MAC address ACL


Userlevel 1
Hello,

I am designing a MAC address ACL which protects hosts with a KNOWN MAC address plugged into the switch.

Could you please advise whether the following ebtables config is correct or not?

e.g. Only allow a host with MAC address 00:00:aa:bb:cc:12 to access in/out

--------------------
cat /etc/cumulus/acl/policy.d/swp1macacl.rule

[ebtables]
-A FORWARD -i swp1 -s 00:00:aa:bb:cc:12 -d any -j ACCEPT
-A FORWARD -i swp1 -j DROP
--------------------

command to deploy:

sudo cl-acltool -i -P /etc/cumulus/acl/policy.d/swp1macacl.rule

Thanks!

5 replies

Userlevel 4
I don't have time to test it at the moment but it looks correct at first blush. I generally recommend applying all rules via the generic "cl-acltool -i" logic because the technique above is not additive IIRC.
Userlevel 1
Hello,

I recently did a deployment test, but it does not seem to work.

Following is the output:

=====
Processing rules in file /etc/cumulus/acl/policy.d/macacl.rules ...Installing acl policy
error: cmd '/sbin/ebtables --atomic-file /tmp/.acl.26411/ebtables.restore.filter -A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -d any -j ACCEPT
' failed with the following error:
(Problem with specified destination mac 'any'.)
Rolling back ..
failed.
======

and the ACL rule:

===
[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -d any -j ACCEPT
-A FORWARD -i swp34 -j DROP
====

How can I fix it?

Thanks!

Userlevel 3
Just remove the "-d any" from the entry. If the destination is not defined, "any" is assumed.
Userlevel 1
Hello,

It can be deployed after removing -d any, but it does not function as needed.

I would like to configure the ACL to only allow the host with MAC address 00:c4:7a:54:a4:77, which is connected to swp34, in/out.

Thanks!

Userlevel 3
Please describe what is not working. Is it working in one direction? It sounds like you are trying to do the equivalent of port-security. I would need to test this, but I expect that to only allow forwarding to/from a specific MAC, you would specify the following rules:
[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
-A FORWARD -o swp34 -d 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -o swp34 -j DROP
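
To see why the egress rules matter, here is an added example written for this thread (not code from the thread, from Cumulus or from cl-acltool): a small Python parser and first-match evaluator for the [ebtables] section of a policy file. It models only what the rules above use (-A FORWARD, -i/-o, exact -s/-d MACs, -j ACCEPT/DROP), assumes ebtables semantics (first matching rule wins, unmatched frames get the filter chain's default policy of ACCEPT), and runs four constructed frames through both the ingress-only rule set and the ingress-plus-egress rule set. The MAC addresses other than 00:c4:7a:54:a4:77 and the frames themselves are constructed for the example. It also reproduces the "-d any" rejection the poster hit, since ebtables wants a real MAC after -s/-d and expresses "any" by leaving the option out.

```python
"""Added example: parser and first-match evaluator for the [ebtables] section
of a Cumulus ACL policy file. Models only -A FORWARD, -i/-o, exact -s/-d MAC
matches and -j ACCEPT/DROP; not cl-acltool, and not the kernel."""
import re
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


@dataclass
class Rule:
    in_if: Optional[str] = None   # -i: frame entered on this bridge port
    out_if: Optional[str] = None  # -o: frame will leave on this bridge port
    src: Optional[str] = None     # -s: source MAC (None means any)
    dst: Optional[str] = None     # -d: destination MAC (None means any)
    target: str = ""              # -j: ACCEPT or DROP


def parse_mac(value: str, flag: str) -> str:
    """ebtables rejects the literal 'any' after -s/-d ("Problem with specified
    destination mac"); omitting the option is how 'any' is expressed."""
    v = value.lower()
    if v == "any":
        raise ValueError(f"'{flag} any' is not valid; omit {flag} to match any MAC")
    if not MAC_RE.match(v):
        raise ValueError(f"{flag} {value!r} is not a MAC address")
    return v


def parse_policy(text: str) -> List[Rule]:
    """Return the FORWARD rules from the [ebtables] section, in file order."""
    rules: List[Rule] = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # section header such as [ebtables]
            in_section = line == "[ebtables]"
            continue
        if not in_section:
            continue
        toks = shlex.split(line)
        if toks[:2] != ["-A", "FORWARD"] or len(toks) % 2 != 0:
            raise ValueError(f"unsupported rule: {line}")
        rule = Rule()
        for flag, val in zip(toks[2::2], toks[3::2]):
            if flag == "-i":
                rule.in_if = val
            elif flag == "-o":
                rule.out_if = val
            elif flag == "-s":
                rule.src = parse_mac(val, flag)
            elif flag == "-d":
                rule.dst = parse_mac(val, flag)
            elif flag == "-j":
                rule.target = val
            else:
                raise ValueError(f"option {flag} not modelled here")
        if rule.target not in ("ACCEPT", "DROP"):
            raise ValueError(f"rule needs -j ACCEPT or -j DROP: {line}")
        rules.append(rule)
    return rules


def is_valid_policy(text: str) -> bool:
    """True if the policy parses; False for mistakes such as '-d any'."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False


def verdict(rules: List[Rule], in_if: str, out_if: str, src: str, dst: str) -> str:
    """First-match evaluation of one bridged frame against the FORWARD chain."""
    src, dst = src.lower(), dst.lower()
    for r in rules:
        if r.in_if is not None and r.in_if != in_if:
            continue
        if r.out_if is not None and r.out_if != out_if:
            continue
        if r.src is not None and r.src != src:
            continue
        if r.dst is not None and r.dst != dst:
            continue
        return r.target
    return "ACCEPT"  # nothing matched: ebtables filter chains default to ACCEPT


# The two rule sets from the thread: ingress-only, and ingress plus egress.
INGRESS_ONLY = """[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
"""
BOTH_DIRECTIONS = INGRESS_ONLY + """-A FORWARD -o swp34 -d 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -o swp34 -j DROP
"""

KNOWN = "00:c4:7a:54:a4:77"
ROGUE = "00:c4:7a:54:a4:78"   # constructed: a MAC that is not the allowed one
PEER = "00:11:22:33:44:55"    # constructed: a host on another port, swp1

# Constructed frames: (name, in_if, out_if, src, dst)
FRAMES: List[Tuple[str, str, str, str, str]] = [
    ("known host sends out", "swp34", "swp1", KNOWN, PEER),
    ("rogue host sends out", "swp34", "swp1", ROGUE, PEER),
    ("reply to known host", "swp1", "swp34", PEER, KNOWN),
    ("frame to rogue host", "swp1", "swp34", PEER, ROGUE),
]


def compare(policy_a: str, policy_b: str) -> Dict[str, Tuple[str, str]]:
    """Verdict of each constructed frame under both policies, keyed by name."""
    ra, rb = parse_policy(policy_a), parse_policy(policy_b)
    return {name: (verdict(ra, *f), verdict(rb, *f)) for name, *f in FRAMES}


if __name__ == "__main__":
    for name, (a, b) in compare(INGRESS_ONLY, BOTH_DIRECTIONS).items():
        print(f"{name:22s} ingress-only={a:6s} both-directions={b}")
```

Under the ingress-only rules a frame from another port toward an unknown MAC on swp34 is forwarded, because no rule matches it and the chain default is ACCEPT; only the rule set with the -o swp34 pair drops it. One caveat the simulation cannot show: the ebtables FORWARD chain only sees frames bridged through the switch, so frames addressed to the switch itself are not subject to these rules, and on Cumulus the behaviour of the installed ACL should be verified on the box rather than inferred from this model.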
