MAC address ACL


Userlevel 1
Hello,

I am designing a MAC address ACL which protects a host with a KNOWN MAC address plugged into the switch.

Could you please advise whether the following ebtables config is correct or not?

e.g. Only allow the host with MAC address 00:00:aa:bb:cc:12 to access in/out

--------------------
cat /etc/cumulus/acl/policy.d/swp1macacl.rule

[ebtables]
-A FORWARD -i swp1 -s 00:00:aa:bb:cc:12 -d any -j ACCEPT
-A FORWARD -i swp1 -j DROP
--------------------

command to deploy:

sudo cl-acltool -i -P /etc/cumulus/acl/policy.d/swp1macacl.rule

Thanks!

6 replies

Userlevel 5
I don't have time to test it at the moment but it looks correct at first blush. I generally recommend applying all rules via the generic "cl-acltool -i" logic because the technique above is not additive IIRC.
Userlevel 1
Hello,

I recently did a deployment test but it does not seem to work.

The output is as follows:

=====
Processing rules in file /etc/cumulus/acl/policy.d/macacl.rules ...Installing acl policy
error: cmd '/sbin/ebtables --atomic-file /tmp/.acl.26411/ebtables.restore.filter -A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -d any -j ACCEPT
' failed with the following error:
(Problem with specified destination mac 'any'.)
Rolling back ..
failed.
======

and the ACL rule:

===
[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -d any -j ACCEPT
-A FORWARD -i swp34 -j DROP
====

How can I fix it?

Thanks!
Userlevel 3
Just remove the "-d any" from the entry. If the destination is not defined, "any" is assumed.
Userlevel 1
Hello,

It can be deployed after removing -d any. But it does not function as needed.

I would like to configure the ACL to only allow the host with MAC address 00:c4:7a:54:a4:77, which is connected to swp34, in/out.

Thanks!
Userlevel 3
Please describe what is not working. Is it working in one direction? It sounds like you are trying to do the equivalent of port-security. I would need to test this, but I expect that to only allow forwarding to/from a specific MAC, you would specify the following rules:
[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
-A FORWARD -o swp34 -d 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -o swp34 -j DROP
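As an added check that is not part of this thread or of Cumulus Linux itself, the following script lints a policy fragment for the two issues raised above: the literal `-d any` that ebtables rejects at deploy time (the option should simply be omitted), and an allow-list that only covers ingress on a port (`-i`) without the matching egress rule (`-o`), which leaves one direction unfiltered or unreachable. It parses only the option subset used in the thread (`-A`, `-i`, `-o`, `-s`, `-d`, `-j`); the three sample policies are the ones posted above and the MAC addresses come from the thread.

```python
"""Lint a [ebtables] policy fragment for the problems discussed in the thread:
the unsupported '-d any' / '-s any' literal, malformed MAC addresses, a MAC
allow-list that covers only one direction, and a missing or misplaced
catch-all DROP. Added example; not Cumulus or cl-acltool code."""
import re
from dataclasses import dataclass

MAC_RE = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$")


@dataclass
class Rule:
    chain: str = ""   # -A
    in_if: str = ""   # -i
    out_if: str = ""  # -o
    src: str = ""     # -s
    dst: str = ""     # -d
    target: str = ""  # -j
    raw: str = ""


def parse_rule(line: str) -> Rule:
    """Parse the ebtables option subset used in the thread (-A/-i/-o/-s/-d/-j)."""
    flags = {"-A": "chain", "-i": "in_if", "-o": "out_if",
             "-s": "src", "-d": "dst", "-j": "target"}
    toks = line.split()
    rule = Rule(raw=line)
    i = 0
    while i < len(toks):
        if toks[i] not in flags:
            raise ValueError(f"unsupported token {toks[i]!r} in: {line}")
        if i + 1 >= len(toks):
            raise ValueError(f"option {toks[i]} has no value in: {line}")
        setattr(rule, flags[toks[i]], toks[i + 1])
        i += 2
    if not rule.chain or not rule.target:
        raise ValueError(f"rule needs both -A and -j: {line}")
    return rule


def parse_policy(text: str) -> list[Rule]:
    """Return the rules under the [ebtables] header; other sections are ignored."""
    rules, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[ebtables]"
            continue
        if in_section:
            rules.append(parse_rule(line))
    return rules


def lint_policy(text: str) -> list[str]:
    """Return a list of findings; an empty list means the fragment passed."""
    findings = []
    rules = parse_policy(text)
    if not rules:
        return ["no rules found under an [ebtables] header"]
    # 1. Syntax ebtables rejects: 'any' as a MAC, or something that is not a MAC.
    for r in rules:
        for opt, val in (("-s", r.src), ("-d", r.dst)):
            if val.lower() == "any":
                findings.append(f"'{opt} any' is rejected by ebtables; omit the option: {r.raw}")
            elif val and not MAC_RE.match(val):
                findings.append(f"'{opt} {val}' is not a MAC address: {r.raw}")
    # 2. Directional coverage: an ingress ACCEPT for (port, MAC) needs the egress twin.
    allowed: dict[tuple[str, str], set[str]] = {}
    for r in rules:
        if r.target != "ACCEPT":
            continue
        if r.in_if and r.src:
            allowed.setdefault((r.in_if, r.src.lower()), set()).add("in")
        if r.out_if and r.dst:
            allowed.setdefault((r.out_if, r.dst.lower()), set()).add("out")
    for (port, mac), dirs in sorted(allowed.items()):
        if "in" in dirs and "out" not in dirs:
            findings.append(f"{mac} on {port}: ingress allowed but no '-o {port} -d {mac} -j ACCEPT'")
        if "out" in dirs and "in" not in dirs:
            findings.append(f"{mac} on {port}: egress allowed but no '-i {port} -s {mac} -j ACCEPT'")
    # 3. Each filtered direction needs a catch-all DROP, placed after its ACCEPTs.
    ports = {r.in_if for r in rules if r.in_if} | {r.out_if for r in rules if r.out_if}
    for port in sorted(ports):
        for opt, attr in (("-i", "in_if"), ("-o", "out_if")):
            idx = [i for i, r in enumerate(rules) if getattr(r, attr) == port]
            accepts = [i for i in idx if rules[i].target == "ACCEPT"]
            drops = [i for i in idx if rules[i].target == "DROP"
                     and not rules[i].src and not rules[i].dst]
            if accepts and not drops:
                findings.append(f"'{opt} {port}': no catch-all DROP, so other MACs still pass")
            elif accepts and drops and min(drops) < max(accepts):
                findings.append(f"'{opt} {port}': catch-all DROP precedes an ACCEPT that is never reached")
    return findings


# Sample policies copied from the thread above (constructed test input).
POLICY_WITH_ANY = """[ebtables]
-A FORWARD -i swp1 -s 00:00:aa:bb:cc:12 -d any -j ACCEPT
-A FORWARD -i swp1 -j DROP
"""
POLICY_INGRESS_ONLY = """[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
"""
POLICY_BOTH_WAYS = """[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
-A FORWARD -o swp34 -d 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -o swp34 -j DROP
"""

if __name__ == "__main__":
    for name, text in (("with -d any", POLICY_WITH_ANY),
                       ("ingress only", POLICY_INGRESS_ONLY),
                       ("both directions", POLICY_BOTH_WAYS)):
        print(f"== {name} ==")
        for f in lint_policy(text) or ["ok"]:
            print("  " + f)
```

Run it against a policy file before `cl-acltool -i` to catch the deploy-time rejection and the one-way rule set early. It is a syntax and coverage check only: it cannot tell whether the port is actually a bridge member, and the ebtables FORWARD chain only sees frames that the bridge forwards, so a rule set that lints clean can still have no effect on a port that is not bridged.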
Userlevel 1
Hello,

I tested again recently but still have a problem with the deployment.

My purpose is that the host with MAC address "00:c4:7a:54:a4:77" connected to port swp34 is allowed in/out. Any other MAC address will be denied.

If I apply like following:
[ebtables]
-A FORWARD -i swp34 -s 00:aa:bb:cc:dd:ee -j ACCEPT
-A FORWARD -i swp34 -j DROP

I would suppose the host connected to swp34 is not able to access in/out.
But the result is the same: it is still able to access.

If I apply like following

[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
-A FORWARD -o swp34 -d 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -o swp34 -j DROP

The result is that the host on swp34 is not able to access, but I expected the host connected to swp34 to be allowed in/out.

Could you please check and advise?

Thanks!
