10-26-2011 02:49 PM
I have a switch that is connected to two different entities (me3400-2csa). One port I am marking as an S-TAG and on the other port I am feeding them video. On the video port, I would only like to allow Cisco STBs to talk through the port but have not found the correct way of doing it. I have tried MAC access-lists and VLAN maps to no avail. I think with VLAN maps it is blocking layer 2, but forwarding the multicast through the ports. I am guessing if I controlled the IP layer that would suffice. Is there an easy way of blocking a block like:
00:23:be*
I cannot find the correct method as it always either blocks everything or allows mcast through. Here is one example that passes traffic after applying:
mac access-list extended OUI
permit host f04d.a29d.d1aa any
vlan access-map TEST 10
match mac address OUI
action drop
!
vlan filter TEST vlan-list 225
I would expect my multicast and ping to drop but it does not.
I have also tried applying a MAC access-group with deny on int g0/2, to no avail.
10-28-2011 08:58 AM
Hi,
MAC ACLs are not good for the purpose, as they are meant to filter non-IP traffic only. They are not effective for IP traffic.
Check also
I guess you need to filter based on IP addresses instead.
Riccardo
10-28-2011 10:34 AM
The only problem is I can't filter on IP traffic because I don't know the IP. I wish they did this as access vendors do.
Jeff Wilde
Network Engineer
Park Region Telephone Company
PO Box 277
100 Main Street
Underwood, MN 56586
P: 218-826-8330
F: 218-826-6298
E: jeff.wilde@parkregion.com
10-28-2011 01:23 PM
Jeff, OK, I see.
Anyway, if you know the MAC addresses you want to allow, you can use the Port Security feature for the purpose.
Have a look at this:
Hope this helps
Riccardo
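A worked Port Security configuration for the video port, added here as an illustration and not part of Riccardo's or Jeff's posts. It assumes the video-facing port is GigabitEthernet0/2 and the access VLAN is 225 (both from the thread), reuses the STB MAC f04d.a29d.d1aa from Jeff's example, and uses 0023.be00.0001 as a placeholder for a second STB in the 00:23:be OUI; that second address is made up for the example.

```ios
! Added example, not from the original thread. Interface, VLAN and the
! first MAC come from the posts above; 0023.be00.0001 is a placeholder.
interface GigabitEthernet0/2
 description Video port - Cisco STBs only
 ! On the ME3400 port security is a UNI/ENI feature, so make sure the
 ! port is not an NNI before enabling it.
 port-type uni
 switchport mode access
 switchport access vlan 225
 switchport port-security
 ! One entry per STB that is allowed to source frames on this port.
 switchport port-security maximum 2
 switchport port-security mac-address f04d.a29d.d1aa
 switchport port-security mac-address 0023.be00.0001
 ! restrict drops frames from any other source MAC and logs/counts the
 ! violation; the default (shutdown) would err-disable the whole port,
 ! taking the legitimate STBs down with the offender.
 switchport port-security violation restrict
!
end
!
! Verify what is being enforced and what has been dropped:
show port-security interface GigabitEthernet0/2
show port-security address
```

Two caveats worth knowing before relying on this. First, port security has no OUI wildcard: there is no way to express "anything starting with 00:23:be", so every allowed STB must be listed, or learned with `switchport port-security mac-address sticky` while only trusted devices are attached. Second, port security only filters frames ingressing the port by source MAC. That is still enough to stop a foreign device from receiving video when IGMP snooping is enabled on VLAN 225, because its IGMP join would be dropped and the switch would never forward the group to it; in a VLAN that floods multicast it does not prevent a silent listener from seeing the stream.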