I have the following scenario
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and thats it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports but with 4500's you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did
mac access-list extended BLAH
permit host 0000.XXXX.YYYY any
interface range fa 2/5 - 20
mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices. Are we missing something here?