Block all traffic based on OUI

jradke (Level 1)

It seems that MAC filtering and PACLs are rather straightforward, but it's not working on my L2 interface. Port security works, but this is not useful when trying to filter based on OUI.

What am I doing wrong in my config?

Linux box:

Obviously it's on the same subnet since it has an ARP entry; you can also see that it is on a different port, since my target box is the only MAC on g1/42.

$ arp -an | grep 65.182.XYZ.38
? (65.182.XYZ.38) at 00:11:11:12:1d:62 [ether] on eth0

4948 Switch:

4948-TOP-PRI#sho mac- int g1/42
Unicast Entries
 vlan   mac address       type      protocols   port
-------+-----------------+---------+-----------+--------------------
 224    0011.1112.1d62    dynamic   ip          GigabitEthernet1/42

interface GigabitEthernet1/42
 description WATSON-PUBLIC
 switchport access vlan 224
 switchport mode access
 logging event link-status
 load-interval 30
 mac access-group WATSON in
 mac access-group WATSON out
 spanning-tree portfast
!
interface Vlan224
 description Backbone-Subnet
 no ip address
 shutdown
end

FAILS to block pings:

mac access-list extended WATSON
 permit 0012.1100.0000 0000.00ff.ffff any

FAILS to block pings:

mac access-list extended WATSON
 deny 0011.1100.0000 0000.00ff.ffff any

FAILS to block pings:

mac access-list extended WATSON
 deny any any
!

I may implement this on the VLAN eventually, but in simple testing I haven't discovered why this doesn't work at the port level. Ultimately I want to allow this box and deny everything else, but I'm testing it by trying to block it first. This is what I should use if the port-level mac access-list is working:

mac access-list extended WATSON
 permit 0011.1100.0000 0000.00ff.ffff any
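As an added example (not code from the original post), the following Python script implements the matching arithmetic behind a Cisco `mac access-list extended` entry: a wildcard-mask bit of 1 means "don't care", 0 means "must match", the first matching entry wins, and an ACL with no match ends in an implicit deny. It evaluates the three ACLs tested above against the host MAC from the `mac-address-table` output, and `switch_verdict` models the platform behaviour quoted later in this thread (on the Catalyst 4500 a MAC ACL is not consulted for IP frames), which is why all three tests still passed ICMP. The function names, the `Ace` class, and the assumption that only Ethertype 0x0800 counts as "IP" are this example's own, not the switch's.

```python
"""Cisco 'mac access-list extended' matching, as an added example (not from the original post).

Wildcard-mask semantics: a mask bit of 1 means "don't care", 0 means "must match",
and an ACL with no matching entry ends in an implicit deny. switch_verdict() models
the behaviour quoted in the thread: on the Catalyst 4500 a MAC ACL (PACL or VACL)
is not consulted for IP frames, so the ping tests pass regardless of the MAC ACL.
"""
from dataclasses import dataclass

MAC_BITS = 0xFFFFFFFFFFFF          # 48-bit address mask
ETHERTYPE_IPV4 = 0x0800            # what the ping tests on the page actually sent
ETHERTYPE_ARP = 0x0806             # non-IP: subject to the MAC ACL


def parse_mac(text: str) -> int:
    """Accept Cisco dotted ('0011.1112.1d62') or colon ('00:11:11:12:1d:62') form."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {text!r}")
    return int(digits, 16)


def dotted(mac: int) -> str:
    """Render a 48-bit value in Cisco dotted-hex form."""
    h = f"{mac & MAC_BITS:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass(frozen=True)
class Ace:
    action: str        # "permit" or "deny"
    src: int           # source address bits that must match
    src_wild: int      # 1 bits are ignored (Cisco wildcard semantics)


def parse_ace(line: str) -> Ace:
    """Parse one entry of the form used on the page: 'permit|deny <src> [<wild>] any'.

    Only the 'any' destination is supported, which is all the thread uses.
    """
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"unsupported ACE: {line!r}")
    action = tokens[0]
    if tokens[1] == "any":
        src, wild, rest = 0, MAC_BITS, tokens[2:]
    elif tokens[1] == "host":
        src, wild, rest = parse_mac(tokens[2]), 0, tokens[3:]
    else:
        src, wild, rest = parse_mac(tokens[1]), parse_mac(tokens[2]), tokens[3:]
    if rest != ["any"]:
        raise ValueError(f"only an 'any' destination is supported: {line!r}")
    return Ace(action, src, wild)


def ace_matches(ace: Ace, mac: int) -> bool:
    """True when every bit the wildcard marks as significant (0) is equal."""
    return ((mac ^ ace.src) & ~ace.src_wild & MAC_BITS) == 0


def evaluate_acl(acl: list[str], mac: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    value = parse_mac(mac)
    for line in acl:
        ace = parse_ace(line)
        if ace_matches(ace, value):
            return ace.action
    return "deny"


def oui_ace(action: str, oui: str) -> str:
    """Build the OUI entry used on the page: fix the top 24 bits, ignore the low 24."""
    prefix = parse_mac(oui + "000000")      # raises if the OUI is not 3 bytes
    return f"{action} {dotted(prefix)} {dotted(0x000000FFFFFF)} any"


def switch_verdict(acl: list[str], mac: str, ethertype: int) -> str:
    """Model the Catalyst 4500 behaviour the thread quotes: IP frames bypass MAC ACLs.

    Assumption of this example: only IPv4 (0x0800) is treated as 'IP'; the thread
    does not say how other Ethertypes are classified.
    """
    if ethertype == ETHERTYPE_IPV4:
        return "permit"                     # MAC ACL not consulted for IP traffic
    return evaluate_acl(acl, mac)


if __name__ == "__main__":
    host = "0011.1112.1d62"                 # MAC from the mac-address-table output above
    for acl in (["permit 0012.1100.0000 0000.00ff.ffff any"],
                ["deny 0011.1100.0000 0000.00ff.ffff any"],
                ["deny any any"]):
        print(acl, "-> ACL:", evaluate_acl(acl, host),
              "| ICMP (IPv4):", switch_verdict(acl, host, ETHERTYPE_IPV4),
              "| ARP:", switch_verdict(acl, host, ETHERTYPE_ARP))
    print("allow-only-this-OUI entry:", oui_ace("permit", "00:11:11"))
```

Run it as-is: each of the three ACLs from the post evaluates to "deny" for 0011.1112.1d62 (the first via the implicit deny, since 0012.11 is not that host's OUI), yet `switch_verdict` returns "permit" for IPv4 in every case, while an ARP frame from the same host would be dropped by the same ACL.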

4 Replies

cadet alain (VIP Alumni)

Hi,

A MAC ACL applied on a port will not work for IP traffic; you'll have to use a VACL instead.

Regards.

Alain

Don't forget to rate helpful posts.

Hello Alain,

Sadly, not even VLAN maps (VACLs) will allow filtering IP traffic based on MAC ACLs. The documentation at

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1069162

puts it quite directly:

Access of all non-IP protocols is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not controlled by MAC ACLs in VLAN maps.)

To be completely honest, I do not know of any way of filtering IP traffic using MAC ACLs on current Catalysts.

Best regards,

Peter

Hi Peter,

Thanks for correcting me; I haven't been using VACLs a lot lately and I thought it could work.

Regards.

Alain

Don't forget to rate helpful posts.

Port security works, but I can't use a wildcard mask to filter based on OUI.

What solutions are available to me if MAC filtering and VACLs are not applicable?
