Why the specific ARP packet is still filtered by MAC ACL on ECS4100 series even the rule permits source MAC of ARP packet ? – Edgecore Help Center

Model:

ECS4100 series

Firmware version:

ECS4100 series V1.2.4.173

Simulation scenario:

1. Prepare two types of ARP packets.

A. The sender MAC address of ARP header is different from source MAC address of Ethernet header.

B. The sender MAC address of ARP header is the same as source MAC address of Ethernet header.

2. Configure MAC ACL to permit the source MAC address of ARP packet and deny other packets.

Console(config)#access-list mac test
Console(config-mac-acl)#permit host 0C-C4-7A-06-FB-11 any
Console(config-mac-acl)#deny any any

3. Apply this MAC ACL to ingress of port 1.

Console(config)#interface ethernet 1/1
Console(config-if)#mac access-group test in

4. Inject these two ARP packets to the port 1. Thus, the switch forwards B-ARP packet but filter A-ARP packet by MAC ACL.

Root Cause:

This is chipset behavior.

MAC ACL inspect sender MAC address of ARP header instead of source MAC address of Ethernet header for ARP packets.

Why the specific ARP packet is still filtered by MAC ACL on ECS4100 series even the rule permits source MAC of ARP packet ? Follow