Create ACL for specific ELRP vlan
12-05-2016 12:08 PM
Hello,
We have configured a dedicated ELRP VLAN and configured this VLAN tagged on all ports.
We would like to secure this VLAN to allow only EDP/ELRP packets.
Can anyone help with setting up an ACL which allows only EDP/ELRP packets?
We think the source MAC address which should be allowed is 00:E0:2B:00:00:01 (EDP).
Would this be correct:

vi ELRP-FILTER.pol

entry EDP-ELRP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
    } then {
        copy-cpu-and-drop;
    }
}
entry DROPALL {
    if {
    } then {
        deny;
    }
}

configure access-list ELRP-FILTER vlan elrp_vlan ingress
Kind regards,
Frank van der Veen
5 REPLIES
12-05-2016 12:46 PM
Hi Frank, please see below an example for EDP, ELRP and a Deny_all rule:
entry Allow_EDP {
    if {
        ethernet-source-address 00:e0:2b:00:00:01;
        ethernet-destination-address 00:e0:2b:00:00:00;
    } then {
        permit;
        count permit_EDP;
    }
}
entry Allow_ELRP {
    if {
        ethernet-source-address 00:04:96:01:01:01 mask ff:ff:ff:00:00:00;
        ethernet-destination-address 01:04:96:01:01:01 mask ff:ff:ff:00:00:00;
    } then {
        permit;
        count permit_ELRP;
    }
}

For the deny_all rule, it also affects ARP packets. That means if you have to allow ARP packets into that VLAN you should add a permit rule for "ethernet-type 0x0806".
I would recommend you try these rules in a lab first.
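The following Python script is an added example and is not code from this thread or from any Extreme Networks tool. It models first-match evaluation of the reply's two permit entries followed by a deny-all entry, so that the effect of the OUI masks and of the ARP caveat can be checked against constructed sample frames before the policy is loaded on a switch. The assumed semantics are that entries are evaluated in order, the first matching entry decides, and a frame that matches no entry is permitted; the frame values, the `Allow_ARP` entry and the helper names are constructed for the example.

```python
"""Offline simulation of the Layer-2 ACL discussed in the thread.

Constructed example (not from the forum post or any Extreme Networks tool).
Assumed semantics: first matching entry wins; no match means permit.
"""
from dataclasses import dataclass
from typing import Optional

FULL_MASK = "ff:ff:ff:ff:ff:ff"
OUI_MASK = "ff:ff:ff:00:00:00"


def mac_to_int(mac: str) -> int:
    """Parse aa:bb:cc:dd:ee:ff into an integer."""
    return int(mac.replace(":", ""), 16)


@dataclass
class MacMatch:
    address: str
    mask: str = FULL_MASK          # exact match unless a mask is given

    def matches(self, mac: str) -> bool:
        m = mac_to_int(self.mask)
        return mac_to_int(mac) & m == mac_to_int(self.address) & m


@dataclass
class Entry:
    name: str
    action: str                    # "permit" or "deny"
    src: Optional[MacMatch] = None
    dst: Optional[MacMatch] = None
    ethertype: Optional[int] = None

    def matches(self, frame: dict) -> bool:
        if self.src and not self.src.matches(frame["src"]):
            return False
        if self.dst and not self.dst.matches(frame["dst"]):
            return False
        if self.ethertype is not None and frame["type"] != self.ethertype:
            return False
        return True                # an entry with no conditions matches everything


def evaluate(policy: list, frame: dict) -> tuple:
    """Return (entry name, action) of the first match, or (None, 'permit')."""
    for entry in policy:
        if entry.matches(frame):
            return entry.name, entry.action
    return None, "permit"


def summarize(policy: list, frames: dict) -> dict:
    """Map each sample frame name to the action the policy takes on it."""
    return {name: evaluate(policy, frame)[1] for name, frame in frames.items()}


def render(policy: list) -> str:
    """Emit the entries in the policy-file syntax used in the thread."""
    out = []
    for e in policy:
        conds = []
        for key, m in (("ethernet-source-address", e.src),
                       ("ethernet-destination-address", e.dst)):
            if m:
                conds.append(f"{key} {m.address}"
                             + (f" mask {m.mask}" if m.mask != FULL_MASK else ""))
        if e.ethertype is not None:
            conds.append(f"ethernet-type 0x{e.ethertype:04x}")
        out += [f"entry {e.name} {{", "    if {"]
        out += [f"        {c};" for c in conds]
        out += ["    } then {", f"        {e.action};", "    }", "}"]
    return "\n".join(out)


# The reply's two permit entries; the deny-all and ARP entries are constructed here.
BASE_POLICY = [
    Entry("Allow_EDP", "permit",
          MacMatch("00:e0:2b:00:00:01"), MacMatch("00:e0:2b:00:00:00")),
    Entry("Allow_ELRP", "permit",
          MacMatch("00:04:96:01:01:01", OUI_MASK),
          MacMatch("01:04:96:01:01:01", OUI_MASK)),
]
DENY_ALL = Entry("Deny_all", "deny")
ALLOW_ARP = Entry("Allow_ARP", "permit", ethertype=0x0806)
POLICY_STRICT = BASE_POLICY + [DENY_ALL]
POLICY_WITH_ARP = BASE_POLICY + [ALLOW_ARP, DENY_ALL]

# Constructed sample frames; the type value is not matched by the MAC-only entries.
FRAMES = {
    "edp":   {"src": "00:e0:2b:00:00:01", "dst": "00:e0:2b:00:00:00", "type": 0x0000},
    "elrp":  {"src": "00:04:96:aa:bb:cc", "dst": "01:04:96:12:34:56", "type": 0x0000},
    "arp":   {"src": "00:11:22:33:44:55", "dst": "ff:ff:ff:ff:ff:ff", "type": 0x0806},
    "ipv4":  {"src": "00:11:22:33:44:55", "dst": "00:66:77:88:99:aa", "type": 0x0800},
    # Extreme OUI as source but a unicast destination: not ELRP, must be denied.
    "spoof": {"src": "00:04:96:de:ad:01", "dst": "00:66:77:88:99:aa", "type": 0x0800},
}

if __name__ == "__main__":
    print(render(POLICY_WITH_ARP))
    for label, pol in (("no deny", BASE_POLICY), ("strict", POLICY_STRICT),
                       ("with ARP", POLICY_WITH_ARP)):
        print(label, summarize(pol, FRAMES))
```

Running it shows the three points the thread raises: without a trailing deny entry every sample frame is permitted, with the deny entry the ARP frame is dropped alongside ordinary IPv4 traffic, and the OUI mask admits any ELRP host under 00:04:96 while still rejecting a frame that only spoofs the source OUI.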
