MAC Access-list extended to only allow Gateway traffic
I have the following scenario:
We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and that's it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.
Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports, but with 4500s you are not able to use that command. So we implemented a MAC Access-List Extended ACL. Here is what we did:
mac access-list extended BLAH
permit host 0000.XXXX.YYYY any
interface range fa 2/5 - 20
mac access-group BLAH out
The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1 and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk only to the Gateway but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices. Are we missing something here?
If you're applying a Port ACL to a L2 port then it can only be applied inbound, and a MAC ACL will only filter non-IP traffic.
I think you should either do a VACL with the mac access-list you configured, or configure PVLAN with putting the port to the gateway as promiscuous and the other ports where your devices are connected as isolated ports. You'll also have to put your switch into VTP transparent mode to support this feature.
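The private-VLAN option described in the answer above, written out as an added example (this is not configuration from the original poster or from the answer): the gateway port Fa2/1 becomes the promiscuous port, the TUT DSL ports Fa2/5-20 become isolated host ports, and the switch is put into VTP transparent mode first. The VLAN numbers 100 (primary) and 101 (isolated) are placeholders chosen for the example; pick ones that fit the real network.

```cisco
! Private VLANs require VTP transparent mode on this platform (per the answer above)
vtp mode transparent
!
! Primary VLAN; the gateway lives here
vlan 100
 private-vlan primary
 private-vlan association 101
!
! Isolated secondary VLAN; hosts in it can reach only promiscuous ports,
! never each other (this is what stops TUT-to-TUT traffic)
vlan 101
 private-vlan isolated
!
! Gateway port: promiscuous, mapped to the isolated VLAN
interface FastEthernet2/1
 description Gateway (promiscuous)
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! TUT DSL device ports: isolated hosts, associated with primary 100 / secondary 101
interface range FastEthernet2/5 - 20
 description Motorola TUT DSL devices (isolated)
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
```

After applying it, `show vlan private-vlan` should list 100 as primary with 101 as its isolated secondary and the ports assigned to each, and `show mac address-table` on the switch will still show the TUT MAC addresses, but the TUT devices themselves will only see the gateway because the isolated VLAN blocks host-to-host forwarding in hardware rather than relying on a MAC ACL that, as noted above, only matches non-IP traffic.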