Dell 3348 Switch User Manual


 
204 Configuring Switch Information
www.dell.com | support.dell.com
4 Check the Remove check box.
5 Click Apply Changes. The MAC-based ACE is removed, and the device is updated.
Assigning MAC-Based ACEs to ACLs Using the CLI Commands
The following is an example. Station A is connected to port 5, and Station B is connected to
port 9. Station A has the MAC address 00-0B-CD-35-6A-00 (IP address: 10.0.0.1
255.255.255.0). Station B has the MAC address 00-06-6B-C7-A1-D8 (IP address: 10.0.0.2
255.255.255.0).
To implement a MAC ACL on port 5 that allows all traffic to move from Station A to Station
B, enter the following CLI commands:
permit source mac address destination mac address
permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 00-06-6B-C7-A1-D8 0.0.0.0.0.0
All traffic that matches the ACL is passed, and all other traffic is denied. (There is
an additional promiscuous deny all entered at the end of the ACL.)
In the above example, Station A tries to send an ICMP ECHO to Station B. The ICMP
fails, even though it is permitted by the MAC ACL. The problem is that Station A does not
have an entry for Station B in its ARP table. Station A tries to get the MAC address of
Station B with an ARP request, which is a broadcast frame with the source MAC of Station A
(00-0B-CD-35-6A-00) and the broadcast destination (FF.FF.FF.FF.FF.FF). This frame is
silently dropped because it does not match the MAC ACL that was set up on port 5.
To solve this issue, the user has to enter the additional permit line that allows the
broadcast frame:
permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 FF.FF.FF.FF.FF.FF 0.0.0.0.0.0
NOTE: Even though a user intends to permit traffic from MAC address A to MAC address B,
the user cannot succeed with simple traffic like ICMP, because the additional broadcast is not
taken into consideration.
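The drop described above can be reproduced offline with a small first-match model of the ACL.
This is an added example, not code from the manual or the switch; it assumes that a 0 bit in
the wildcard mask means the address bit must match, and the helper names are hypothetical.

```python
import re

MASK48 = (1 << 48) - 1

def mac_to_int(text):
    """Parse six hex groups separated by '-', '.' or ':' (covers 0.0.0.0.0.0)."""
    groups = re.split(r"[-.:]", text)
    if len(groups) != 6:
        raise ValueError(f"expected 6 groups: {text!r}")
    value = 0
    for group in groups:
        octet = int(group, 16)
        if octet > 0xFF:
            raise ValueError(f"group out of range: {text!r}")
        value = (value << 8) | octet
    return value

def parse_permit(line):
    """Split 'permit <src> <src-wildcard> <dst> <dst-wildcard>' into integers."""
    keyword, *fields = line.split()
    if keyword != "permit" or len(fields) != 4:
        raise ValueError(f"unsupported ACE: {line!r}")
    return [mac_to_int(f) for f in fields]

def evaluate(acl_lines, src, dst):
    """First matching permit wins; no match falls through to the final deny."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for line in acl_lines:
        r_src, src_wc, r_dst, dst_wc = parse_permit(line)
        # Assumption: a 0 bit in the wildcard means the bit must match.
        src_care, dst_care = ~src_wc & MASK48, ~dst_wc & MASK48
        if ((s ^ r_src) & src_care) == 0 and ((d ^ r_dst) & dst_care) == 0:
            return "permit"
    return "deny"  # the deny all at the end of every ACL

STATION_A = "00-0B-CD-35-6A-00"
STATION_B = "00-06-6B-C7-A1-D8"
BROADCAST = "FF.FF.FF.FF.FF.FF"
UNICAST_ONLY = ["permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 00-06-6B-C7-A1-D8 0.0.0.0.0.0"]
WITH_BROADCAST = UNICAST_ONLY + [
    "permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 FF.FF.FF.FF.FF.FF 0.0.0.0.0.0"]

def first_ping(acl_lines):
    """Verdicts for the two frames Station A sends: ARP request, then ICMP ECHO."""
    return {"arp_request": evaluate(acl_lines, STATION_A, BROADCAST),
            "icmp_echo": evaluate(acl_lines, STATION_A, STATION_B)}

if __name__ == "__main__":
    for name, acl in (("unicast only", UNICAST_ONLY), ("with broadcast", WITH_BROADCAST)):
        print(name, first_ping(acl))
```

The added permit line matches on MAC addresses only, so it passes every broadcast frame from
Station A, not just ARP requests; broadcasts from any other source on the port are still denied.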
The following table summarizes the equivalent CLI commands for assigning MAC-based
ACEs to ACLs as displayed in the Add ACE to MAC Based ACL page.