Create ACL for specific ELRP vlan
‎12-05-2016 12:08 PM
Hello,
We have configured a dedicated ELRP VLAN and configured this VLAN tagged on all ports.
We would like to secure this VLAN to allow only EDP/ELRP packets.
Can anyone help with setting up an ACL which allows only EDP/ELRP packets?
We think the source MAC address which should be allowed is 00:E0:2B:00:00:01 (EDP).
Would this be correct?
vi ELRP-FILTER.pol
entry EDP-ELRP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
    } then {
        copy-cpu-and-drop;
    }
}
entry DROPALL {
    if {
    } then {
        deny;
    }
}
configure access-list ELRP-FILTER vlan elrp_vlan ingress
Kind regards,
Frank van der Veen
‎12-12-2016 04:02 PM
Hi Frank, this rule should affect only EDP and not ELRP.
ELRP packets use the switch MAC for source and destination (for destination it's the switch MAC with the first bit = 1)
Do you want to block ARP packets as well?
Could you please confirm what you are trying to accomplish? Just allow ELRP and block everything else, including EDP and ARP?
Thanks
‎04-25-2019 06:27 AM
Hi Henrique,
I want to block ELRP packets on the ports towards my firewall. Would this ACL do this, or is something to be corrected here?
entry detect-elrp {
    if {
        # 00:04:96 = ELRP prefix
        ethernet-destination-address 01:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    } then {
        deny;
    }
}
Thanks,
Flavio.
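Henrique's point above (a source-MAC match on 00:e0:2b:00:00:01 catches EDP but not ELRP, whose source is the switch MAC) and Flavio's masked destination match can both be checked by simulating first-match evaluation of the posted entries. The block below is an added example, not code from this thread or from Extreme. It assumes that a mask bit of 1 means "compare this bit" (the way Flavio's entry uses it), that EXOS forwards a frame matching no entry, and it uses an invented switch MAC (00:04:96:12:34:56) and constructed sample frames.

```python
"""First-match simulation of the L2 ACL entries posted in this thread.

Added example, not code from the original thread or from EXOS itself: it models
only what the posted entries use (ethernet-source-address / ethernet-destination-address
with an optional mask, first matching entry wins) and runs them over constructed frames.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FULL_MASK = b"\xff" * 6


def mac(text: str) -> bytes:
    """'00:e0:2b:00:00:01' -> six raw bytes."""
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC address: {text!r}")
    return bytes(int(o, 16) for o in octets)


def fmt(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class MacMatch:
    value: bytes
    mask: bytes = FULL_MASK  # assumption: mask bits set to 1 are compared, as Flavio's entry uses it

    def matches(self, addr: bytes) -> bool:
        return all((a & m) == (v & m) for a, v, m in zip(addr, self.value, self.mask))


@dataclass(frozen=True)
class Entry:
    name: str
    action: str                      # permit, deny or copy-cpu-and-drop, as written in the .pol file
    src: Optional[MacMatch] = None   # None = no condition; both None is the empty `if { }` catch-all
    dst: Optional[MacMatch] = None

    def matches(self, frame: bytes) -> bool:
        dst, src = frame[0:6], frame[6:12]
        return (self.src is None or self.src.matches(src)) and (
            self.dst is None or self.dst.matches(dst))


def evaluate(policy: List[Entry], frame: bytes) -> Tuple[str, str]:
    """Return (entry name, action) for the first matching entry. A frame that matches
    no entry is forwarded unchanged by EXOS, which is why Frank's policy needs the
    explicit DROPALL entry at the end."""
    for entry in policy:
        if entry.matches(frame):
            return entry.name, entry.action
    return "<no match>", "permit"


def elrp_destination(switch_mac: str) -> str:
    """Destination MAC of an ELRP frame as Henrique describes it: the switch MAC with
    its first bit (the I/G bit, 0x01 of the first octet) set."""
    raw = bytearray(mac(switch_mac))
    raw[0] |= 0x01
    return fmt(bytes(raw))


def frame(dst: str, src: str, type_or_len: int, payload: bytes = b"") -> bytes:
    """Minimal Ethernet frame; only the two addresses are inspected here."""
    return mac(dst) + mac(src) + type_or_len.to_bytes(2, "big") + payload


def run(policy: List[Entry], frames: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    return {name: evaluate(policy, f) for name, f in frames.items()}


# Frank's policy, as posted above.
FRANK = [
    Entry("EDP-ELRP", "copy-cpu-and-drop", src=MacMatch(mac("00:e0:2b:00:00:01"))),
    Entry("DROPALL", "deny"),
]

# Flavio's entry, as posted above (OUI-only match through the mask).
FLAVIO = [
    Entry("detect-elrp", "deny",
          dst=MacMatch(mac("01:04:96:01:01:01"), mac("ff:ff:ff:00:00:00"))),
]

# Constructed sample frames. The switch MAC is invented; the EDP addresses are the
# ones the thread assumes; the ARP frame stands in for ordinary host traffic.
SWITCH_MAC = "00:04:96:12:34:56"
FRAMES = {
    "edp":  frame("00:e0:2b:00:00:00", "00:e0:2b:00:00:01", 0x0040),
    "elrp": frame(elrp_destination(SWITCH_MAC), SWITCH_MAC, 0x0040),
    "arp":  frame("ff:ff:ff:ff:ff:ff", "52:54:00:12:34:56", 0x0806),
}

if __name__ == "__main__":
    for label, policy in (("Frank", FRANK), ("Flavio", FLAVIO)):
        for name, (entry, action) in run(policy, FRAMES).items():
            print(f"{label:6} {name:5} -> {entry:12} {action}")
```

Running it shows the two behaviours discussed in the thread: under Frank's policy the constructed ELRP frame never reaches the EDP-ELRP entry (its source is the switch MAC, not 00:e0:2b:00:00:01) and falls through to DROPALL along with ARP, while Flavio's masked entry denies any frame whose destination starts with 01:04:96 and leaves everything else untouched.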
‎12-12-2016 03:43 PM
Hello Henrique, Paul,
Thank you for helping.
We have created the following ACL, which seems to do the job in our lab so far:
entry EDP-ELRP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
    } then {
        copy-cpu-and-drop;
    }
}
entry DROPALL {
    if {
    } then {
        deny;
    }
}
configure access-list ELRP-FILTER vlan elrp_vlan ingress
Frank
‎12-05-2016 02:58 PM
Hello Frank
You could try creating a protocol-based VLAN, which will only send packets that are the particular EtherType or SNAP.
I think EDP/ELRP is 0xaa but do a sniffer trace to make sure. Once you have that you can create protocol and then use that value.
See if that works
P