Beginner

Filtering on 2960 by MAC

I would like verification that this should work.

I only want a certain host to be able to have network access via port Fast0/22 on my 2960 switch. The device is IP but I want to limit it via MAC address not IP address. Will these commands work to accomplish my goal? It is not clear, in the Cisco documentation, that a MAC ACL will work regarding IP traffic. Here is what I am doing.

Extended MAC access list VC
    permit host xxxx.xxxx.xxxx any

I would then apply this to the interface Fast0/22 in, since MAC ACL is only supported for incoming

Thank you for your help.

Beginner

Re: Filtering on 2960 by MAC

Or you could just set the port security to tie it to one MAC address.

Beginner

Re: Filtering on 2960 by MAC

That sounds like it may be the easiest. Any idea how that is configured or where to look for the configuration examples? Something like that was my original thought but I could find nothing on it.
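
A port-security configuration of the kind suggested above, as an added example that is not part of any post in this thread. The interface and the `xxxx.xxxx.xxxx` placeholder are taken from the question; the `restrict` violation mode is an assumption (the IOS default is `shutdown`, which err-disables the port).

```cisco
! Added example: allow exactly one statically configured MAC on Fa0/22.
! xxxx.xxxx.xxxx is the placeholder from the question; substitute the host's MAC.
configure terminal
interface FastEthernet0/22
 ! Port security is only accepted on a static access (or trunk) port,
 ! not on a port left in dynamic mode.
 switchport mode access
 ! Enable the feature, then cap the secure-address table at one entry.
 switchport port-security
 switchport port-security maximum 1
 ! Pin the single allowed source MAC statically.
 switchport port-security mac-address xxxx.xxxx.xxxx
 ! Assumption: drop frames from any other source MAC and count/log the
 ! violation, instead of the default "shutdown" (err-disable) action.
 switchport port-security violation restrict
end
!
! Verification: port status, violation counter and the secure address entry.
show port-security interface FastEthernet0/22
show port-security address
```

Unlike a MAC ACL, port security checks the source MAC of every frame learned on the port, so it applies to IP traffic as well.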

Collaborator

Re: Filtering on 2960 by MAC

Hi,

MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL.

Check out the below example; hope that helps.

Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#

If helpful do rate the post

Ganesh.H

Beginner

Re: Filtering on 2960 by MAC

hi Ganesh.H

it did not work

Beginner

Re: Filtering on 2960 by MAC

Mac address filtering does not work if the traffic is IP based.

It only works for non-IP based traffic.

If this helps, please rate my post!

Colin

Hall of Fame Master

Re: Filtering on 2960 by MAC

On a layer 2 switch, MAC ACL will work regardless of the packet type.

Beginner

Re: Filtering on 2960 by MAC

We tried this yesterday on a 2960, 3560 & a 3750 & it does not work.

The answer was provided by Cisco TAC, that the MAC ACLs only work for NON IP traffic.

This surprised us also.

Colin

Hall of Fame Master

Re: Filtering on 2960 by MAC

Right. Thank you for correcting me.

Beginner

Re: Filtering on 2960 by MAC

Technically you are correct, because the 3560 & 3750 switches were L3 devices.

However, the 2960 S series switch did not work, and the TAC engineer pointed out that the config guide mentions that L2 MAC address ACLs only work with NON IP traffic.

Cheers

Colin

Re: Filtering on 2960 by MAC

Anyway, is there some mechanism (I mean, on 3550/3560/3750 switches and 2960 also) to block _all_ incoming traffic from a client on an L2 port of a switch, based on the client host's source MAC address? The goal is: the client's source MAC address should _not_ come from a specified interface into the mac-address-table.

I specifically mention that filtering should occur on a port, not in the whole VLAN (I know about vlan-maps and mac-address-table static H.H.H vlan XXX drop).

Thanks!

Regards, Alex

DAO21-RIPE