Hello Alessio,
You have quite an overview! Yes, indeed - the 2960 Catalysts appear to unofficially support VACLs with the most recent IOS versions. I haven't had any more word from Cisco on that but I guess that once they got it running, they're probably not going to throw this functionality away.
Blocking IP traffic based on MAC addresses is generally difficult on recent Catalyst switches. This is because a MAC ACL applies only to non-IP traffic. In other words, you can not use MAC ACL to filter frames that carry IP packets. This is valid for 2960, 3560 and higher switches. Older switches behaved differently, e.g. the 2950 switch was capable of filtering even IP traffic by a MAC ACL. However, because Sharma has a 2960 switch, the MAC ACLs or VACLs are not an option for him to filter IP traffic based on MAC ACLs.
Remember that if you will filter these guys in order to access the internet, possibly the ACL direction should be out:
ip access-group acl_number out
Ummm, this would not work, sadly, because of two reasons:
- You cannot refer to a MAC ACL using the ip access-group command. You need to use the mac access-group instead.
- Low-end Catalysts like 2960 support only the in direction for port ACLs. The out direction is not available
I do not think that the router supports MAC ACLs at all.
In my personal opinion, the correct solution should be:
- Assign all IP addresses from the DHCP server based on clients' MAC addresses (a static binding on the DHCP server making sure that a single MAC address always gets the same IP address)
- On the 2960, use the DHCP Snooping, Dynamic ARP Inspection and IP Source Guard to prevent stations from stealing and/or spoofing their IPs or MAC addresses.
- Perform further filtering based on IP addresses, as the steps above will ensure a 1:1 IP:MAC mapping.
Would this be an acceptable solution for you, Sharma?
Best regards,
Peter
