Beginner

Filter IP traffic by MAC address on Catalyst 4500

We want to filter IP traffic by MAC address on Catalyst 4500. Since we are using bonding (active-backup mode), we need those MAC addresses to appear on different ports. Below are the solutions that we have tried:

  1. ACL, but it does not work since MAC ACLs only match non-IP traffic (we CANNOT use an IP ACL).

  2. Use a static mac address-table entry to ALLOW specific MAC addresses. It does not work either since the same MAC address needs to be seen on a different port. Catalyst 4500 does not support the auto-learn option (as e.g. Nexus 5000 does).

Please give us a hint how to proceed!

Hall of Fame Cisco Employee

Hello,

I am afraid that neither of these solutions will work for you, for reasons you have very nicely explained yourself.

In my opinion, the only viable solution is to use IP Source Guard that makes sure that only communication with approved IP/MAC binding will be permitted. Are you familiar with the IP Source Guard? In order to do this flexibly, you will need to assign the addresses to your stations via DHCP (you can always configure DHCP to assign fixed IP addresses to predefined MAC addresses) and run DHCP Snooping plus the IP Source Guard. Apart from this, I am not sure if there is any other technique you could use.

Read more here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/dhcp.html

Best regards,

Peter

Beginner

Hi Peter,

Thank you for your response.

Unfortunately, we cannot use DHCP either ;-). We are using static IP addresses.

Any other suggestion?

Best regards,

Anders

Hall of Fame Cisco Employee

Hello Anders,

The same guide I've posted earlier shows that the IP Source Guard can be configured with static IP-to-MAC mappings so you don't need the DHCP and the DHCP Snooping. Perhaps this could be a solution for you...?

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/dhcp.html#wp1146308

Best regards,

Peter
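
As an added illustration (not from the thread or from Cisco documentation), the Python sketch below models the filtering decision that a static IP-to-MAC binding implies, applied to the active-backup bonding case from the question. The port names, VLAN, addresses and the per-port binding table are assumptions; whether the Catalyst 4500 accepts the same MAC bound on two interfaces is not established in this thread.

```python
# Simplified model of a per-port IP/MAC source filter (illustration only,
# not Cisco's implementation). All addresses and port names are constructed.
from typing import NamedTuple

class Binding(NamedTuple):
    mac: str
    vlan: int
    ip: str
    port: str

class Frame(NamedTuple):
    port: str
    vlan: int
    src_mac: str
    src_ip: str

def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff notation."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def permit(frame: Frame, bindings: list[Binding], check_mac: bool = True) -> bool:
    """Permit only if a binding on the ingress port matches the source IP
    (and the source MAC when check_mac is set); anything else is dropped."""
    for b in bindings:
        if (b.port, b.vlan, b.ip) != (frame.port, frame.vlan, frame.src_ip):
            continue
        if not check_mac or normalize_mac(b.mac) == normalize_mac(frame.src_mac):
            return True
    return False

HOST_MAC, HOST_IP = "0000.5e00.5301", "192.0.2.10"  # constructed values
ONE_PORT = [Binding(HOST_MAC, 10, HOST_IP, "Gi2/1")]
BOTH_PORTS = ONE_PORT + [Binding(HOST_MAC, 10, HOST_IP, "Gi2/2")]

def evaluate(bindings: list[Binding]) -> dict[str, bool]:
    """Run four constructed frames through the filter and report each verdict."""
    frames = {
        "active link": Frame("Gi2/1", 10, "00:00:5e:00:53:01", "192.0.2.10"),
        "after failover": Frame("Gi2/2", 10, "00:00:5e:00:53:01", "192.0.2.10"),
        "spoofed IP": Frame("Gi2/1", 10, "00:00:5e:00:53:01", "192.0.2.99"),
        "spoofed MAC": Frame("Gi2/1", 10, "00:00:5e:00:53:aa", "192.0.2.10"),
    }
    return {name: permit(f, bindings) for name, f in frames.items()}

if __name__ == "__main__":
    print("binding on one port: ", evaluate(ONE_PORT))
    print("binding on both ports:", evaluate(BOTH_PORTS))
```

With a binding on only one bond member port, the model drops the host's own traffic after a failover, which is the same constraint the original question ran into with static MAC address-table entries.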
