How to block a certain range of MAC addresses

imjangulashvili
Level 1

Hello, we have 4507 and 4510 switches. Our goal is to block some IP traffic using a certain group of MAC addresses (from 0000.1111.2222 to 0000.FFFF.FFFF, for example).

MAC addresses can't be statically assigned to certain ports, so port security is useless in our situation.

When I create a MAC access list and apply a deny statement like this:

Cisco(config-ext-macl)#deny 0000.1111.2222 0000.FFFF.FFFF any 0X800
% EtherType matching using MAC ACLs is not supported for IPv4, IPv6, ARP, and RARP packets on this platform

then this error occurs.

So, what's the solution? How can I block IP traffic based on a certain range of MAC addresses on the Catalyst 4500 platform?

2 Replies

ahmed.gadi
Level 1

I had almost the same issue (Cisco 6500); you can try this.

All our user subnet PCs were sending packets to an IPv6 multicast MAC address, causing the CPU to reach 99%. I use this command to drop all the packets destined to the IPv6 multicast MAC address:

mac-address-table static 3333.FF79.8806 vlan 2 drop

Thanks & Regards

Ahmed...

Thanks for the reply, but that configuration doesn't resolve my problem.

I have many different source and destination MAC addresses; I can't write them all. I also have many VLANs on that device, so one MAC address can drop in different VLANs at different times.

The only thing I know is the MAC address range. For example, I want to block all MAC addresses which begin with 0011.22XX.XXXX
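
The `deny` line in the question gives an address followed by a mask. As an added illustration (not part of the thread and not Cisco code), the Python below tests a MAC against an address/mask pair and splits an inclusive MAC range into the aligned pairs that cover it exactly. It assumes the mask is a wildcard whose set bits are ignored, the function names are hypothetical, and it covers only the address arithmetic, not the EtherType restriction in the error message.

```python
MASK48 = (1 << 48) - 1

def mac_to_int(mac):
    """Parse a MAC in dotted, colon or hyphen notation into a 48-bit integer."""
    digits = "".join(ch for ch in mac if ch not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)

def int_to_mac(value):
    """Format a 48-bit integer in the dotted style used in the thread."""
    text = f"{value & MASK48:012x}"
    return ".".join(text[i:i + 4] for i in (0, 4, 8))

def acl_matches(mac, address, wildcard):
    """Assumption: bits set in the wildcard are ignored when comparing."""
    care = ~mac_to_int(wildcard) & MASK48
    return (mac_to_int(mac) & care) == (mac_to_int(address) & care)

def range_to_entries(first, last):
    """Cover first..last (inclusive) with the fewest address/wildcard pairs."""
    lo, hi = mac_to_int(first), mac_to_int(last)
    if lo > hi:
        raise ValueError("first address is above last address")
    entries = []
    while lo <= hi:
        size = (lo & -lo) or (1 << 48)   # largest block aligned at lo
        while size > hi - lo + 1:        # shrink until it fits in the range
            size >>= 1
        entries.append((int_to_mac(lo), int_to_mac(size - 1)))
        lo += size
    return entries

if __name__ == "__main__":
    # Constructed inputs taken from the addresses quoted in the thread.
    print(range_to_entries("0011.2200.0000", "0011.22ff.ffff"))
    pairs = range_to_entries("0000.1111.2222", "0000.ffff.ffff")
    print(len(pairs), "pairs; first", pairs[0], "last", pairs[-1])
    # The pair from the question matches an address below 0000.1111.2222.
    print(acl_matches("0000.0000.0001", "0000.1111.2222", "0000.ffff.ffff"))
```

Under the wildcard assumption, a prefix such as 0011.22XX.XXXX collapses to a single pair, while a range that starts on an unaligned address needs one pair per aligned block.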
