Filtering IP traffic by MAC address

stuartbyma
Level 1

On a Catalyst 3560 switch, I am trying to filter incoming IP traffic by MAC address. I have an interface filter set up to deny packets from a specific host with any destination, but the filter does nothing and still permits packets from this host.

!
mac access-list extended mac3
 deny host 0200.0001.2120 any
!

Is this even possible? Is there another way I should be implementing this that will work? Thanks for any help!

7 Replies

Reza Sharifi
Hall of Fame

If you are trying to block a specific host, use the IP address to block it.

HTH

arunviswanath
Level 1

I think you should bind the ACL to the incoming interface.

Or try using it with VLAN access maps.

cadet alain
VIP Alumni

Hi,

As far as I know, it won't work this way because MAC ACLs only match non-IP traffic.

Maybe you should try an MQC approach by classifying with source MAC and doing a drop policy for that class.

Regards.

Alain.

Don't forget to rate helpful posts.

Hi

You can try configuring MAC address-based traffic blocking with this command:

    Switch(config)#mac-address-table static mac_address vlan vlan_id drop

This will block all traffic to or from the configured MAC address in the specified VLAN.

HTH
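
An added example, not part of the thread: a small Python helper that turns a list of host MACs into the static drop entries suggested in the post above. The VLAN IDs, the second host and all function names are constructed for illustration; the command spelling is the one from the post and is a parameter, since the thread also writes it as `mac address-table`.

```python
import re

def normalize_mac(mac):
    """Return the MAC in Cisco dotted form (xxxx.xxxx.xxxx) or raise ValueError."""
    digits = re.sub(r"[.:\-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def is_group_address(dotted):
    # I/G bit (lowest bit of the first octet): multicast or broadcast.
    return bool(int(dotted[:2], 16) & 0x01)

def is_locally_administered(dotted):
    # U/L bit (second-lowest bit of the first octet): address set in software.
    return bool(int(dotted[:2], 16) & 0x02)

def drop_entries(hosts, command="mac-address-table static"):
    """hosts: iterable of (mac, vlan). Returns (config_lines, skipped, notes)."""
    lines, skipped, notes, seen = [], [], [], set()
    for mac, vlan in hosts:
        try:
            dotted = normalize_mac(mac)
        except ValueError as exc:
            skipped.append((mac, vlan, str(exc)))
            continue
        if is_group_address(dotted):
            # A drop entry targets one host, so group addresses are left out.
            skipped.append((mac, vlan, "group address, not a single host"))
        elif not 1 <= vlan <= 4094:
            skipped.append((mac, vlan, "VLAN ID outside 1-4094"))
        elif (dotted, vlan) not in seen:  # same host in another notation
            seen.add((dotted, vlan))
            lines.append(f"{command} {dotted} vlan {vlan} drop")
            if is_locally_administered(dotted):
                notes.append(f"{dotted}: locally administered, host can change it")
    return lines, skipped, notes

# Constructed sample: the MAC from the question plus made-up hosts and VLANs.
SAMPLE = [("0200.0001.2120", 10), ("02:00:00:01:21:20", 10),
          ("00-1B-54-AA-BB-CC", 20), ("01-00-5E-00-00-01", 10),
          ("0200.0001.21", 10), ("001b.54aa.bbcc", 5000)]

if __name__ == "__main__":
    config, skipped, notes = drop_entries(SAMPLE)
    print("\n".join(config))
    for item in skipped + notes:
        print("!", item)
```

The address in the question has the locally administered bit set, so the helper flags it: a block keyed on that MAC only holds while the host keeps using it.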

Thanks for the tip.

After some reading, it looks like this should work. But my switch (3560) and IOS version (12.2-55) don't support a class map match destination-address mac command. The only way to match it is through an ACL, which, as you said, will not work.

stuartbyma
Level 1

Thanks for the suggestions everyone. I have already tried binding the MAC ACL to an interface, and to a VLAN, but to no avail. Today I will attempt to try the suggestions by HTH and use a static mac address-table entry to drop specific packets.
