Filtering on 2960 by MAC

dohogue
Level 1

I would like verification that this should work.

I only want a certain host to be able to have network access via port Fast0/22 on my 2960 switch. The device is IP, but I want to limit it by MAC address, not IP address. Will these commands accomplish my goal? It is not clear in the Cisco documentation that a MAC ACL will work for IP traffic. Here is what I am doing.

Extended MAC access list VC
    permit host xxxx.xxxx.xxxx any

I would then apply this to interface Fast0/22 inbound, since a MAC ACL is only supported for incoming traffic.

Thank you for your help.

11 Replies

joereid44
Level 1

Or you could just set the port security to tie it to one MAC address.

That sounds like it may be the easiest. Any idea how that is configured, or where to look for configuration examples? Something like that was my original thought, but I could find nothing on it.
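The port-security approach joereid44 suggests, written out as an added example for this thread; it is not configuration posted by anyone here. It assumes the permitted host's MAC address is 0000.1111.2222 (a placeholder) and that Fast0/22 is an access port. Only that one MAC may source frames on the port; frames from any other source MAC are dropped and counted as violations instead of being learned into the MAC address table.

```cisco
! Added example, not from any poster in the thread.
! Restrict FastEthernet0/22 to a single source MAC with port security.
! 0000.1111.2222 is a placeholder; substitute the real host address.
configure terminal
interface FastEthernet0/22
 description Single-host port, MAC restricted by port security
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation restrict
 exit
! Only needed if you choose "violation shutdown" instead of "restrict":
! recover an err-disabled port automatically after 5 minutes.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
end
! Verification: secure MAC, violation count, port status, learned addresses.
show port-security interface FastEthernet0/22
show port-security address
show mac address-table interface FastEthernet0/22
```

The `switchport mode access` line must come first: the switch rejects `switchport port-security` on a port that is still in dynamic (DTP) mode. `violation restrict` drops offending frames and increments the violation counter while the port stays up; `violation shutdown` err-disables the port instead, which is why the optional errdisable recovery lines are there. If you would rather not type the address, `switchport port-security mac-address sticky` learns the first MAC seen and writes it into the running config. Note that port security is an allow-list: it fits the original goal of admitting exactly one host, but it cannot deny one chosen MAC while admitting everything else.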

Ganesh Hariharan
VIP Alumni

Hi,

A MAC ACL, also known as an Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL.

Check out the example below; hope that helps.

Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#

If helpful do rate the post

Ganesh.H

amk316316
Level 1

Hi Ganesh.H,

It did not work.

c.walsh
Level 3

Mac address filtering does not work if the traffic is IP based.

It only works for non-IP based traffic.

If this helps, please rate my post!

Colin

On a layer 2 switch, MAC ACL will work regardless of the packet type.

We tried this yesterday on a 2960, a 3560 and a 3750, and it does not work.

The answer was provided by Cisco TAC: the MAC ACLs only work for non-IP traffic.

This surprised us also.

Colin

Right. Thank you for correcting me.

Technically you are correct, because the 3560 and 3750 switches were L3 devices.

However, the 2960-S series switch did not work, and the TAC engineer pointed out that the config guide mentions that L2 MAC address ACLs only work with non-IP traffic.

Cheers

Colin

Anyway, is there some mechanism (I mean, on 3550/3560/3750 switches, and on the 2960 also) to block _all_ incoming traffic from a client on an L2 port of a switch, based on the client host's source MAC address? The goal is: the client's source MAC address should _not_ come from a specified interface into the mac-address-table.

I specifically mention that the filtering should occur on a port, not in the whole VLAN (I know about VLAN maps and mac-address-table static H.H.H vlan XXX drop).

Thanks!

Regards, Alex

DAO21-RIPE