Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5592
Views
0
Helpful
4
Replies

MAC Address-Based Traffic Blocking

Go to solution
k.adath2015
Level 1
Level 1

‎06-26-2015 09:36 PM - edited ‎03-08-2019 12:43 AM

Hi,

Since MAC Address-Based Traffic Blocking  does not work with  Multicast address(ipv6mcast) , is there a way to achieve the same in another way.

If it 's not possible  i can do a layer 3 acl  (i am already running a acl based on ipv4 address) 

 if i want to  add ipv6 acl  to the same vlan interface  where  ipv4 acl applied , how can i do that?

Is it ok running both ipv6 and ipv4 acl on the same interface, Does it add any other overhead on the switch 

Thanks

 

 

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to k.adath2015

‎06-27-2015 10:20 AM

Hi,

Actually i was talking  about the command  " mac address-table static 'mac address'  vlan x  drop "

Oh, I see. Well, this is not a filtering in the common sense of the word. Filtering means the use of ACLs that provide you with a certain granularity when choosing what exact traffic you want to permit or deny. Your approach is basically just an indiscriminate blackholing of all traffic destined to the particular MAC address, and this approach would - I presume - work for all frames, regardless of whether they carry IP packets or not.

The reason it does  not work with multicast  because the mcastadd cannot be add to the CAM table . Correct me if  iam wrong ?

I don't think so. Multicast MAC addresses can be added to CAM just like any other addresses, after all, the CAM is the only place that tells the switch how shall frames be delivered so it must be possible to add the multicast addresses there as well. However, it seems that the particular drop action is not supported for multicast MAC addresses, and this may well be a limitation of the hardware. I've just confirmed it on a 3560G - an attempt to tell the switch to drop a particular multicast traffic produced this output:

SW-Dist1(config)#mac address-table static 0100.0203.0405 vlan 1 drop
%Only unicast addresses can be configured to be dropped

Adding the same MAC to a specific port was accepted just fine.

You said  " These switch platforms allow MAC-based filter for non-IP frames "

Yes because I had filtering using ACLs on my mind. You can create a MAC ACL and apply it to an interface; however, that ACL will only apply to frames that carry a payload different than an IPv4 or an IPv6 packet. Some old platforms like Catalyst 2950 applied MAC ACLs to all traffic indiscriminately; however, since 2960 series, MAC ACLs apply to non-IP traffic only. That is what I meant when I wrote that. Your way of creating a static CAM entry is more like blackholing traffic; I would not call it "filtering" traffic, and I didn't originally think of that.

Best regards,
Peter

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee

‎06-26-2015 10:52 PM

Hi,

You have not told us what switch type are you using so I assume it is one of the relatively recent 2960/3560/3750 series. These switch platforms allow MAC-based filter for non-IP frames only. There is no way of filtering IPv4 or IPv6 flows on these platforms based on the MAC addresses. You will need to do the filtering with IPv4 and IPv6 access lists.

if i want to  add ipv6 acl  to the same vlan interface  where  ipv4 acl applied , how can i do that?

You first create the IPv6 ACL with the ipv6 access-list acl-name command, enter its contents, and then you will apply it to the interface using the ipv6 traffic-filter command. You do not care for the IPv4 access list at all - these are two different protocols that have their own independent sets of configuration including ACLs. They will not cause any conflicts.

Is it ok running both ipv6 and ipv4 acl on the same interface, Does it add any other overhead on the switch

It is perfectly OK, and it should not cause any special overhead on the switch.

Best regards,
Peter

0 Helpful

Go to solution
k.adath2015
Level 1
Level 1
In response to Peter Paluch

‎06-27-2015 08:37 AM

Hi  Peter,

" You have not told us what switch type are you using so I assume it is one of the relatively recent 2960/3560/3750 series.  "

its 3850 switch .

Actually i was talking  about the command  " mac address-table static 'mac address'  vlan x  drop " .

I think the above command works with unicast mac address and we can drop the traffic  going  to  'mac address'  from vlan X  . The reason it does  not work with multicast  because the mcastadd cannot be add to the CAM table . Correct me if  iam wrong ?

You said  " These switch platforms allow MAC-based filter for non-IP frames "

But it works for  unicast mac address  ? . If yes  why you said mac-based filter works only for non-ip  frames . 

Thanks a lot 

 

 

0 Helpful

Go to solution
Peter Paluch
Cisco Employee
Cisco Employee
In response to k.adath2015

‎06-27-2015 10:20 AM

Hi,

Actually i was talking  about the command  " mac address-table static 'mac address'  vlan x  drop "

Oh, I see. Well, this is not a filtering in the common sense of the word. Filtering means the use of ACLs that provide you with a certain granularity when choosing what exact traffic you want to permit or deny. Your approach is basically just an indiscriminate blackholing of all traffic destined to the particular MAC address, and this approach would - I presume - work for all frames, regardless of whether they carry IP packets or not.

The reason it does  not work with multicast  because the mcastadd cannot be add to the CAM table . Correct me if  iam wrong ?

I don't think so. Multicast MAC addresses can be added to CAM just like any other addresses, after all, the CAM is the only place that tells the switch how shall frames be delivered so it must be possible to add the multicast addresses there as well. However, it seems that the particular drop action is not supported for multicast MAC addresses, and this may well be a limitation of the hardware. I've just confirmed it on a 3560G - an attempt to tell the switch to drop a particular multicast traffic produced this output:

SW-Dist1(config)#mac address-table static 0100.0203.0405 vlan 1 drop
%Only unicast addresses can be configured to be dropped

Adding the same MAC to a specific port was accepted just fine.

You said  " These switch platforms allow MAC-based filter for non-IP frames "

Yes because I had filtering using ACLs on my mind. You can create a MAC ACL and apply it to an interface; however, that ACL will only apply to frames that carry a payload different than an IPv4 or an IPv6 packet. Some old platforms like Catalyst 2950 applied MAC ACLs to all traffic indiscriminately; however, since 2960 series, MAC ACLs apply to non-IP traffic only. That is what I meant when I wrote that. Your way of creating a static CAM entry is more like blackholing traffic; I would not call it "filtering" traffic, and I didn't originally think of that.

Best regards,
Peter

0 Helpful

Go to solution
k.adath2015
Level 1
Level 1
In response to Peter Paluch

‎06-28-2015 09:32 AM

Thanks Peter

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card