MAC address ACL

  • 18 April 2017
  • 5 replies
  • 452 views

Userlevel 1
Hello,

I am designing a MAC address ACL which protects the switch by only allowing a host with a KNOWN MAC address to plug into it.

Could you please advise whether the following ebtables config is correct or not?

e.g. only allow the host with MAC address 00:00:aa:bb:cc:12 in/out

--------------------
cat /etc/cumulus/acl/policy.d/swp1macacl.rule

[ebtables]
-A FORWARD -i swp1 -s 00:00:aa:bb:cc:12 -d any -j ACCEPT
-A FORWARD -i swp1 -j DROP
--------------------

command to deploy:

sudo cl-acltool -i -P /etc/cumulus/acl/policy.d/swp1macacl.rule

Thanks!

5 replies

Userlevel 3
Please describe what is not working. Is it working in one direction? It sounds like you are trying to do the equivalent of port security. I would need to test this, but I expect that to only allow forwarding to/from a specific MAC, you would specify the following rules:
[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -i swp34 -j DROP
-A FORWARD -o swp34 -d 00:c4:7a:54:a4:77 -j ACCEPT
-A FORWARD -o swp34 -j DROP
Userlevel 5
I don't have time to test it at the moment but it looks correct at first blush. I generally recommend applying all rules via the generic "cl-acltool -i" logic because the technique above is not additive IIRC.
Userlevel 3
Just remove the "-d any" from the entry. If the destination is not defined, "any" is assumed.
Userlevel 1
Hello,

I recently did a deployment test, but it does not look like it works.

The following is the output:

=====
Processing rules in file /etc/cumulus/acl/policy.d/macacl.rules ...Installing acl policy
error: cmd '/sbin/ebtables --atomic-file /tmp/.acl.26411/ebtables.restore.filter -A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -d any -j ACCEPT
' failed with the following error:
(Problem with specified destination mac 'any'.)
Rolling back ..
failed.
======

and the ACL rule:

===
[ebtables]
-A FORWARD -i swp34 -s 00:c4:7a:54:a4:77 -d any -j ACCEPT
-A FORWARD -i swp34 -j DROP
====

How can I fix it?

Thanks!
Userlevel 1
Hello,

It can be deployed after removing -d any, but it does not function as needed.

How can I configure the ACL to only allow the host with MAC address 00:c4:7a:54:a4:77, which is connected to swp34, in and out?

Thanks!
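The bidirectional rule set from the Userlevel 3 reply above, generated by a small script, as an added example that is not from the original thread or from Cumulus Networks. It answers the last question (pin swp34 to 00:c4:7a:54:a4:77) and also rejects a non-MAC destination such as "any" before it ever reaches ebtables, which is the error the deployment output shows. The function names, the MAC validation, and the `.rules` file suffix under /etc/cumulus/acl/policy.d are this example's assumptions; the rule file format and the `[ebtables]` section header are the ones used in the thread.

```shell
#!/bin/sh
# Generate a cl-acltool policy file that pins one switch port to a single
# known MAC address in both directions. Added example, not from the thread
# or from Cumulus documentation. Assumed: policy directory and .rules suffix.

# A MAC address is six colon-separated hex octets; anything else (e.g. "any")
# is rejected, since ebtables does not accept keywords in -s/-d.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the [ebtables] section for port $1 and MAC $2.
# Ingress (-i): accept frames sourced from the MAC, drop all other frames
# entering the port. Egress (-o): accept frames destined to the MAC, drop
# all other frames leaving the port. Rules are evaluated in order, so the
# ACCEPT lines must precede the DROP lines.
mac_acl_rules() {
    port=$1
    mac=$2
    valid_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    cat <<EOF
[ebtables]
-A FORWARD -i $port -s $mac -j ACCEPT
-A FORWARD -i $port -j DROP
-A FORWARD -o $port -d $mac -j ACCEPT
-A FORWARD -o $port -j DROP
EOF
}

# Write the policy into the directory cl-acltool reads; the directory is a
# parameter so the script can be exercised outside a switch.
write_mac_acl() {
    port=$1
    mac=$2
    dir=${3:-/etc/cumulus/acl/policy.d}
    mac_acl_rules "$port" "$mac" > "$dir/${port}macacl.rules"
}

# Example invocation (hypothetical host on swp34, taken from the thread):
#   write_mac_acl swp34 00:c4:7a:54:a4:77
#   sudo cl-acltool -i
```

After writing the file, install it with the generic `sudo cl-acltool -i`, which (as the Userlevel 5 reply notes) loads everything under the policy directory rather than replacing the active rules with a single file. Two caveats a practitioner should keep in mind: these rules sit in the ebtables FORWARD chain, so they only govern frames bridged through the switch, not frames addressed to the switch's own IP stack (those traverse INPUT/OUTPUT); and a source MAC is trivially spoofable, so this is port pinning, not host authentication.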
