic will go into the other untagged VLAN. An example config is below:

create protocol cobranet
configure protocol filter cobranet add etype 0x8819
create vlan cobra
create vlan other_traffic
configure vlan cobra protocol cobranet
configure vlan cobra add port all untagged
configure vlan other_traffic add port all untagged
Let me know if you have any questions.

-Brandon
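Added example (Python, not EXOS code and not from Brandon's post) of what "add etype 0x8819" actually keys on: the function below pulls the EtherType out of a raw frame, stepping over an 802.1Q tag and treating values below 0x0600 as an 802.3 length rather than a type, then models the two-untagged-VLAN assignment described above. The MAC addresses, VLAN ID 20 and the frames are constructed; the rule that a tagged frame follows its tag instead of the protocol filter is my assumption about the switch's behaviour, so confirm it against the EXOS documentation before relying on it.

```python
"""Model EtherType-based classification of Ethernet frames. Added example
with constructed frames; it is not EXOS code."""
import struct

ETYPE_COBRANET = 0x8819   # the value the thread filters on
ETYPE_VLAN = 0x8100       # 802.1Q tag protocol identifier
ETYPE_IPV4 = 0x0800
ETYPE_MIN = 0x0600        # below this the field is an 802.3 length, not a type


def ethertype(frame):
    """Return (vlan_id, ethertype) for a raw Ethernet frame.
    vlan_id is None for an untagged frame; ethertype is None when the
    field carries an 802.3 length instead of a type."""
    if len(frame) < 14:
        raise ValueError("runt frame: shorter than an Ethernet header")
    (etype,) = struct.unpack_from("!H", frame, 12)
    vid = None
    if etype == ETYPE_VLAN:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, etype = struct.unpack_from("!HH", frame, 14)
        vid = tci & 0x0FFF
    if etype < ETYPE_MIN:
        return vid, None
    return vid, etype


def classify(frame, protocol_vlan="cobra", default_vlan="other_traffic"):
    """Model protocol-based VLAN assignment on a port that is untagged in both
    'cobra' (protocol filter matching etype 0x8819) and 'other_traffic'.
    Assumption made here: a tagged frame goes to the VLAN named in its tag
    and is not examined by the protocol filter at all."""
    vid, etype = ethertype(frame)
    if vid is not None:
        return f"tagged:{vid}"
    return protocol_vlan if etype == ETYPE_COBRANET else default_vlan


def build_frame(etype, vid=None, payload=b"\x00" * 46):
    """Constructed test frame with locally administered MAC addresses."""
    dst = bytes.fromhex("020000000001")
    src = bytes.fromhex("020000000002")
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETYPE_VLAN, vid & 0x0FFF)
    return hdr + struct.pack("!H", etype) + payload


if __name__ == "__main__":
    for name, frame in [
        ("untagged CobraNet", build_frame(ETYPE_COBRANET)),
        ("untagged IPv4", build_frame(ETYPE_IPV4)),
        ("CobraNet inside a VLAN 20 tag", build_frame(ETYPE_COBRANET, vid=20)),
        ("802.3 length field", build_frame(0x0040)),
    ]:
        print(f"{name:32s} -> {classify(frame)}")
```

The same field is what the "ethernet-type 0x8819" match in the dynamic-ACL answer tests, so this is also a quick way to sanity-check a capture from a desktop port: any frame for which ethertype() returns 0x8819 is one the ACL or the protocol filter should have caught.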
Userlevel 7
Hi Ron, were you able to get this working with JS or Brandon's suggestions?
Userlevel 2
Worked perfectly with JS' suggestion, should have commented on that 🙂
Userlevel 7
Ron Prague wrote:

Worked perfectly with JS' suggestion, should have commented on that :)

Awesome!
