Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1591
Views
0
Helpful
3
Replies

Filter IP traffic by MAC address on Catalyst 4500

and-anders
Level 1
Level 1

‎12-20-2012 04:26 AM - edited ‎03-07-2019 10:42 AM

We want to filter IP traffic by MAC address on Catalyst 4500. Since we are using bonding (active-backup mode) we need those mac addresses appear on different ports. Below are solutions that we have tried:

  1. ACL but it does not      work since mac acls only match non ip traffic (We CAN NOT use ip acl).

  1. Use a static mac      address-table entry to ALLOW specific mac addresses. It does not work      either since the same MAC address needs to be seen on a different port.
    Catalyst 4500 does not support auto-learn option (as e.g. Nexus 5000).

Please give us a hint how to proceed!

1 person had this problem
Labels:
0 Helpful
3 Replies 3

Peter Paluch
Cisco Employee
Cisco Employee

‎12-23-2012 03:09 PM

Hello,

I am afraid that neither of these solutions will work for you, for reasons you have very nicely explained yourself.

In my opinion, the only viable solution is to use IP Source Guard that makes sure that only communication with approved IP/MAC binding will be permitted. Are you familiar with the IP Source Guard? In order to do this flexibly, you will need to assign the addresses to your stations via DHCP (you can always configure DHCP to assign fixed IP addresses to predefined MAC addresses) and run DHCP Snooping plus the IP Source Guard. Apart from this, I am not sure if there is any other technique you could use.

Read more here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/dhcp.html

Best regards,

Peter

0 Helpful

and-anders
Level 1
Level 1
In response to Peter Paluch

‎01-10-2013 01:55 AM

Hi Peter,

Thank you for your response.

Unfortunaly we can not use DHCP either ;-). We are using static IP addresses.

Any other suggestion?

Best regards,

Anders

0 Helpful

Peter Paluch
Cisco Employee
Cisco Employee
In response to and-anders

‎01-10-2013 06:54 AM

Hello Anders,

The same guide I've posted earlier shows that the IP Source Guard can be configured with static IP-to-MAC mappings so you don't need the DHCP and the DHCP Snooping. Perhaps this could be a solution for you...?

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/dhcp.html#wp1146308

Best regards,

Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card