01-31-2012 06:46 AM - edited 03-07-2019 04:39 AM
On a Catalyst 3560 switch, I am trying to filter incoming IP traffic by MAC address. I have an interface filter set up to deny packets from a specific host with any destination, but the filter does nothing and still permits packets from this host.
!
mac access-list extended mac3
deny host 0200.0001.2120 any
!
Is this even possible? Is there another way I should be implementing this that will work? Thanks for any help!
01-31-2012 07:22 PM
If you are trying to block a specific host, use the IP address to block it.
HTH
01-31-2012 08:51 PM
I think you should bind the ACL to the incoming interface.
Or try using it with VLAN access maps.
02-01-2012 03:50 AM
Hi,
As far as I know, it won't work this way because MAC ACLs only match non-IP traffic.
Maybe you should try an MQC approach by classifying with source MAC and doing a drop policy for that class.
Regards.
Alain.
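Added example, not part of any post in this thread: a small Python audit that reads an IOS-style configuration, finds MAC ACL `deny host ... any` entries bound inbound to a port, and reports them as not filtering IP traffic (relying on the statement in the reply above), along with whether a static MAC drop entry exists for the same address. The function name `audit`, the interface name, VLAN 10 and the `mac access-group mac3 in` binding line are assumptions made for the sample.

```python
import re

# Constructed sample config (not from the thread): the poster's MAC ACL bound
# inbound to a port, plus a static drop entry for the same MAC address.
SAMPLE_CONFIG = """\
mac access-list extended mac3
 deny host 0200.0001.2120 any
!
interface FastEthernet0/1
 switchport access vlan 10
 mac access-group mac3 in
!
mac address-table static 0200.0001.2120 vlan 10 drop
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def audit(config):
    """Return (findings, static_drops) for an IOS-style config string."""
    acls, bindings, drops = {}, [], []
    acl = iface = None
    for raw in config.splitlines():
        line, indented = raw.strip(), raw[:1].isspace()
        match = lambda pat: re.match(pat, line, re.I)
        if not indented:
            acl = iface = None  # any top-level line ends the current sub-mode
        if m := match(r"mac access-list extended (\S+)"):
            acl = m.group(1)
            acls[acl] = []
        elif m := match(r"interface (\S+)"):
            iface = m.group(1)
        elif m := match(rf"mac[- ]address-table static ({MAC}) vlan (\d+) drop"):
            drops.append((m.group(1).lower(), int(m.group(2))))
        elif indented and acl and (m := match(rf"deny host ({MAC}) any$")):
            acls[acl].append(m.group(1).lower())
        elif indented and iface and (m := match(r"mac access-group (\S+) in")):
            bindings.append((iface, m.group(1)))
    findings = []
    for port, name in bindings:
        for mac in acls.get(name, []):
            findings.append({
                "interface": port, "acl": name, "mac": mac,
                # Per the reply above: a MAC ACL only matches non-IP traffic.
                "ip_traffic_filtered": False,
                # MAC-only comparison; the VLAN of the drop entry is not checked.
                "static_drop_present": any(d[0] == mac for d in drops),
            })
    return findings, drops
```
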
02-01-2012 05:14 AM
Hi
You can try configuring MAC address-based traffic blocking with this command:
Switch(config)#mac-address-table static mac_address vlan vlan_id drop
This will block all traffic to or from the configured MAC address in the specified VLAN.
HTH
06-12-2020 11:47 AM
02-02-2012 06:53 AM
After some reading, it looks like this should work. But my switch (3560) and IOS version (12.2-55) don't support a class map match destination-address mac command. The only way to match it is through an ACL, which, as you said, will not work.
02-01-2012 05:45 AM
Thanks for the suggestions everyone. I have already tried binding the MAC ACL to an interface, and to a VLAN, but to no avail. Today I will attempt to try the suggestions by HTH and use a static mac address-table entry to drop specific packets.