How to create an ACL matching only ARP reply packets

Objective
This is a workaround for creating an ACL that matches only ARP reply packets.
Environment
  • EXOS All
Procedure
EXOS currently does not support an ACL match condition for the ARP operation field, which is used to classify the types of ARP packets such as request or reply.
Because ARP reply packets are always unicast and ARP request packets are always broadcast, the ACL's match conditions can instead check that the multicast bit (the last bit in the first octet of the destination MAC address) is set to 0 and that the ether-type is ARP. As a result, the entry matches only ARP reply packets.


# Set the action in the "then" block to permit or deny, as required.
entry arp-reply {
    if {
        ethernet-destination-address 00:00:00:00:00:00 mask 01:00:00:00:00:00 ;
        ethernet-type 0x0806 ;
    } then {
        permit ;
    }
}
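
As an added illustration (not part of the original article), the Python sketch below applies the same masked destination-MAC and ether-type test to constructed frames and shows the ARP operation field next to the result. It goes slightly beyond the two cases named above by including a unicast ARP request and an ARP reply sent to broadcast, because the entry classifies on the destination address and never reads the operation field; all MAC addresses, IP addresses and helper names are made up for the example.

```python
import struct

ARP_ETHERTYPE = 0x0806
ACL_DST_VALUE = bytes.fromhex("000000000000")  # address in the ACL entry
ACL_DST_MASK = bytes.fromhex("010000000000")   # only the multicast (I/G) bit

def mac(text):
    return bytes.fromhex(text.replace(":", ""))

def build_frame(dst, src, ethertype, oper=None):
    """Constructed Ethernet frame; an ARP body is appended when oper is given."""
    frame = mac(dst) + mac(src) + struct.pack("!H", ethertype)
    if oper is not None:
        # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, operation
        frame += struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
        frame += mac(src) + bytes([10, 1, 1, 1])       # sender MAC / IP
        tha = bytes(6) if oper == 1 else mac(dst)      # target MAC unknown in a request
        frame += tha + bytes([10, 1, 1, 2])            # target MAC / IP
    return frame

def acl_matches(frame):
    """Same test as the entry: masked destination MAC plus ether-type."""
    masked_ok = all((d & m) == (v & m)
                    for d, m, v in zip(frame[0:6], ACL_DST_MASK, ACL_DST_VALUE))
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return masked_ok and ethertype == ARP_ETHERTYPE

def arp_operation(frame):
    """ARP operation (1 = request, 2 = reply), or None if not an ARP frame."""
    if len(frame) < 22 or frame[12:14] != struct.pack("!H", ARP_ETHERTYPE):
        return None
    return struct.unpack("!H", frame[20:22])[0]

A, B, BCAST = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee", "ff:ff:ff:ff:ff:ff"
SAMPLES = {  # constructed sample frames
    "broadcast request": build_frame(BCAST, A, ARP_ETHERTYPE, 1),
    "unicast reply": build_frame(A, B, ARP_ETHERTYPE, 2),
    "unicast request": build_frame(B, A, ARP_ETHERTYPE, 1),
    "broadcast reply": build_frame(BCAST, A, ARP_ETHERTYPE, 2),
    "unicast IPv4": build_frame(B, A, 0x0800),
}

def evaluate():
    """Map each sample name to whether the ACL conditions match it."""
    return {name: acl_matches(frame) for name, frame in SAMPLES.items()}

if __name__ == "__main__":
    for name, frame in SAMPLES.items():
        print(f"{name:18} oper={arp_operation(frame)} acl_match={acl_matches(frame)}")
```
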
Additional notes
If you wish to match the ARP reply from a specific host, you can use the following ACL:

entry test {
    if match all {
        ethernet-type 0x0806;
        arp-sender-address 10.1.1.1/30;
    } then {
        count arp_reply;
    }
}

 
