01-31-2012 06:46 AM - edited 03-07-2019 04:39 AM
On a Catalyst 3560 switch, I am trying to filter incoming IP traffic by MAC address. I have an interface filter set up to deny packets from a specific host with any destination, but the filter does nothing and still permits packets from this host.
!
mac access-list extended mac3
deny host 0200.0001.2120 any
!
Is this even possible? Is there another way I should be implementing this that will work? Thanks for any help!
01-31-2012 07:22 PM
If you are trying to block a specific host, use the IP address to block it.
HTH
01-31-2012 08:51 PM
I think you should bind the ACL to the incoming interface.
Or try using it with VLAN access maps.
02-01-2012 03:50 AM
Hi,
As far as I know, it won't work this way because MAC ACLs only match non-IP traffic.
Maybe you should try an MQC approach by classifying with source MAC and do a drop policy for that class.
Regards.
Alain.
02-01-2012 05:14 AM
Hi
You can try configuring MAC Address-Based Traffic blocking with this command:
Switch(config)#mac-address-table static mac_address vlan vlan_id drop
This will block all traffic to or from the configured MAC address in the specified VLAN.
HTH
06-12-2020 11:47 AM
02-02-2012 06:53 AM
After some reading, it looks like this should work. But my switch (3560) and IOS version (12.2-55) don't support a class map match destination-address mac command. The only way to match it is through an ACL, which as you said, will not work.
02-01-2012 05:45 AM
Thanks for the suggestions everyone. I have already tried binding the MAC ACL to an interface, and to a VLAN, but to no avail. Today I will attempt to try the suggestions by HTH and use a static mac address-table entry to drop specific packets.
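Added example (not part of the original thread, and not Cisco tooling): a small Python check that reads a running-config, finds host denies in MAC ACLs bound with `mac access-group ... in` (which, per the reply above, only affect non-IP frames on this platform), and emits the static MAC drop entries suggested in the thread. The sample config, the interface names, the VLAN numbers and the function name `audit_mac_acls` are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the thread): the thread's mac3 ACL
# bound to an access port. Interface names and VLAN numbers are assumptions.
SAMPLE_CONFIG = """\
mac access-list extended mac3
 deny   host 0200.0001.2120 any
!
interface FastEthernet0/5
 switchport access vlan 10
 mac access-group mac3 in
!
interface FastEthernet0/6
 switchport access vlan 20
"""

def audit_mac_acls(config):
    """Return (findings, commands) for MAC ACL host denies bound to interfaces."""
    denies, bindings, vlan = {}, [], {}  # ACL -> source MACs; (intf, ACL); intf -> VLAN
    acl = intf = None
    for line in config.splitlines():
        s = line.strip()
        if not line.startswith(" "):     # a top-level line ends the previous stanza
            acl = intf = None
        if m := re.match(r"mac access-list extended (\S+)", s):
            acl = m.group(1)
            denies[acl] = []
        elif m := re.match(r"interface (\S+)", s):
            intf = m.group(1)
            vlan[intf] = 1               # access ports default to VLAN 1
        elif acl and (m := re.match(r"deny\s+host ([0-9a-fA-F.]+) any$", s)):
            denies[acl].append(m.group(1).lower())
        elif intf and (m := re.match(r"switchport access vlan (\d+)", s)):
            vlan[intf] = int(m.group(1))
        elif intf and (m := re.match(r"mac access-group (\S+) in", s)):
            bindings.append((intf, m.group(1)))
    findings, commands = [], []
    for intf, name in bindings:
        for mac in denies.get(name, []):
            findings.append(f"{intf}: ACL {name} denies {mac} for non-IP frames only")
            cmd = f"mac-address-table static {mac} vlan {vlan[intf]} drop"
            if cmd not in commands:      # one drop entry per MAC/VLAN pair
                commands.append(cmd)
    return findings, commands

if __name__ == "__main__":
    for item in sum(audit_mac_acls(SAMPLE_CONFIG), []):
        print(item)
```

The emitted command uses the spelling given in the reply above; as that reply notes, a drop entry blocks traffic both to and from the MAC address in that VLAN, which is broader than an inbound ACL.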