Dell PowerConnect 3348 User's Guide - Page 204
www.dell.com | support.dell.com

4 Check the Remove check box.
5 Click Apply Changes. The MAC-based ACE is removed, and the device is updated.

Assigning MAC-Based ACEs to ACLs Using the CLI Commands

The following is an example. Station A is connected to port 5, and Station B is connected to port 9. Station A has the MAC address 00-0B-CD-35-6A-00 (IP address: 10.0.0.1 255.255.255.0). Station B has the MAC address 00-06-6B-C7-A1-D8 (IP address: 10.0.0.2 255.255.255.0).

To implement a MAC ACL on port 5 to allow all traffic to move from Station A to Station B, enter the following CLI commands:

permit source mac address destination mac address
permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 00-06-6B-C7-A1-D8 0.0.0.0.0.0

All traffic that matches the ACL is passed, and all other traffic is denied. (There is an additional promiscuous deny all entered at the end of the ACL.)

For the above example, Station A is trying to send ICMP ECHO to Station B. The ICMP fails, even though it is permitted by the MAC ACL. The problem is that Station A is trying to send the ICMP ECHO to Station B, but it does not have an entry for Station B in its ARP table. Station A tries to get the MAC address of Station B with an ARP request, which is a broadcast frame with the source MAC of Station A (00-0B-CD-35-6A-00) and the broadcast destination (FF.FF.FF.FF.FF.FF). This frame is silently dropped because it does not match the MAC ACL that was set up on port 5. To solve this issue, the user has to enter an additional permit line that allows the broadcast frame:

permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 FF.FF.FF.FF.FF.FF 0.0.0.0.0.0

NOTE: Even though a user intends to permit traffic from MAC address A to MAC address B, simple traffic such as ICMP does not succeed, because the additional broadcast is not taken into consideration.

The following table summarizes the equivalent CLI commands for assigning MAC-based ACEs to ACLs as displayed in the Add ACE to MAC Based ACL page.

204 Configuring Switch Information
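The ARP drop described above can be checked offline with a small first-match evaluator. This Python sketch is an added example, not Dell code or switch firmware; it assumes wildcard bits set to 1 mean "don't care" (so 0.0.0.0.0.0 is an exact match), and the frames and the unlisted host MAC are constructed.

```python
import re

def mac_to_int(mac):
    """Parse a MAC or wildcard written with '-', '.' or ':' separators."""
    octets = re.split(r"[-.:]", mac.strip())
    if len(octets) != 6 or any(len(o) > 2 for o in octets):
        raise ValueError(f"expected 6 octets: {mac!r}")
    return int("".join(o.zfill(2) for o in octets), 16)

def parse_ace(line):
    """'permit <src> <src-wildcard> <dst> <dst-wildcard>' -> tuple."""
    action, *fields = line.split()
    if action not in ("permit", "deny") or len(fields) != 4:
        raise ValueError(f"bad ACE: {line!r}")
    return (action, *map(mac_to_int, fields))

def field_matches(value, pattern, wildcard):
    # Assumption: wildcard bits set to 1 are ignored; all-zero = exact match.
    care = ~wildcard & 0xFFFFFFFFFFFF
    return (value & care) == (pattern & care)

def evaluate(acl, src, dst):
    """First matching ACE wins; no match falls through to the final deny all."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for action, ps, ws, pd, wd in acl:
        if field_matches(s, ps, ws) and field_matches(d, pd, wd):
            return action
    return "deny"

STATION_A, STATION_B = "00-0B-CD-35-6A-00", "00-06-6B-C7-A1-D8"
BROADCAST = "FF.FF.FF.FF.FF.FF"
ORIGINAL_ACL = [parse_ace(f"permit {STATION_A} 0.0.0.0.0.0 {STATION_B} 0.0.0.0.0.0")]
FIXED_ACL = ORIGINAL_ACL + [parse_ace(f"permit {STATION_A} 0.0.0.0.0.0 {BROADCAST} 0.0.0.0.0.0")]

# Constructed frames as seen inbound on port 5: (source MAC, destination MAC).
FRAMES = {
    "ARP request A -> broadcast": (STATION_A, BROADCAST),
    "ICMP echo A -> B": (STATION_A, STATION_B),
    "Unlisted host -> B": ("00-11-22-33-44-55", STATION_B),
}

def verdicts(acl):
    return {name: evaluate(acl, s, d) for name, (s, d) in FRAMES.items()}

if __name__ == "__main__":
    for label, acl in (("original", ORIGINAL_ACL), ("with broadcast permit", FIXED_ACL)):
        for name, verdict in verdicts(acl).items():
            print(f"{label:22} {name:28} {verdict}")
```

With the original ACL the unicast ICMP frame is permitted but the ARP request that must precede it is denied; the second permit line changes only the broadcast verdict, and frames from other sources still hit the final deny.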