02-17-2010 06:56 AM - edited 03-04-2019 07:31 AM
I would like verification that this should work.
I only want a certain host to be able to have network access via port Fast0/22 on my 2960 switch. The device is IP but I want to limit it via MAC address not IP address. Will these commands work to accomplish my goal? It is not clear, in the Cisco documentation, that a MAC ACL will work regarding IP traffic. Here is what I am doing.
mac access-list extended VC
 permit host xxxx.xxxx.xxxx any
I would then apply this to interface Fast0/22 inbound, since MAC ACLs are only supported for incoming traffic.
Thank you for your help.
02-17-2010 07:00 AM
Or you could just set the port security to tie it to one MAC address.
02-17-2010 07:21 AM
That sounds like it may be the easiest. Any idea how that is configured or where to look for the configuration examples? Something like that was my original thought, but I could find nothing on it.
02-17-2010 07:51 AM
Try this link...
Please rate any posts that help.
Mike
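A worked port-security configuration for the scenario in the original post, added here as an example; it is not part of any post in this thread and is not the content of the link Mike referred to. It assumes the allowed device's MAC address is 0011.2233.4455 (a placeholder) and that Fast0/22 is an access port with nothing (hub, IP phone) sitting between the switch and the host. Port security acts on the source MAC of every frame, so whether the host's traffic is IP or not does not matter, which is the property the original poster was after.

```ios
! Lock FastEthernet0/22 to a single, statically configured MAC address.
! Frames from any other source MAC on this port are dropped regardless of
! the upper-layer protocol (IP or non-IP).
interface FastEthernet0/22
 description Locked to the VC device (port security)
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! Placeholder MAC; replace with the real host address.
 switchport port-security mac-address 0011.2233.4455
 ! "restrict" drops offending frames and counts/logs the violation while
 ! keeping the port up. The default, "shutdown", err-disables the port.
 switchport port-security violation restrict
!
! Optional, only relevant if you keep violation mode "shutdown": let the
! switch bring an err-disabled port back after 300 seconds.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification from privileged EXEC (not configuration commands):
!   show port-security interface FastEthernet0/22
!     -> Port Security: Enabled, Maximum MAC Addresses: 1,
!        Configured MAC Addresses: 1, Violation Mode: Restrict,
!        and a Security Violation Count that should stay at 0 for the
!        legitimate host and increment when another MAC is plugged in.
!   show port-security address
!     -> lists 0011.2233.4455 as SecureConfigured on Fa0/22.
!   show port-security
!     -> summary of all secured ports and their violation counters.
```

If you would rather not type the MAC, `switchport port-security mac-address sticky` learns the first address seen on the port and writes it into the running configuration as a sticky entry; you then have to save the configuration or the learned address is lost on reload. Two caveats a practitioner should keep in mind: port security only checks the source MAC, so a device that spoofs the allowed address still gets through, and with `maximum 1` any intermediate device that introduces a second source MAC (a phone with a PC behind it, a small hub) will trip a violation.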
02-17-2010 11:28 AM
Hi,
MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL.
Check out the below example, hope that helps.
Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#
If helpful do rate the post
Ganesh.H
03-07-2010 12:16 AM
Hi Ganesh.H,
It did not work.
03-24-2010 06:10 AM
Mac address filtering does not work if the traffic is IP based.
It only works for non-IP based traffic.
If this helps, please rate my post!
Colin
03-24-2010 06:33 AM
On a layer 2 switch, MAC ACL will work regardless of the packet type.
03-24-2010 06:38 AM
We tried this yesterday on a 2960, 3560 & a 3750 & it does not work.
The answer was provided by Cisco TAC, that the MAC ACLs only work for non-IP traffic.
This surprised us also.
Colin
03-24-2010 07:00 AM
Right. Thank you for correcting me.
03-24-2010 07:13 AM
Technically you are correct, because the 3560 & 3750 switches were L3 devices.
However, the 2960 S series switch did not work, and the TAC engineer pointed out that the config guide mentions that L2 MAC address ACLs only work with non-IP traffic.
Cheers
Colin
06-30-2010 01:05 AM
Anyway, is there some mechanism (I mean, on 3550/3560/3750 switches and 2960 also) to block _all_ incoming traffic from a client on an L2 port of a switch, based on the client host's source MAC address? The goal is: the client's source MAC address should _not_ get into the mac-address-table from a specified interface.
I specifically mention that the filtering should occur on a port, not in the whole VLAN (I know about VLAN maps and mac-address-table static H.H.H vlan XXX drop).
Thanks!
Regards, Alex