policy and mac group
Posted: 03 Sep 2024 07:53
by aurik
Hello.
I'm trying to create a policy that only allows certain MAC addresses on a specific port of the switch.
policy mac group cdcl-1 xx:xx:xx:xx:xx:xx aa:bb:cc:dd:ee:ff
policy condition cond_cdcl-1 source port 1/1/10 source mac group cdcl-1 destination ip Any
policy action act_accept disposition accept
policy rule ru_cdcl-1 condition cond_cdcl-1 action act_accept
qos apply
But currently I haven't been able to get anything running...
I'm missing something to get an "implicit deny" for the other MAC addresses...
Could you help me out?
Thanks in advance!
Re: policy and mac group
Posted: 03 Sep 2024 08:33
by Cristek
Hi!
While you can certainly do this with a policy, have you considered simply using port security instead? Unless there's a bigger configuration objective you are not mentioning, this seems like a good use for it. Something like:
port-security port 1/1/10 admin-state enable
port-security port 1/1/10 mac-range low 01:23:45:00:00:00 high 01:23:45:ff:ff:ff
You can even have 8 ranges per port!
Re: policy and mac group
Posted: 03 Sep 2024 08:39
by aurik
Hello Cristek.
I need to allow 6 different MAC addresses which are not from the same vendor, so not in the same range.
EDIT: my bad, I hadn't read the "8 ranges" part.
I'll try that, thanks!
Re: policy and mac group
Posted: 03 Sep 2024 08:50
by Cristek
Something like this?
port-security port 1/1/1 maximum 6
port-security port 1/1/1 mac aa:aa:aa:11:11:11
port-security port 1/1/1 mac bb:bb:bb:11:11:12
port-security port 1/1/1 mac cc:cc:cc:11:11:13
port-security port 1/1/1 mac dd:dd:dd:11:11:14
port-security port 1/1/1 mac ee:ee:ee:11:11:15
port-security port 1/1/1 mac ff:ff:ff:11:11:16
Re: policy and mac group
Posted: 03 Sep 2024 09:10
by aurik
So, I've just tried it.
It works, but not as intended. :-/
With that, these 6 MAC addresses will automatically get the default port VLAN.
I use a UNP profile on the switch; my default VLAN is a "blocking VLAN".
So, yes, I have a bigger configuration objective I'm not mentioning... Sorry.

Re: policy and mac group
Posted: 03 Sep 2024 09:18
by Cristek
You can add a VLAN to it:
port-security port 1/1/1 mac cc:cc:cc:11:11:13 vlan 123
Re: policy and mac group
Posted: 03 Sep 2024 09:35
by aurik
I saw that, but it only allows the default VLAN.
But this seems to do the trick:
policy mac group cdcl-1 AA:bb:CC:dd:EE:FF
policy condition cond_allow_cdcl-1 source port 1/1/10 source mac group cdcl-1
policy condition cond_drop_no_cdcl-1 source port 1/1/10
policy action act_drop disposition drop
policy action act_accept
policy rule ru_accept_cdcl-1 condition cond_allow_cdcl-1 action act_accept
policy rule ru_drop_no_cdcl-1 condition cond_drop_no_cdcl-1 action act_drop
qos apply
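The final configuration above has two overlapping conditions on port 1/1/10: an allowed MAC matches both cond_allow_cdcl-1 and the catch-all cond_drop_no_cdcl-1, so the "implicit deny" only behaves as intended if the accept rule wins the conflict. The following generator is an added example written for this thread, not code from the original posters or from Alcatel-Lucent. It emits the same AOS policy structure for any port and MAC list, normalises and validates the MACs (the 5-octet placeholder from the first post would be rejected, as would a multicast address, which can never be a legitimate source MAC), and pins the rule ordering with an explicit precedence. The assumption, to be verified against your AOS release, is that on policy rule a higher precedence value is applied first when rules overlap; the port format 1/1/10 and the cond_/ru_/act_ naming are taken from the thread, the precedence values 200 and 100 are arbitrary.

```python
"""Generate AOS 'allow only these source MACs on this port' QoS policy lines.

Added example for the forum thread above; not vendor code. Assumes the
AOS 8 CLI syntax shown in the thread (policy mac group / policy condition /
policy action / policy rule / qos apply) and that a higher 'precedence'
value on 'policy rule' wins when two rules match the same flow (assumption).
"""
import re
from typing import Iterable, List

_PORT_RE = re.compile(r"^\d+/\d+/\d+$")   # chassis/slot/port, e.g. 1/1/10


def normalize_mac(mac: str) -> str:
    """Return the MAC as aa:bb:cc:dd:ee:ff, or raise ValueError.

    Accepts aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff and aabb.ccdd.eeff forms.
    Rejects anything that is not exactly 6 octets and any address with the
    I/G (multicast) bit set, since such an address cannot be a source MAC
    and would only widen the allow list by mistake.
    """
    hexdigits = re.sub(r"[:\-.]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    if int(hexdigits[0:2], 16) & 1:
        raise ValueError(f"multicast/broadcast address cannot be a source MAC: {mac!r}")
    if hexdigits == "0" * 12:
        raise ValueError("all-zero MAC address is not a valid source MAC")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def build_policy(port: str, group: str, macs: Iterable[str],
                 accept_precedence: int = 200,
                 drop_precedence: int = 100) -> List[str]:
    """Build the allow-list policy for one port.

    Layout mirrors the thread's working config: one MAC group, an allow
    condition (port + MAC group), a catch-all drop condition (port only),
    and two rules. The accept rule carries the higher precedence so that a
    listed MAC, which matches BOTH conditions, is accepted rather than
    dropped; every other MAC only matches the catch-all and is dropped.
    """
    if not _PORT_RE.match(port):
        raise ValueError(f"port must look like chassis/slot/port, got {port!r}")
    if accept_precedence <= drop_precedence:
        raise ValueError("accept rule must have higher precedence than the drop rule")

    # Normalise, validate and de-duplicate while keeping the caller's order.
    allowed = list(dict.fromkeys(normalize_mac(m) for m in macs))
    if not allowed:
        raise ValueError("allow list is empty; the policy would drop everything")

    cond_allow = f"cond_allow_{group}"
    cond_drop = f"cond_drop_no_{group}"
    return [
        f"policy mac group {group} {' '.join(allowed)}",
        f"policy condition {cond_allow} source port {port} source mac group {group}",
        f"policy condition {cond_drop} source port {port}",
        "policy action act_accept",
        "policy action act_drop disposition drop",
        f"policy rule ru_accept_{group} condition {cond_allow} "
        f"action act_accept precedence {accept_precedence}",
        f"policy rule ru_drop_no_{group} condition {cond_drop} "
        f"action act_drop precedence {drop_precedence}",
        "qos apply",
    ]


if __name__ == "__main__":
    # Constructed sample input: the port and group name from the thread,
    # six made-up MACs in mixed notations (not real devices).
    sample = ["AA:bb:CC:dd:EE:FF", "00-11-22-33-44-55", "0a1b.2c3d.4e5f",
              "aa:bb:cc:dd:ee:ff", "02:00:00:00:00:01", "de:ad:be:ef:00:01"]
    print("\n".join(build_policy("1/1/10", "cdcl-1", sample)))
```

Paste the generated lines into a configuration session and verify with `show policy rule` and `show active policy rule` that both rules are active with the expected precedence; a listed MAC that still lands in the blocking VLAN usually means the drop rule is being evaluated first.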