01-06-2012 02:58 PM - edited 03-07-2019 04:12 AM
It seems that MAC filtering and PACLs is rather straightforward, but it's not working on my L2 interface. Port-security works, but this is not useful when trying to filter based on OUI.
What am I doing wrong in my config?
Linux box:
Obviously on the same subnet since it has an ARP entry; you can also see that it is on a different port, since my target box is the only MAC on g1/42.
$ arp -an | grep 65.182.XYZ.38
? (65.182.XYZ.38) at 00:11:11:12:1d:62 [ether] on eth0
4948 Switch:
4948-TOP-PRI#sho mac- int g1/42
Unicast Entries
vlan mac address type protocols port
-------+---------------+--------+---------------------+--------------------
224 0011.1112.1d62 dynamic ip GigabitEthernet1/42
interface GigabitEthernet1/42
description WATSON-PUBLIC
switchport access vlan 224
switchport mode access
logging event link-status
load-interval 30
mac access-group WATSON in
mac access-group WATSON out
spanning-tree portfast
!
interface Vlan224
description Backbone-Subnet
no ip address
shutdown
end
FAILS to block pings:
mac access-list extended WATSON
permit 0012.1100.0000 0000.00ff.ffff any
FAILS to block pings:
mac access-list extended WATSON
deny 0011.1100.0000 0000.00ff.ffff any
FAILS to block pings:
mac access-list extended WATSON
deny any any
!
I may implement this on the VLAN eventually but in simple testing I haven't discovered why this doesn't work on the port level. Ultimately I want to allow this box and deny everything else but I'm testing it by trying to block it first. This is what I should use if the port level mac access-list is working.
mac access-list extended WATSON
permit 0011.1100.0000 0000.00ff.ffff any
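The three test ACLs above and the intended one, evaluated the way an extended MAC ACL evaluates a source address (wildcard mask: a 0 bit must match, a 1 bit is ignored; first match wins; implicit deny at the end). This is an added example, not code from the thread or from Cisco; it only models source-MAC ACEs with an "any" destination, and the target MAC and ACL strings are copied from the post above.

```python
# Added example: checks what each MAC ACL from the thread *should* do to frames
# from the target host. All four ACLs yield the expected verdict, so the
# failure to block pings is not a mask or syntax mistake in the ACLs themselves.
# Assumption: only 'permit|deny <src> <wildcard> any' and 'deny any any' ACEs.

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space

def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted hex (0011.1112.1d62) or colon form (00:11:11:12:1d:62)."""
    return int(mac.replace(".", "").replace(":", ""), 16)

def ace_matches(ace: str, src_mac: str) -> bool:
    """True if the source address of a frame is covered by this ACE."""
    tokens = ace.split()
    if tokens[1] == "any":
        return True  # 'any' source matches every frame
    src, wildcard, dst = tokens[1], tokens[2], tokens[3]
    if dst != "any":
        raise ValueError("only 'any' destinations are modelled here")
    care = MAC_BITS ^ mac_to_int(wildcard)  # wildcard 0 bits are the bits that must match
    return (mac_to_int(src) & care) == (mac_to_int(src_mac) & care)

def evaluate(acl: list[str], src_mac: str) -> str:
    """First-match semantics with the implicit 'deny any any' at the end."""
    for ace in acl:
        if ace_matches(ace, src_mac):
            return ace.split()[0]
    return "deny"

# Values taken from the thread: the target host and the ACLs that were tested.
TARGET = "0011.1112.1d62"                 # OUI 00:11:11, the only MAC on g1/42
OTHER = "0050.56ab.cdef"                  # constructed MAC with a different OUI
ACLS = {
    "permit other OUI": ["permit 0012.1100.0000 0000.00ff.ffff any"],
    "deny target OUI": ["deny 0011.1100.0000 0000.00ff.ffff any"],
    "deny everything": ["deny any any"],
    "intended allow-list": ["permit 0011.1100.0000 0000.00ff.ffff any"],
}

def expected_verdicts(src_mac: str = TARGET) -> dict:
    """Verdict each ACL gives for frames from src_mac, if the platform applied it."""
    return {name: evaluate(acl, src_mac) for name, acl in ACLS.items()}

if __name__ == "__main__":
    for name, verdict in expected_verdicts().items():
        print(f"{name:22s} -> {verdict}")
```

Run it to confirm the first three ACLs would each deny the target if they were applied to IP traffic, which they are not on a port-level MAC ACL as the replies below explain.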
01-07-2012 05:22 AM
Hi,
A MAC ACL applied on a port will not work for IP traffic; you'll have to use a VACL instead.
Regards.
Alain
01-07-2012 06:44 AM
Hello Alain,
Sadly, not even VLAN maps (VACLs) will allow filtering IP traffic based on MAC ACLs. The documentation at
puts it quite directly:
Access of all non-IP protocols is controlled with a MAC address and an Ethertype using MAC ACLs in VLAN maps. (IP traffic is not controlled by MAC ACLs in VLAN maps.)
To be completely honest, I do not know of any way of filtering IP traffic using MAC ACLs on current Catalysts.
Best regards,
Peter
01-07-2012 06:48 AM
Hi Peter,
Thanks for correcting me; I haven't been using VACLs a lot lately and I thought it could work.
Regards.
Alain
01-09-2012 08:51 AM
Port security works but I can't use a wildcard mask to filter based on OUI.
What solutions are available to me if MAC filtering and VACLs are not applicable?