MAC Access-list extended to only allow Gateway traffic

duane.larson
Level 1

I have the following scenario

We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and that's it.  The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.

Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports, but with 4500s you are not able to do that command.  So we implemented a MAC Access-List Extended ACL.  Here is what we did:

mac access-list extended BLAH
 permit host 0000.XXXX.YYYY any
!
interface range fa 2/5 - 20
 mac access-group BLAH out

The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20.  We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening.  The TUT devices are learning about MAC addresses that are on other TUT devices.  Are we missing something here?

1 Reply

cadet alain
VIP Alumni

Hi,

If you're applying a Port ACL to a L2 port then it can only be applied inbound, and a MAC ACL will only filter non-IP traffic.

I think you should either do a VACL with the mac access-list you configured, or configure PVLAN, putting the port to the gateway as promiscuous and the other ports where your devices are connected as isolated ports. You'll also have to put your switch into VTP transparent mode to support this feature.

Here is a link for PVLAN: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/18ew/configuration/guide/pvlans.html

And another one for VACL: http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/18ew/configuration/guide/secure.html#wp1051696

Regards.

Alain

Don't forget to rate helpful posts.
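The PVLAN layout the reply recommends, written out as an added example (not configuration from either poster or from the linked Cisco guides). It assumes the port numbers from the question (gateway on Fa2/1, TUT DSL devices on Fa2/5-20) and uses made-up VLAN IDs 100 (primary) and 101 (isolated secondary); adjust both to fit the real VLAN plan. Isolated host ports can reach only promiscuous ports, so each DSL device sees the gateway and nothing else on the switch, which is the behaviour the MAC port ACL could not deliver because a port ACL on a L2 port is inbound-only and a MAC ACL ignores IP frames.

```cisco
! Added example, not from the original thread. VLAN IDs 100/101 are assumed.
! PVLANs require VTP transparent mode on the Catalyst 4500.
vtp mode transparent
!
! Primary VLAN: carries traffic to/from the promiscuous (gateway) port.
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN: hosts in it cannot exchange frames with each other.
vlan 101
 private-vlan isolated
!
! Gateway port: promiscuous, so it can talk to every host in the isolated VLAN.
interface FastEthernet2/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! DSL device ports: isolated hosts, reachable only via the promiscuous port.
interface range FastEthernet2/5 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

To confirm the association took, check `show vlan private-vlan` (primary 100 should list secondary 101 as isolated with the ports above) and `show interfaces FastEthernet2/5 switchport`, which should report the operational mode as private-vlan host. After the change, the MAC table on a TUT port should no longer learn the addresses of the other TUT ports, which was the symptom in the question; if it still does, the ports did not come up as isolated hosts and the VTP mode or the association is the first thing to recheck.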