jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Switch ACL to restrict IP usage

Mon Jan 17, 2022 12:16 pm

Hi, we are going to offer dedicated servers to our customers; they will have root access. We want to prevent a customer from being able to configure any IP from our network on their server.

I guess we will have to create an ACL rule on each port of the switch authorizing only the client IPs.

What I have not found is how to create a negative condition, for example:

If the IP is not "the authorized one" action DROP.

Or how would it be?

Thanks!
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Switch ACL to restrict IP usage

Mon Jan 17, 2022 12:21 pm

The square in front of a condition where a "!" appears when you click it is the "NOT" operator.
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Mon Jan 17, 2022 8:04 pm

> The square in front of a condition where a "!" appears when you click it is the "NOT" operator.

This option is not available in switch ACL.
That's why I opened this post :)
Maybe there is some other way to do what I need?
I think it is a very basic function for a switch...
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Switch ACL to restrict IP usage

Mon Jan 17, 2022 8:21 pm

Well, switch ACL does not exist, it is switch rule. It is not really intended for access control, but to redirect traffic in a different direction than it would normally flow. E.g. to send only some of the traffic, that is normally switched, to the CPU.

I guess you could work around it by having rules that redirect the traffic you want to handle to one port, and finally redirect all other traffic (IP 0.0.0.0/0) to another port where nothing is connected. Or to the CPU, where it can be logged for example.

In a higher-end device (you do not mention the device type) it should be possible to do some things in bridge filters, but you need to check at what point it will drop the HW Offload as you probably do not want that to happen.
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Mon Jan 17, 2022 8:26 pm

Isn't there an option in Mikrotik switches to restrict the IPs authorized to use a given port?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Switch ACL to restrict IP usage

Mon Jan 17, 2022 8:31 pm

I don't know what your exact configuration is...
What I would do is set the ARP to reply-only either on the Bridge or VLAN interface used, depending on the configuration, and then set the add-arp-for-leases=yes parameter on the DHCP server, or static-only and manually enter the ARP entry...
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Mon Jan 17, 2022 8:47 pm

The servers are configured with static IP.

But as I said in the first message, the client has root access and can change the IP to another... Technically he can change it.

What we have to do is to prevent that when he sets another IP, it works for him...

For example:

We give him the server configured with IP: 5.134.110.50/24

But he accesses the network configuration and changes it to: 5.134.110.51/24

What should happen at that moment is that the server stops working (network down), because the IP .51 is not authorized.
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 7:25 pm

In Arista, this is done by ACL rules
https://www.arista.com/en/um-eos/eos-ac ... route-maps
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 7:59 pm

I don't get it. What switch? Just use /ip services allow-from=x.x.x.x/yy or setup some chain=input firewall rules?
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 8:03 pm

> I don't get it. What switch? Just use /ip services allow-from=x.x.x.x/yy or setup some chain=input firewall rules?
That's not what the OP asks for...
 
mada3k
Long time Member
Posts: 687
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 9:55 pm

Now I get it... Layer-2 security/filter using Layer-3 addresses.. Switch ACL can never check the L3-address used.

Hmmm.. Static ARP entries on the router/gateway?
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 10:01 pm

> Now I get it... Layer-2 security/filter using Layer-3 addresses.. Switch ACL can never check the L3-address used.
>
> Hmmm.. Static ARP entries on the router/gateway?

How can you control in a router the IPs allowed in a switch port?
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 10:20 pm

> Now I get it... Layer-2 security/filter using Layer-3 addresses.. Switch ACL can never check the L3-address used.

You can on CRS3xx https://wiki.mikrotik.com/wiki/Manual:C ... _.28ACL.29, CRS1xx/2xx https://wiki.mikrotik.com/wiki/Manual:C ... ntrol_List and even QCA8337/Atheros8327/Atheros8316 https://wiki.mikrotik.com/wiki/Manual:S ... Rule_Table
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 10:27 pm

> The square in front of a condition where a "!" appears when you click it is the "NOT" operator.

> This option is not available in switch ACL.

You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client ports.
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 10:34 pm

> This option is not available in switch ACL.

> You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client ports.

Thanks!
 
pe1chl
Forum Guru
Posts: 10197
Joined: Mon Jun 08, 2015 12:09 pm

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 10:49 pm

I already suggested that in reply #4, but AFAIK there is no action to drop/accept in a switch rule, only to send the traffic to a specified port or the CPU.
But that may be different on the device that you have.

Anyway, when you can spare a port you can still use that method, or you can redirect unmatched traffic to the CPU and see what is happening.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switch ACL to restrict IP usage

Wed Jan 19, 2022 10:56 pm

> AFAIK there is no action to drop/accept in a switch rule, only to send the traffic to a specified port or the CPU.

The "drop" is obtained by means of setting an empty list of permitted egress ports.
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage  [SOLVED]

Wed Jan 19, 2022 11:34 pm

> This option is not available in switch ACL.

> You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client ports.

It's working ok!
/interface ethernet switch acl
add ip-src=188.1.2.3 mac-protocol=ip src-ports=ether2
add mac-protocol=ip src-ports=ether2 action=drop
add ip-dst=188.1.2.3 mac-protocol=ip table=egress dst-ports=ether2 
add table=egress dst-ports=ether2 action=drop
After executing these rules, only IP 188.1.2.3 is working on port 2 of the switch.

Perfect :)
 
mkx
Forum Guru
Posts: 11444
Joined: Thu Mar 03, 2016 10:23 pm

Re: Switch ACL to restrict IP usage

Thu Jan 20, 2022 9:00 am

For educational purposes it would be great if you spelled out all the relevant properties, also those which keep default values in your particular case. E.g.:
/interface ethernet switch acl
add ip-src=188.1.2.3 mac-protocol=ip src-ports=ether2 table=ingress action=forward
add mac-protocol=ip src-ports=ether2 table=ingress action=drop
add ip-dst=188.1.2.3 mac-protocol=ip table=egress dst-ports=ether2 action=forward
add table=egress dst-ports=ether2 action=drop

Makes posted configuration much more self-documenting IMO.
 
vasa85
just joined
Posts: 11
Joined: Mon Mar 03, 2014 8:10 pm

Re: Switch ACL to restrict IP usage

Wed Jan 11, 2023 8:51 pm

I stumbled across this thread as I have exactly the same issue.

Your solution looks good so I wanted to try it out. But when I do it in my lab the "drop" rule gets triggered as well even if I have an accept rule just before it. According to the Wiki https://help.mikrotik.com/docs/display/ ... -RuleTable only the first rule should trigger.

> If there are multiple rules that can match, then only the first rule will be triggered.

Here is my config running on an RB2011 6.49.7.
/interface ethernet switch rule
add ports=ether2 src-address=10.153.4.2/32 switch=switch1 comment="Allow"
add ports=ether2 dst-address=10.153.4.2/32 switch=switch1 comment="Allow"
add ports=ether2 switch=switch1 new-dst-ports="" comment="Drop"

The first two rules are to allow source and destination for the customer IP on the interface ether2, and the last rule is to drop anything else on the port. But as soon as the last rule is active all traffic gets dropped. Why can't I get it to work?
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switch ACL to restrict IP usage

Wed Jan 11, 2023 9:10 pm

Try adding ports=ether2 switch=switch1 mac-protocol=arp anywhere before the last rule, does it make a difference?
 
vasa85
just joined
Posts: 11
Joined: Mon Mar 03, 2014 8:10 pm

Re: Switch ACL to restrict IP usage

Wed Jan 11, 2023 10:11 pm

No difference, I'm afraid.
 
jmginer
Member Candidate
Topic Author
Posts: 153
Joined: Tue Dec 11, 2012 4:56 am

Re: Switch ACL to restrict IP usage

Thu Jan 12, 2023 9:47 am

Try to add the first rule

add dst-port=67-68 ports=sfp-sfpplus1 protocol=udp switch=switch
 
vasa85
just joined
Posts: 11
Joined: Mon Mar 03, 2014 8:10 pm

Re: Switch ACL to restrict IP usage

Thu Jan 12, 2023 4:43 pm

No change. That is for DHCP and we only use static IP.
 
vasa85
just joined
Posts: 11
Joined: Mon Mar 03, 2014 8:10 pm

Re: Switch ACL to restrict IP usage

Fri Jan 13, 2023 6:25 pm

I finally got it working. After fiddling around, it works when I add a rule at the top to allow all traffic on the customer port. After this rule I can add rules to allow the customer IP, and at the bottom a general drop rule. I also had to add mac-protocol=ip.

When the customer changes to another IP it gets blocked. Only the customer IP 10.153.4.2 is working.

This is the solution.
/interface ethernet switch rule
add ports=ether2 switch=switch1 comment="Allow all customer port ether2"
add ports=ether2 switch=switch1 mac-protocol=ip dst-address=10.153.4.2/32 comment="Allow customer IP"
add ports=ether2 switch=switch1 mac-protocol=ip new-dst-ports="" comment="Drop all IP"

I figured that the rules only apply on incoming ports, so I only needed the allow rule for the customer source address. The rule with the customer destination address was unnecessary.
 
sindy
Forum Guru
Posts: 10206
Joined: Mon Dec 04, 2017 9:19 pm

Re: Switch ACL to restrict IP usage

Fri Jan 13, 2023 6:52 pm

If you really need the topmost rule for IP packets from 10.153.4.2 to work, it is a bug. Even the fact that you could add dst-address without specifying mac-protocol=ip is not nice, but I hesitate to call it a bug.

If you want to restrict traffic towards the customer address, you can add rules matching on ports=switch1-cpu.

Plus as you have correctly figured that the rules are applied on ingress, matching on dst-address in the second rule makes no sense.
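The three rule tables posted in this thread, evaluated by a small Python model of the documented "only the first matching rule triggers" behaviour; this is an added example, not code from the thread or from MikroTik. It assumes that a rule without new-dst-ports forwards normally, that new-dst-ports="" drops, and that src-/dst-address matchers cannot match an ARP frame; under those assumptions the first attempt drops ARP on the customer port, the mac-protocol=ip variant drops only foreign IP, and an allow-all rule on top shadows every rule after it.

```python
# Added model (not MikroTik code) of how the switch-rule tables in this thread
# evaluate under the documented "only the first matching rule triggers" rule.
# Assumptions: no new-dst-ports means forward normally, new-dst-ports="" means
# drop, and src-/dst-address matchers never match ARP (no IP header to compare).
import ipaddress

def matches(rule: dict, pkt: dict) -> bool:
    """True if every matcher present in the rule fits the packet."""
    if "ports" in rule and pkt["port"] != rule["ports"]:
        return False
    if "mac-protocol" in rule and pkt["proto"] != rule["mac-protocol"]:
        return False
    for key in ("src-address", "dst-address"):
        if key in rule:
            if pkt["proto"] != "ip":  # address matcher needs an IP header
                return False
            if ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
                return False
    return True

def verdict(rules: list, pkt: dict) -> str:
    """The first matching rule decides; new-dst-ports="" means drop."""
    for rule in rules:
        if matches(rule, pkt):
            return "drop" if rule.get("new-dst-ports") == "" else "forward"
    return "forward"  # nothing matched: normal switching

# vasa85's first attempt: the last rule has no mac-protocol, so it also drops ARP
ATTEMPT = [
    {"ports": "ether2", "src-address": "10.153.4.2/32"},
    {"ports": "ether2", "dst-address": "10.153.4.2/32"},
    {"ports": "ether2", "new-dst-ports": ""},
]
# The pattern tdw described: permit the customer source, drop only other IP
FIXED = [
    {"ports": "ether2", "mac-protocol": "ip", "src-address": "10.153.4.2/32"},
    {"ports": "ether2", "mac-protocol": "ip", "new-dst-ports": ""},
]
# vasa85's final table: under first-match semantics rule 1 shadows the rest
ALLOW_ALL_FIRST = [
    {"ports": "ether2"},
    {"ports": "ether2", "mac-protocol": "ip", "dst-address": "10.153.4.2/32"},
    {"ports": "ether2", "mac-protocol": "ip", "new-dst-ports": ""},
]
# Constructed frames ingressing on ether2 (10.153.4.1 stands in for the gateway)
ARP = {"port": "ether2", "proto": "arp"}
GOOD = {"port": "ether2", "proto": "ip", "src-address": "10.153.4.2", "dst-address": "10.153.4.1"}
ROGUE = {"port": "ether2", "proto": "ip", "src-address": "10.153.4.3", "dst-address": "10.153.4.1"}
```

Run verdict(table, frame) for each pair to see which table kills ARP, which one blocks only the foreign source, and which one never reaches its drop rule.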
