u2615
just joined
Topic Author
Posts: 3
Joined: Sun Feb 09, 2020 5:00 pm

ACL rules on CRS-354-48G-4S+2Q+

Wed Aug 19, 2020 9:46 pm

Hi all,

I played around with switch rule ACLs and 802.1X and found out that I don't get the ACLs working properly.

My dynamic rules:
/interface ethernet switch rule> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0  D ;;; dot1x dynamic
      switch=switch1 ports=ether26 
      src-mac-address=00:24:54:XX:XX:XX/FF:FF:FF:FF:FF:FF mac-protocol=ipv6 
      copy-to-cpu=no redirect-to-cpu=no mirror=no 

 1  D ;;; dot1x dynamic
      switch=switch1 ports=ether26 
      src-mac-address=00:24:54:XX:XX:XX/FF:FF:FF:FF:FF:FF mac-protocol=ip 
      dst-address=10.0.0.0/8 copy-to-cpu=no redirect-to-cpu=no mirror=no 

 2  D ;;; dot1x dynamic
      switch=switch1 ports=ether26 
      src-mac-address=00:24:54:XX:XX:XX/FF:FF:FF:FF:FF:FF copy-to-cpu=no 
      redirect-to-cpu=no mirror=no new-dst-ports="" 

If I understand this correctly, I shouldn't be able to ping 8.8.8.8, but it works.

Then I tried static rules:
/interface ethernet switch rule> print
Flags: X - disabled, I - invalid, D - dynamic 
 0 X  switch=switch1 ports=ether26 copy-to-cpu=no redirect-to-cpu=no mirror=no 
      new-dst-ports="" 

 1    switch=switch1 ports=ether26 mac-protocol=ip copy-to-cpu=no 
      redirect-to-cpu=no mirror=no new-dst-ports="" 

With rule 0 disabled and only rule 1 active, all IPv4 traffic should be blocked, but it isn't. Rule 0 works and blocks everything.

I also tried to swap the bytes (0x0800 -> 0x0008), but without success (as mentioned here: viewtopic.php?f=2&t=162887&p=802962).

This is on a CRS-354-48G-4S+2Q+ with RouterOS 6.47.2.
What could be wrong?
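As an added illustration (not code from the post or from MikroTik), here is a small Python model of what the quoted dynamic rule set is expected to do: it parses the `print` output into rules and reports which rule a frame hits and whether that rule drops it. It assumes first-match processing top to bottom, that `new-dst-ports=""` means drop and a rule without it means forward, and it uses a constructed MAC in place of the XX bytes.

```python
from ipaddress import ip_address, ip_network

# Constructed input: the three dynamic dot1x rules from the post, with the no-op
# copy-to-cpu/redirect-to-cpu/mirror properties left out and a made-up MAC.
DYNAMIC_RULES = """\
 0  D ;;; dot1x dynamic
      switch=switch1 ports=ether26 src-mac-address=00:24:54:AA:BB:CC/FF:FF:FF:FF:FF:FF mac-protocol=ipv6
 1  D ;;; dot1x dynamic
      switch=switch1 ports=ether26 src-mac-address=00:24:54:AA:BB:CC/FF:FF:FF:FF:FF:FF mac-protocol=ip dst-address=10.0.0.0/8
 2  D ;;; dot1x dynamic
      switch=switch1 ports=ether26 src-mac-address=00:24:54:AA:BB:CC/FF:FF:FF:FF:FF:FF new-dst-ports=""
"""

def parse_rules(text):  # 'switch rule print' output -> list of {index, flags, props}
    rules = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0].isdigit():          # header line: index, then flag letters
            rules.append({"index": int(tokens[0]), "flags": set(), "props": {}})
            tokens = tokens[1:]
            while tokens and tokens[0] in ("X", "I", "D"):
                rules[-1]["flags"].add(tokens.pop(0))
        if not tokens or tokens[0] == ";;;":        # blank line or ';;; comment' line
            continue
        for tok in tokens:                          # key=value pairs, quotes stripped
            key, _, val = tok.partition("=")
            rules[-1]["props"][key] = val.strip('"')
    return rules

def mac_int(s): return int(s.replace(":", ""), 16)

def matches(rule, pkt):  # every matcher present on the rule must agree with the frame
    p = rule["props"]
    if "ports" in p and pkt["port"] not in p["ports"].split(","):
        return False
    if "src-mac-address" in p:
        mac, _, mask = p["src-mac-address"].partition("/")
        m = mac_int(mask) if mask else (1 << 48) - 1
        if mac_int(pkt["src_mac"]) & m != mac_int(mac) & m:
            return False
    if "mac-protocol" in p and p["mac-protocol"] != pkt["proto"]:
        return False
    if "dst-address" in p and ip_address(pkt["dst_ip"]) not in ip_network(p["dst-address"]):
        return False
    return True

def verdict(rules, pkt):
    """First enabled matching rule decides (assumed first-match); new-dst-ports="" drops."""
    for rule in rules:
        if "X" not in rule["flags"] and matches(rule, pkt):
            return rule["index"], "drop" if rule["props"].get("new-dst-ports") == "" else "forward"
    return None, "forward"                          # nothing matched: normal switching
```

Running `verdict(parse_rules(DYNAMIC_RULES), frame)` for an IPv4 frame from the authenticated MAC to 8.8.8.8 lands on rule 2 and should drop; a frame to 10.x lands on rule 1 and is forwarded, which is the behaviour the post expected but did not observe.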
 
ploquets
Member Candidate
Posts: 162
Joined: Tue Nov 17, 2015 12:49 pm
Location: Uruguaiana, RS, Brazil

Re: ACL rules on CRS-354-48G-4S+2Q+

Sun Oct 18, 2020 6:49 am
