Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1853
Views
5
Helpful
3
Replies

MAC Address Blocking

jwilde
Level 1
Level 1

‎10-26-2011 02:49 PM

I have a switch that is connected to two different entities (me3400-2csa).  One port i am marking as a S-TAG and on the other port I am feeding them video.  On the video port, I would only like to allow Cisco STB's to talk through the port but have not found the correct way of doing it.  I have tried mac access-lists and vlan maps to no avail.  I think with vlan maps it is blocking layer2, but forwarding the multicast through the ports.  I am guessing if i controlled the ip layer that would suffice.  Is there an easy way of blocking a block like:

00:23:be*

I can not find the correct method as it always either blocks everything or allows mcast through.  Here is one example that passes traffic after applying:

mac access-list extended OUI

permit host f04d.a29d.d1aa any

vlan access-map TEST 10

match mac address OUI

action drop

!

vlan filter TEST vlan-list 225

I would expect my multicast and ping to drop but it does not. 

I have also tried doing an int g0/2 applying internal mac access-group to no avail with deny. 

Labels:
0 Helpful
3 Replies 3

rsimoni
Cisco Employee
Cisco Employee

‎10-28-2011 08:58 AM

Hi,

MAC ACLs are not good for the purpose as they are meant to filter NON-IP traffic only. They are not effective for IP traffic.

Check also

http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_55_se/configuration/guide/swacl.html#wp1289037

I guess you need to filter based on IP addresses instead.

Riccardo

0 Helpful

jwilde
Level 1
Level 1
In response to rsimoni

‎10-28-2011 10:34 AM

The only problem is I can’t filter on ip traffic cause I don’t know the IP. I wish they did this access vendors do.

Jeff Wilde

Network Engineer

Park Region Telephone Company

PO Box 277

100 Main Street

Underwood, MN 56586

P: 218-826-8330

F: 218-826-6298

E: jeff.wilde@parkregion.com

0 Helpful

rsimoni
Cisco Employee
Cisco Employee
In response to jwilde

‎10-28-2011 01:23 PM

Jeff, ok I see.

Anyway if you know the MAC addresses you want to allow you can use Port Security feature for the purpose.

Have a look at this:

http://www.cisco.com/en/US/docs/switches/metro/me3400/software/release/12.2_50_se/configuration/guide/swtrafc.html#wp1038501

Hope this helps

Riccardo

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents