cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

1584
Views
0
Helpful
4
Replies
Beginner

Block all traffic based on OUI

It seems that mac-filtering and PACL's is rather straight forward but its not working on my L2 interface. Port-security works but this is not useful when trying to filter based on OUI.

What am I doing wrong in my config?

Linux box:

Obviously on the same subnet since it has an arp entry, you can also see that it is on a different port since my target box is the only MAC on g1/42.

:arp -an | grep 65.182.XYZ.38

? (65.182.XYZ.38) at 00:11:11:12:1d:62 [ether] on eth0

4948 Switch:

4948-TOP-PRI#sho mac- int g1/42   

Unicast Entries

vlan   mac address     type        protocols               port

-------+---------------+--------+---------------------+--------------------

224    0011.1112.1d62   dynamic ip                    GigabitEthernet1/42  

interface GigabitEthernet1/42

description WATSON-PUBLIC

switchport access vlan 224

switchport mode access

logging event link-status

load-interval 30

mac access-group WATSON in

mac access-group WATSON out

spanning-tree portfast

!

interface Vlan224

description Backbone-Subnet

no ip address

shutdown

end

FAILS to block pings:

mac access-list extended WATSON

permit 0012.1100.0000 0000.00ff.ffff any

FAILS to block pings:

mac access-list extended WATSON

deny 0011.1100.0000 0000.00ff.ffff any

FAILS to block pings:

mac access-list extended WATSON

deny any any

!

I may implement this on the VLAN eventually but in simple testing I haven't discovered why this doesn't work on the port level. Ultimately I want to allow this box and deny everything else but I'm testing it by trying to block it first. This is what I should use if the port level mac access-list is working.

mac access-list extended WATSON

permit 0011.1100.0000 0000.00ff.ffff any

4 REPLIES 4
Advisor

Block all traffic based on OUI

Hi,

MAC ACL applied on a port will not work for IP traffic you'll have to use a VACL instead.

Regards.

Alain

Don't forget to rate helpful posts.
Hall of Fame Cisco Employee

Block all traffic based on OUI

Hello Alain,

Sadly, not even VLAN maps (VACLs) will allow filtering IP traffic based on MAC ACLs. The documentation at

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1069162

puts it quite directly:

Access of all non-IP protocols is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not controlled by MAC ACLs in VLAN maps.)

To be completely honest, I do not know of any way of filtering IP traffic using MAC ACLs on current Catalysts.

Best regards,

Peter

Advisor

Block all traffic based on OUI

Hi Peter,

thanks for correcting me, haven't been using VACLs a lot lately and I thought it could work.

Regards.

Alain

Don't forget to rate helpful posts.
Beginner

Block all traffic based on OUI

Port security works but I can't use a wildcard mask to filter based on OUI.

What solutions are available to me if mac filtering and VACL's are not applicable?

CreatePlease to create content
Content for Community-Ad