Why is a specific ARP packet still filtered by a MAC ACL on the ECS4100 series even though the rule permits the source MAC of the ARP packet?
Model:
ECS4100 series
Firmware version:
ECS4100 series V1.2.4.173
Simulation scenario:
1. Prepare two types of ARP packets.
A. The sender MAC address in the ARP header is different from the source MAC address in the Ethernet header.

B. The sender MAC address in the ARP header is the same as the source MAC address in the Ethernet header.

2. Configure a MAC ACL to permit the source MAC address of the ARP packet and deny all other packets.
Console(config)#access-list mac test
Console(config-mac-acl)#permit host 0C-C4-7A-06-FB-11 any
Console(config-mac-acl)#deny any any
3. Apply this MAC ACL to the ingress of port 1.
Console(config)#interface ethernet 1/1
Console(config-if)#mac access-group test in
4. Inject these two ARP packets into port 1. The switch forwards ARP packet B, but the MAC ACL filters ARP packet A.
Root Cause:
This is chipset behavior.
For ARP packets, the MAC ACL inspects the sender MAC address in the ARP header instead of the source MAC address in the Ethernet header.
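The root cause above, modelled as an added example (not Edgecore code or switch firmware): it parses an ARP frame, reports which MAC field the ACL "test" is matched against, and flags frames whose two fields differ. It assumes untagged frames and that both test packets carry the permitted host as Ethernet source; the second MAC, the IP addresses and all function names are constructed for illustration.

```python
import struct

PERMITTED = "0C-C4-7A-06-FB-11"  # host permitted by ACL "test" on this page
OTHER = "02-00-00-00-00-AA"      # constructed MAC, not from the page

def mac_bytes(mac):
    return bytes.fromhex(mac.replace("-", ""))

def mac_str(raw):
    return "-".join(f"{b:02X}" for b in raw)

def build_arp_request(eth_src, arp_sender):
    """Constructed sample frame: untagged broadcast ARP request."""
    eth = b"\xff" * 6 + mac_bytes(eth_src) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)        # Ethernet/IPv4, request
    arp += mac_bytes(arp_sender) + bytes([192, 0, 2, 1])   # sender MAC / IP
    arp += b"\x00" * 6 + bytes([192, 0, 2, 2])             # target MAC / IP
    return eth + arp

def acl_match_mac(frame):
    """Model of the described behavior: ARP frames are matched on the
    ARP sender MAC, all other frames on the Ethernet source MAC."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == 0x0806 and len(frame) >= 14 + 28:
        return mac_str(frame[22:28])   # sender hardware address (ARP header)
    return mac_str(frame[6:12])        # source MAC (Ethernet header)

def acl_test(frame):
    """Evaluate: permit host 0C-C4-7A-06-FB-11 any / deny any any."""
    return "permit" if acl_match_mac(frame) == PERMITTED else "deny"

def describe(frame):
    eth_src = mac_str(frame[6:12])
    matched = acl_match_mac(frame)
    return {"eth_src": eth_src, "matched_on": matched,
            "mismatch": eth_src != matched, "action": acl_test(frame)}

if __name__ == "__main__":
    packet_a = build_arp_request(PERMITTED, OTHER)      # type A: fields differ
    packet_b = build_arp_request(PERMITTED, PERMITTED)  # type B: fields equal
    for name, frame in (("A", packet_a), ("B", packet_b)):
        print(name, describe(frame))
```

The `mismatch` flag is the condition to look for in a capture when an ARP packet from a permitted host is unexpectedly dropped by a MAC ACL.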