Layer 2 ACL

Created: Nov 17, 2019 04:00:45 | Latest reply: Nov 18, 2019 02:26:53
  Rewarded Hi-coins: 5 (problem resolved)

Hi Experts,


I have several access switches connected to a central distribution switch. The SVI is configured on the distribution switch. Now I want to configure a Layer 2 ACL on the access switch, so that the source MAC only has access to 8.8.8.8 and all other services are dropped.


Software Version V200R011C10SPC600


Here is the configuration I have done:

acl number 4070
 rule 10 permit source-mac 4889-e79c-54e1
acl number 3070
 rule 10 permit ip destination 8.8.8.8 0.0.0.0
 rule 30 deny ip
traffic-filter inbound acl 4070 acl 3070

##############################

But the problem is that all traffic is being dropped for that source MAC. I have also shared the simplified configuration of the switch (excluding the new config).


Note: On the distribution switch more than 70 VLANs are created, so I had to apply the ACL globally rather than specifying it under the VLAN interface.


Featured Answers
chenhui (Admin), created Nov 18, 2019 02:26:53

@BRACNet hello,
When a Layer 2 ACL and a Layer 3 ACL are configured simultaneously, the matching logic between them is OR, not AND. So with your configuration, traffic with source MAC 4889-e79c-54e1 or with destination address 8.8.8.8 will be passed through.

By the way, there is another error in your configuration.
acl number 3070
 rule 10 permit ip destination 8.8.8.8 0.0.0.0
 rule 30 deny ip
ACL 3070 only allows traffic to 8.8.8.8, and it is configured in the system view, in which case the return traffic from the host 8.8.8.8 will be blocked by the switch.
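To make the two points in this answer concrete, here is an added example (not code from the original post and not Huawei's own ACL implementation): a small Python model of first-match ACL evaluation that runs the posted rule set against both directions of a ping to 8.8.8.8. Because traffic-filter is applied inbound in the system view, the echo reply arriving from the uplink (source 8.8.8.8, destination the host) is evaluated by ACL 3070 as well, matches no permit rule and falls through to rule 30 deny ip. Everything beyond the posted rules is the example's own assumption: the host IP 10.0.0.5, the gateway MAC 0000-5e00-0101 and the second destination 1.1.1.1 are constructed; packets that match no rule are forwarded; "or" means a permit in either ACL forwards the packet (the reading given in this answer) and "and" means any matching deny drops it (what the poster expected); and the extra rule 20 permit ip source 8.8.8.8 0.0.0.0 is a suggested addition for the return direction, not a rule from the thread.

```python
"""Added example, not from the original post or from Huawei's VRP code.

A first-match ACL model used to walk the posted rule set through both
directions of a ping to 8.8.8.8.  A stateless filter applied inbound in
the system view sees the echo request from the host AND the echo reply
coming back from the uplink; the reply has source 8.8.8.8, matches no
permit rule in ACL 3070 and falls through to `rule 30 deny ip`.

Assumptions (not from the thread): unmatched packets are forwarded;
"or" = a permit in either ACL forwards the packet; "and" = any matching
deny drops it; all addresses except 8.8.8.8 and 4889-e79c-54e1 are made up.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class Rule:
    action: str                        # "permit" or "deny"
    src_mac: Optional[str] = None      # Layer 2 ACL (4000-4999) field
    src_ip: Optional[str] = None       # "addr wildcard", as written in VRP
    dst_ip: Optional[str] = None


def _ip_matches(spec: str, ip: str) -> bool:
    """Wildcard mask semantics: 0 bits must match, 1 bits are don't-care."""
    addr, wildcard = spec.split()
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(ip)) & care)


def _rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_mac is not None and rule.src_mac.lower() != pkt.src_mac.lower():
        return False
    if rule.src_ip is not None and not _ip_matches(rule.src_ip, pkt.src_ip):
        return False
    if rule.dst_ip is not None and not _ip_matches(rule.dst_ip, pkt.dst_ip):
        return False
    return True


def acl_decision(rules: list, pkt: Packet) -> Optional[str]:
    """First matching rule (ascending rule number) wins; None if nothing matches."""
    for rule in rules:
        if _rule_matches(rule, pkt):
            return rule.action
    return None


def traffic_filter(pkt: Packet, l2_rules: list, l3_rules: list, logic: str) -> str:
    """Verdict for `traffic-filter inbound acl <l2> acl <l3>` under an assumed logic."""
    verdicts = [acl_decision(l2_rules, pkt), acl_decision(l3_rules, pkt)]
    if logic == "or" and "permit" in verdicts:
        return "permit"
    return "deny" if "deny" in verdicts else "permit"   # unmatched packets forwarded


# The rule set from the question.
ACL_4070 = [Rule("permit", src_mac="4889-e79c-54e1")]          # rule 10
ACL_3070 = [Rule("permit", dst_ip="8.8.8.8 0.0.0.0"),           # rule 10
            Rule("deny")]                                       # rule 30 deny ip

# Same ACL with the return direction permitted; rule 20 is an added example rule.
ACL_3070_FIXED = [Rule("permit", dst_ip="8.8.8.8 0.0.0.0"),     # rule 10
                  Rule("permit", src_ip="8.8.8.8 0.0.0.0"),     # rule 20 (added)
                  Rule("deny")]                                 # rule 30 deny ip

# Constructed flows: the host's ping to 8.8.8.8, the reply, and a ping elsewhere.
HOST_MAC, GW_MAC = "4889-e79c-54e1", "0000-5e00-0101"   # gateway MAC is made up
ECHO_REQUEST = Packet(HOST_MAC, "10.0.0.5", "8.8.8.8")
ECHO_REPLY = Packet(GW_MAC, "8.8.8.8", "10.0.0.5")      # enters inbound on the uplink
OTHER_TRAFFIC = Packet(HOST_MAC, "10.0.0.5", "1.1.1.1")


def ping_survives(l3_rules: list, logic: str) -> bool:
    """True only if both directions of the ping pass the inbound filter."""
    return all(traffic_filter(p, ACL_4070, l3_rules, logic) == "permit"
               for p in (ECHO_REQUEST, ECHO_REPLY))


if __name__ == "__main__":
    for logic in ("and", "or"):
        for name, l3 in (("posted 3070", ACL_3070), ("3070 + rule 20", ACL_3070_FIXED)):
            print(f"{logic:>3} / {name:<15}: "
                  f"request={traffic_filter(ECHO_REQUEST, ACL_4070, l3, logic)} "
                  f"reply={traffic_filter(ECHO_REPLY, ACL_4070, l3, logic)} "
                  f"other={traffic_filter(OTHER_TRAFFIC, ACL_4070, l3, logic)}")
```

Under either combination logic the posted ACL 3070 drops the reply, so the ping fails; with the added source-8.8.8.8 rule the reply passes. Under the OR reading the source-MAC permit alone already forwards the host's other traffic, which is the first point of this answer. The model does not decide which logic the device actually applies; it only shows what each reading implies for the posted rules.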

All Answers
Popeye_Wang (Admin), created Nov 17, 2019 05:21:17

Hi,
If ACL 3070 is cancelled, does this policy work?

BRACNet, created Nov 17, 2019 09:52:04
No, it does not work, as the main condition is under ACL 3070. I want the host machine to be able to ping only 8.8.8.8; everything else should be dropped.
E.DR_91 (MVE), created Nov 17, 2019 13:00:53

