01-17-2006 07:47 AM - edited 03-03-2019 01:28 AM
I need to block all traffic to/from certain MAC addresses from within a certain VLAN on a 6500 running CatOS. Is there a way to do per-VLAN MAC-based access-lists?
01-17-2006 07:57 AM
Use the "set cam filter" command. See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/7_4/config/sec_port.htm for details.
Does this help? Please rate it if it does.
01-17-2006 08:13 AM
What is the cmd in IOS? Thanks
01-17-2006 10:04 AM
The IOS command functional equivalent is "mac access-list extended". Here is a snippet from the IOS command reference that covers the highlights:
Once you enter the mac access-list extended name command, use the following subset to create or delete entries in a MAC-access list:
[no] {permit | deny} {{src-mac mask | any} {dest-mac mask} | any} [protocol [vlan vlan] [cos value]]}
Reference "Catalyst 6500 Series Cisco IOS Command Reference, 12.2SX" (http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_command_reference_book09186a0080160cd0.html) page 2-357.
01-17-2006 08:16 AM
yes, perfect!! Thank you!!!!
01-20-2006 01:13 PM
I was looking for something similar: how to block access from unknown MAC addresses on a switch. Problem is that the clients are laptops that can move between ports on the switch. The above 'mac acl' seems to be for non-IP traffic only.
'Switchport port-security' seems to limit a mac address to a certain port, so moving to another port will result in a violation.
Any thoughts on a solution?
01-20-2006 01:38 PM
Hello,
not sure about unknown MAC addresses, but if you have an unused port on your switch, you could blackhole traffic for a specific MAC address:
mac-address-table static 0020.1223.e3f4 interface GigabitEthernet0/2
Since static entries take precedence over dynamic entries, all traffic for that MAC address will effectively be dropped.
Regards,
GP