
managed switch - Rule for filter based on mac address

Grossel

Well-Known Member
Hi.

The company I work for has bought some Hitachi 500NMD64 managed switches for a project. There is a star network consisting of 4 locations, and the fourth location is owned by another company. Because of this, my boss has asked me to put a MAC filter on the switch (on one particular port) to ensure that only the device that is supposed to be connected to that port is able to communicate through the switch.

This is what I've done so far (extract from running-config). For the test, I'm using two laptops with known MAC addresses and wifi turned off. The laptop that is supposed to communicate has MAC address 10- . . . . . . -06, and each test is run twice, with the laptops swapped between connections. When no rules are set, the laptops can ping each other through the switch.


Test 1
access-list 1 permit-rule 1 mac destination not 10- . . . . . . -06
access-list 1 permit-rule 2 mac source not 10- . . . . . . -06
set switch port3 acl 1

Result: fail. All traffic seems to get through (both 10- . . . . . . -06 and other devices with different MAC addresses).


Test 2
access-list 1 deny-rule 1 mac destination 10- . . . . . . -06
access-list 1 deny-rule 2 mac source 10- . . . . . . -06
set switch port3 acl 1

Result: fail. All traffic seems to get through (both 10- . . . . . . -06 and other devices with different MAC addresses).


Test 3
access-list 1 deny-rule 1 mac destination not 10- . . . . . . -06
set switch port3 acl 1

Result: fail. This rule causes the device with MAC 10- . . . . . . -06 to be blocked. I didn't test the other laptop, so I don't know if other devices get blocked as well.


So, here is the problem: due to schedule, I wasn't able to test more rules, but I do suspect that I'm getting closer after test 3.


Does anybody have experience with these products and know how to set a MAC filtering rule to achieve the wanted behaviour: only one device with a specific MAC address is able to send traffic through that port on the switch?
 

eTech

Well-Known Member

Hi
I've had a lot of experience with Cisco switches, not Hitachi, but will give it a try.

This is what I came up with after RTFM; however, you should be physically near the switch in case the port is accidentally cut off.

The valid device is MAC aaa.bbb.ccc, connected to Ethernet port 3, for the commands below.
The following should deny all MAC addresses unless the source or destination MAC is aaa.bbb.ccc.

# determine the access lists currently assigned to port3
# Command:

show access-list
....
....

# remove existing access list(s) (replace {1-16} with the specific acl number)
# Command:

clear switch port3 acl {1-16} in

# Command:

clear switch port3 acl {1-16} out

# verify existing access list(s) removed
# Command:

show access-list

# create access-list number 1 and deny rule 1 (assumes acl 1 is not already used)
# that denies all inbound mac traffic except aaa.bbb.ccc
# Command:

access-list 1 deny-rule 1 mac source not aaa.bbb.ccc

# create access-list number 2 and deny rule 1 (assumes acl 2 is not already used)
# that denies all outbound mac traffic except aaa.bbb.ccc
# Command:

access-list 2 deny-rule 1 mac destination not aaa.bbb.ccc

# apply access-list 1 to filter all inbound packets on port3
# except aaa.bbb.ccc
# Command:

set switch port3 acl 1 in

# apply access-list 2 to filter all outbound packets on port3
# except aaa.bbb.ccc
# Command:

set switch port3 acl 2 out

# verify access list(s) is applied
# Command:

show access-list
....
....
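The procedure above hinges on which direction each list is applied in, and on whether the switch filters on source or destination for that direction. The Python model below is an added example (not from the thread or from any Hitachi documentation) that evaluates the thread's Test 1, Test 3 and the proposed two-list setup against constructed MAC addresses. Its semantics are assumptions about the switch: rules are checked in order, the first match decides, a frame matching no rule is forwarded (implicit permit), "in" means frames entering the switch on the filtered port and "out" means frames leaving it, and broadcast frames are matched by the same rules as unicast. All addresses are made up; GOOD stands in for the thread's elided 10- . . . . . . -06 device.

```python
"""Toy model of a per-port MAC access list (added example, not switch vendor code).

Assumed semantics: first matching rule wins, implicit permit when nothing matches,
"in" = frames entering the switch on the filtered port, "out" = frames leaving it.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed addresses for the simulation.
GOOD = "10:00:00:00:00:06"         # stands in for the thread's permitted device
OTHER = "aa:bb:cc:dd:ee:ff"        # an unauthorised laptop plugged into the same port
PEER = "de:ad:be:ef:00:01"         # a host elsewhere in the star network
BROADCAST = "ff:ff:ff:ff:ff:ff"    # Ethernet broadcast (ARP requests, DHCP discover)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    field: str             # "source" or "destination"
    mac: str
    negate: bool = False   # True models the CLI's "not" keyword

    def matches(self, src: str, dst: str) -> bool:
        value = src if self.field == "source" else dst
        hit = value.lower() == self.mac.lower()
        return hit != self.negate


def evaluate(rules: List[Rule], src: str, dst: str) -> str:
    """First-match evaluation with an implicit permit at the end (assumption)."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action
    return "permit"


def can_talk(inbound: List[Rule], outbound: List[Rule], attached: str, peer: str = PEER) -> bool:
    """True if a device with MAC `attached` on the filtered port completes a round trip
    with `peer`: its own frames pass the inbound list, the replies pass the outbound list."""
    request_ok = evaluate(inbound, attached, peer) == "permit"
    reply_ok = evaluate(outbound, peer, attached) == "permit"
    return request_ok and reply_ok


# Test 1 from the thread: permit-only rules. Under an implicit permit they block nothing.
TEST1_IN = [Rule("permit", "destination", GOOD, negate=True),
            Rule("permit", "source", GOOD, negate=True)]

# Test 3 from the thread: a destination filter applied to ingress. The permitted device's
# own frames are addressed to other hosts, so the rule drops them.
TEST3_IN = [Rule("deny", "destination", GOOD, negate=True)]

# The proposal above: filter on source inbound, on destination outbound.
PROPOSED_IN = [Rule("deny", "source", GOOD, negate=True)]
PROPOSED_OUT = [Rule("deny", "destination", GOOD, negate=True)]


def summary() -> Dict[str, bool]:
    """Which device can still reach PEER under each rule set, plus one side effect."""
    return {
        "test1_good": can_talk(TEST1_IN, [], GOOD),
        "test1_other": can_talk(TEST1_IN, [], OTHER),
        "test3_good": can_talk(TEST3_IN, [], GOOD),
        "test3_other": can_talk(TEST3_IN, [], OTHER),
        "proposed_good": can_talk(PROPOSED_IN, PROPOSED_OUT, GOOD),
        "proposed_other": can_talk(PROPOSED_IN, PROPOSED_OUT, OTHER),
        # Side effect of the egress destination filter: broadcast frames from the
        # rest of the network (e.g. an ARP request for GOOD) never leave the port.
        "proposed_broadcast_out": evaluate(PROPOSED_OUT, PEER, BROADCAST) == "permit",
    }


if __name__ == "__main__":
    for name, ok in summary().items():
        print(f"{name:24} {'passes' if ok else 'blocked'}")
```

Under these assumptions the permit-only lists of Test 1 block nothing, the ingress destination filter of Test 3 drops the permitted device's own frames (which matches what was observed), and the source-in/destination-out pair admits only the intended address. Two caveats worth checking on the real switch: an exact-match egress destination rule also drops broadcast and multicast frames toward the protected device, so ARP and DHCP from the far side need to be verified after applying it; and a MAC address is chosen by the attached host, so anyone at the third-party location can clone the permitted address. The filter guards against the wrong device being plugged in, it does not authenticate the device; where the switch supports 802.1X or a learned-address port-security mode, that is the stronger control.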
 

Grossel

Well-Known Member
OK, yes, thank you very much for this idea of splitting the rules and instead using two ACLs, each with one rule. However, I must test whether it's possible to add more than one ACL to each port.

In practice I have to wait at least 3 months before I'm able to test this, so if I don't mark this thread as solved, that is why.
 
