topic RE: ACL in EXOS in ExtremeSwitching (EXOS/Switch Engine)

ACL in EXOS

Tim_Smith1 — Tue, 22 May 2018 14:07:00 GMT

Hi expert,
I write an ACL and apply it to port 39 to deny all other traffic(only permit 2 host), but the deny not work. Could you please help to check the problem?

host1 ip 168.175.203.52
host1 mac D8:9D:67:F3:B3:2D
host2 ip 168.175.203.53

host2 mac 24:BE:05:E2:14:3B

Entry ipmac-52 {
If {
Source-address 168.175.203.52/32;
ethernet-source-address D8:9D:67:F3:B3:2D;
} then {
Permit;
Count syn;
}
}
Entry ipmac-53 {
If {
Source-address 168.175.203.53/32;
ethernet-source-address 24:BE:05:E2:14:3B;
} then {
Permit;
Count syn;
}
}
Entry ipmac-54 {
If { &n bsp;
Source-address 168.175.203.54/32;
ethernet-source-address 2C:41:38:4F:66:9B;
} then {
Permit;
Count syn;
}
}
Entry ipmac-55 {
&nb sp; If {
Source-address 168.175.203.55/32;
ethernet-source-address 24:BE:05:E2:00:F5;
} then {
Permit;
Count syn;
; }
}
Entry ipmac-56 {
If {
Source-address 168.175.203.56/32;
ethernet-source-address 00:19:B9:05:4A:E4;
} then {
Permit;
Count syn;
}
}

Entry default {
If {
source-address 0.0.0.0/0
} then {
Deny;
Count default;
}
}

configure access-list ipmac-fangfa ports 39 ingress

RE: ACL in EXOS

Paul_Thornton — Tue, 22 May 2018 15:32:00 GMT

Hi

I have seen problems in the past when using L2 and L3 in the same ACL.

Try just filtering MAC addresses, or IP addresses - but not both.

Paul.

RE: ACL in EXOS

Tim_Smith1 — Wed, 23 May 2018 18:25:00 GMT

Thanks Paul. But Extreme offical support to match all (both mac and ip), is it correct?

RE: ACL in EXOS

Tim_Smith1 — Thu, 24 May 2018 08:11:00 GMT

Is someone could help on this?

RE: ACL in EXOS

PeterK — Thu, 24 May 2018 16:41:00 GMT

are both devices behind Port 39 (with a miniswitch)?

RE: ACL in EXOS

Tim_Smith1 — Thu, 24 May 2018 16:41:00 GMT

yes, both device behind port 39 through an access switch

RE: ACL in EXOS

PeterK — Thu, 24 May 2018 16:41:00 GMT

read your answer and find the issue... 😉
traffic between 2 host on a miniswitch doesn't reach the xos switch... it's directly switched/forwardet on access/mini-switch and never reach the ACL on XOS-Switch

RE: ACL in EXOS

Tim_Smith1 — Thu, 24 May 2018 16:41:00 GMT

But I deny any at the end entry of the ACL. The traffic from 2 hosts should be deny at the end of the ACL.

Entry default {
If {
source-address 0.0.0.0/0
} then {
Deny;
Count default;
}
}

RE: ACL in EXOS

Sushruth_Sathya — Thu, 24 May 2018 16:41:00 GMT

Hi Tim,

As Peter had mentioned, if the traffic between the hosts do not reach the xos switch and are switched in the device connected to port 39, then the ACL would not work. Is this the case?

RE: ACL in EXOS

Paul_Thornton — Thu, 24 May 2018 18:22:00 GMT

I'm still confused why you are using both MAC addresses and IP addresses in this filter.

Does it work if you remove all of the ethernet-source-address lines?

Paul.

RE: ACL in EXOS

Tim_Smith1 — Thu, 24 May 2018 18:22:00 GMT

I just want to increase the network security because both IP and MAC could be change by user. Not sure is there some mistake for my idea.