GS2210 Classifier and Policy rules logic
I make the following:
---------------
Classifier 1 MAC allow
port 19
Source MAC xx:xx:xx:xx:xx:xx
---------------
Classifier 2 Block all port 19
port 19
---------------
Classifier 3 DHCP_cast_port_19_allow
port 19
Destination MAC ff:ff:ff:ff:ff:ff
Source port 68
Destination port 67
-----------------
Classifier 4 DHCP_cast_port_19_block
port 19
Source port 68
Destination port 67
-----------------
Classifier 5 TCP445dropin2
port 19
Destination port 445
Policy rules
1 a0000000000000001 Classifier 1 MAC allow
2 a0000000000000002 Classifier 2 Block all port 19 with Discard the packet
3 a0000000000001 Classifier 3 DHCP_cast_port_19_allow
4 a000000001 Classifier 4 DHCP_cast_port_19_block and TCP445dropin2 with Discard the packet
Here are some things that happen:
Only a given MAC should be allowed; everything else that's not from that Source MAC should be dropped by rule 2... and no, that's not how it works, because rule 3 allows any Source MAC to DHCP out. This to me is a problem?
Another oddness is if you TCP ping port 445 out you would think rule 1 would allow it... and no, that's not how it works, because rule 4 will drop it. This I think is fine...
I know the GS2210 is EOL, but I was thinking new models might have the same problem?
All Replies
@PeterUK,
I assume you did not change the weight setting (which means they are all equal, 32767 by default). If that is the case, then the rule with the single classifier which has more criteria has the higher priority.
In this case, your rule 3's classifier has the most criteria and therefore has the highest priority, and rule 2 has the least priority.
I recommend setting the weight to change the priority; the higher the number, the higher the rule's priority.
Unfortunately, changing the weight for Classifier 3 only applies to a rule with many Classifiers within that rule, not over other rules, so rule 2's other DHCP MAC traffic gets allowed by rule 3.
@PeterUK
Can you PM me your configuration file? I'd like to check on it.
I think how it's working is: Ethernet "any" is preferred over IP, then IP is preferred over layer 3 or 4, and then over MAC?
So the switch gets a DHCP from another MAC; this gets checked by rule 1, which does not match, then rule 2, which matches, but the switch then carries on if there is an IP, layer 3 or 4 match, and then rule 3 allows it.
Accepted Solution
@PeterUK
Please activate match order to manual in the classifier global setting; then it should run based on the weight.
Well, that blocked everything until I changed the weight of Classifier 1 MAC allow to 32768, but that then allowed Classifier 5 TCP445dropin2, so I had to change its weight to 32769.
It seems the Policy Rule order is not followed...
Thanks, changing match order to manual does work, but I feel auto could be made better if it followed Policy Rule order.
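As an added illustration (not code from the thread or from Zyxel), here is a small Python model of the first-match logic the replies describe: in auto match order the classifier with the most criteria is tried first, in manual match order the highest weight is tried first, and the first classifier that matches decides the frame's fate. The MAC addresses, the frame fields and the tie-break (classifier listing order) are assumptions of this model.

```python
from dataclasses import dataclass, field

FORWARD, DISCARD = "forward", "discard"   # the two policy-rule actions in the thread
ALLOWED_MAC = "02:00:00:00:00:01"         # constructed stand-in for xx:xx:xx:xx:xx:xx
BCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Classifier:
    index: int                  # classifier number as listed in the post
    action: str                 # action of the policy rule that uses it
    weight: int = 32767         # Zyxel default weight quoted in the staff reply
    criteria: dict = field(default_factory=dict)

    def matches(self, pkt):     # every criterion must equal the frame's field
        return all(pkt.get(k) == v for k, v in self.criteria.items())

CLASSIFIERS = [
    Classifier(1, FORWARD, criteria={"port": 19, "src_mac": ALLOWED_MAC}),
    Classifier(2, DISCARD, criteria={"port": 19}),
    Classifier(3, FORWARD, criteria={"port": 19, "dst_mac": BCAST,
                                     "src_port": 68, "dst_port": 67}),
    Classifier(4, DISCARD, criteria={"port": 19, "src_port": 68, "dst_port": 67}),
    Classifier(5, DISCARD, criteria={"port": 19, "dst_port": 445}),
]
MANUAL_WEIGHTS = {1: 32768, 5: 32769}     # weights the poster ended up with

def with_weights(classifiers, weights):
    """Copy of the list with per-classifier weight overrides (manual match order)."""
    return [Classifier(c.index, c.action, weights.get(c.index, c.weight), c.criteria)
            for c in classifiers]

def ordered(classifiers, mode):
    """auto: most criteria first (the staff explanation); manual: highest weight first.
    Ties keep listing order here (assumption); the thread does not say how ties break."""
    key = (lambda c: len(c.criteria)) if mode == "auto" else (lambda c: c.weight)
    return sorted(classifiers, key=key, reverse=True)   # sorted() is stable

def evaluate(pkt, classifiers, mode):
    """First matching classifier decides; returns (classifier index, action)."""
    for c in ordered(classifiers, mode):
        if c.matches(pkt):
            return c.index, c.action
    return None, FORWARD   # nothing matched: the switch forwards the frame as usual

def frame(src_mac, dst_mac, src_port, dst_port):
    """Constructed frame arriving on port 19, reduced to the fields the classifiers test."""
    return {"port": 19, "src_mac": src_mac, "dst_mac": dst_mac,
            "src_port": src_port, "dst_port": dst_port}
```

With the default weights in auto mode a DHCP broadcast from any other MAC lands on Classifier 3 and is forwarded; with the poster's manual weights, port 445 from the allowed MAC is discarded by Classifier 5 while its DHCP unicast is still forwarded by Classifier 1.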
Hmm... I seem to have come across a limitation with what I'm trying to do without using another set of ports or setting a Source MAC for DHCP.
I want a single MAC to be allowed and at the same time only allow DHCP broadcast and block outgoing DHCP unicast, so I can only do DHCP broadcast only, but this allowed another MAC to DHCP, or single MAC only but allow DHCP unicast....