dvdlss
just joined
Topic Author
Posts: 2
Joined: Mon Apr 08, 2024 7:39 pm

filtering big local lan

Mon Apr 08, 2024 7:49 pm

Hi everyone
I have a very large LAN that I need to "filter".
I'll explain:
At some point on my LAN I installed a CRS1128G. This device has two cables connected: one to the entire network, on eth1, and one to the part of the LAN to be filtered, on sfp9.
All devices are on the same subnet.
What kind of approach would you use to allow only a pool of IPs (or MACs) to transit from sfp9 to eth1? (Obviously I created the pool.)

If I put the physical interfaces in a bridge, I can't create a bridge filter that works; all the devices continue to communicate.

thanks in advance
 
mkx
Forum Guru
Posts: 11683
Joined: Thu Mar 03, 2016 10:23 pm

Re: filtering big local lan

Mon Apr 08, 2024 9:46 pm

Since both ports connect devices in the same subnet, they clearly have to be in the same bridge.

But: a simple bridge (no VLANs, etc.) is by default offloaded to hardware, so bridge filters can't catch traffic (the bridge is executed by the CPU; HW-offloaded traffic never leaves the switch chip). There are two options: 1) disable HW offload on one of the two ports or 2) use the switch chip menu to construct ACLs. I really wouldn't recommend option #1; it would hurt performance a lot.
You mentioned a CRS model that doesn't exist (CRS1128G ... I'll assume we're talking about the CRS112-8G-4S-IN), so have a look at the ACL section of the manual for the CRS1xx/2xx series switches.
 
dvdlss
just joined
Topic Author
Posts: 2
Joined: Mon Apr 08, 2024 7:39 pm

Re: filtering big local lan

Tue Apr 09, 2024 2:35 pm

Thank you!
I created some ACL rules.
I only allowed the MACs of the 4 machines that had to pass to my LAN, then dropped everything.
It works!

Can I improve the rules further?
 0   ;;; consent NVR1
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=3C:EF:8C:20:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 1   ;;; consent NVR2
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=3C:EF:8C:14:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 2   ;;; consent NVR3
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=E4:24:6C:FF:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 3   ;;; consent NVR4
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=C0:39:5A:AC:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 4   ;;; drop all
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" action=drop attack-filter-bypass=no ingress-vlan-filter-bypass=no 
     egress-vlan-filter-bypass=no isolation-filter-bypass=no
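The same policy written as the RouterOS commands that produce the print output above (an added example, not from the original post). It assumes a CRS1xx/2xx switch chip where the /interface ethernet switch acl menu exists, keeps the XX placeholders exactly as redacted in the post, and relies on ACL rules being evaluated top to bottom, so the catch-all drop must stay last.

```routeros
# Added example: switch-chip ACL that lets only four source MACs enter from sfp9.
# Assumption: CRS1xx/2xx switch chip (menu /interface ethernet switch acl).
# The XX octets are kept as redacted in the post; replace with the real MACs.
/interface ethernet switch acl

# Allow-list rules first. The /FF:FF:FF:FF:FF:FF mask means an exact MAC match;
# a shorter mask would match a whole range of addresses, so keep it full.
add table=ingress src-ports=sfp9 mac-src-address=3C:EF:8C:20:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR1"
add table=ingress src-ports=sfp9 mac-src-address=3C:EF:8C:14:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR2"
add table=ingress src-ports=sfp9 mac-src-address=E4:24:6C:FF:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR3"
add table=ingress src-ports=sfp9 mac-src-address=C0:39:5A:AC:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR4"

# Catch-all: every other frame entering sfp9 is dropped in the switch chip.
# Rules are matched in order, so this one must remain last. If a later
# "add" lands below it, reorder with: move <drop-rule-id> <new-position>
add table=ingress src-ports=sfp9 action=drop comment="drop all"

# Check that the order is allow, allow, allow, allow, drop before trusting it.
print where src-ports=sfp9
```

Because the rules only look at ingress on sfp9, traffic from eth1 towards sfp9 is still unfiltered, and the allow-list keys on source MAC alone, which identifies a device but does not authenticate it.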
 
mkx
Forum Guru
Posts: 11683
Joined: Thu Mar 03, 2016 10:23 pm

Re: filtering big local lan

Tue Apr 09, 2024 3:49 pm

Can I improve the rules further?

I don't really have much experience with switch chip ACLs so I can't give you any further assistance.
 
llamajaja
Member Candidate
Posts: 198
Joined: Sat Sep 30, 2023 3:11 pm

Re: filtering big local lan

Tue Apr 09, 2024 9:03 pm

VLANs are cheap, use them.
