filtering big local lan

Hi everyone,
I have a very large LAN that I need to “filter”.
I’ll explain:
At some point on my LAN I installed a CRS1128G. This device has two cables connected: one to the entire network, on eth1, and one to the part of the LAN to be filtered, on sfp9.
All devices are on the same subnet.
What kind of approach would you use to allow only a pool of IPs (or MACs) to transit from sfp9 to eth1? (Obviously I created the pool.)

If I put the physical interfaces in a bridge, I can’t create a bridge filter that works; all the devices continue to communicate.

Thanks in advance.

Since both ports connect devices in the same subnet, they clearly have to be in the same bridge.

But: a simple bridge (no VLANs, etc.) is by default offloaded to hardware, so bridge filters can’t catch the traffic (the bridge is executed by the CPU; HW-offloaded traffic never leaves the switch chip). There are two options: 1) disable HW offload on one of the two ports, or 2) use the switch chip menu to construct ACLs. I really wouldn’t recommend option #1; it would hurt performance a lot.
You mentioned a CRS model that doesn’t exist (CRS1128G … I’ll assume we’re talking about the CRS112-8G-4S-IN), so have a look at the ACL section of the manual for the CRS1xx/2xx series switches.

Thank you!
I created some ACL rules.
I only allowed the MACs of the 4 machines that had to pass to my LAN, then dropped everything.
It works!

Can I improve the rules further?

 0   ;;; consent NVR1
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=3C:EF:8C:20:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 1   ;;; consent NVR2
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=3C:EF:8C:14:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 2   ;;; consent NVR3
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=E4:24:6C:FF:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 3   ;;; consent NVR4
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" mac-src-address=C0:39:5A:AC:XX:XX/FF:FF:FF:FF:FF:FF action=forward 
     attack-filter-bypass=no ingress-vlan-filter-bypass=no egress-vlan-filter-bypass=no isolation-filter-bypass=no 

 4   ;;; drop all
     table=ingress invert-match=no src-ports=sfp9 custom-fields="" action=drop attack-filter-bypass=no ingress-vlan-filter-bypass=no 
     egress-vlan-filter-bypass=no isolation-filter-bypass=no
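Added example, not from the original thread or from MikroTik: the allow-list from the posted rules (the ACL approach recommended two posts up), written as the RouterOS CLI commands that produce it on the CRS1xx/2xx switch chip. The port names sfp9 and eth1 and the four MAC prefixes come from the post; the `XX:XX` octets are placeholders exactly as the poster masked them and must be replaced with the real addresses before the commands are run. The rule order matches the posted listing, with the catch-all drop added last.

```routeros
# Added example (not the poster's own export): switch-chip ACL allow-list for
# frames entering on sfp9, as on the CRS1xx/2xx series.
# Placeholder MACs (XX:XX) are masked as in the original post; substitute real ones.
/interface ethernet switch acl
add table=ingress src-ports=sfp9 \
    mac-src-address=3C:EF:8C:20:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR1"
add table=ingress src-ports=sfp9 \
    mac-src-address=3C:EF:8C:14:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR2"
add table=ingress src-ports=sfp9 \
    mac-src-address=E4:24:6C:FF:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR3"
add table=ingress src-ports=sfp9 \
    mac-src-address=C0:39:5A:AC:XX:XX/FF:FF:FF:FF:FF:FF action=forward comment="consent NVR4"
# Catch-all: anything else arriving on sfp9 is dropped in the switch chip.
add table=ingress src-ports=sfp9 action=drop comment="drop all"

# Verify the resulting order; the drop rule must be listed after the four forwards.
/interface ethernet switch acl print
```

Two caveats for anyone reusing this: the rules are ingress rules on sfp9 only, so they say nothing about what eth1-side hosts may send towards sfp9, and a MAC allow-list is only an identity check against the source address a host chooses to put in the frame; a device on the sfp9 side that forges one of the four permitted MACs passes the filter. Whether the switch chip can additionally tie each MAC to its IP address depends on the L3 matchers the chip's ACL table offers, which this thread does not cover.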

I don’t really have much experience with switch chip ACLs so I can’t give you any further assistance.

VLANs are cheap; use them.