MAC address filtering on CISCO 4506

M Talha
Level 1

Hello Everyone,

I am running a core switch with the IOS seen below in the show version output. I just wanted to know which IOS I need to upgrade to so that I can perform MAC address filtering on my core switch. Please suggest some IOS images, with versions, that support MAC address filtering. Secondly, if I upgrade my core switch to a suggested advanced version of the IOS image, is it going to affect the behavior of my core switch? Please help me in this regard; any help would be greatly appreciated.

Thanks

 

DC1#sh ver
Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-IPBASE-M), Version 12.2(50)SG5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Mon 14-Sep-09 14:31 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x1223C28C

ROM: 12.2(44r)SG5
Darkside Revision 4, Jawa Revision 20, Tatooine Revision 140, Forerunner Revision 1.74

DC1 uptime is 33 weeks, 5 days, 20 hours, 53 minutes
System returned to ROM by reload
System image file is "bootflash:cat4500e-ipbase-mz.122-50.SG5.bin"

cisco WS-C4506-E (MPC8548) processor (revision 6) with 524288K bytes of memory.
Processor board ID FOX1342H6VU
MPC8548 CPU at 1.33GHz, Supervisor 6-E
Last reset from Reload
15 Virtual Ethernet interfaces
100 Gigabit Ethernet interfaces
2 Ten Gigabit Ethernet interfaces
511K bytes of non-volatile configuration memory.

Configuration register is 0x102

7 Replies

Jon Marshall
Hall of Fame

What exactly do you mean by "MAC address filtering"?

The 4500 with your current IOS supports MAC address ACLs.

See this link for more details -

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/50sg/configuration/guide/Wrapper-46SG/secure.html#wp1067244

Jon

MAC address filtering to allow or deny users on a specified VLAN. Secondly, if I upgrade my IOS, is it going to affect the overall behavior of my core switch?

Your IOS already supports that.

In terms of upgrading see Reza's answer.

You definitely need to read release notes and check all modules etc. are supported.

Jon

Thank you so much Jon for the help, greatly appreciated :)

Hello

MAC address filtering is just one of the few options available; you also have:

Dynamic ARP Inspection = DAI
IP Source Guard = IPSG
VLAN access maps = VAM


Below is an example of MAC address filtering which will deny connectivity between these two routers unless a static ARP entry is applied to allow communication.
 

MAC Filtering:
############

 

1) Deny any MAC on the two interfaces between R1 and R2 to be dynamically assigned

Note:
0x806 0x0 is the EtherType for ARP packets
ffff.ffff.ffff is the broadcast address used by ARP when sending the initial ARP request

I will deny the MAC address of either rtr from being added to these rtrs' ARP caches
 

Switch -Connects R1- R2

mac access-list extended MAC
 deny   000a.aa00.0000 0000.00ff.ffff any 0x806 0x0
 permit any any

int fa0/1
switchport host
mac access-group MAC in
 

int fa0/2
switchport host
mac access-group MAC in
 

 

R1

interface FastEthernet0/0
description LInk to R2
mac 000a.aa11.1111
ip address 20.1.1.1 255.255.255.0
 

R2
interface FastEthernet0/0
description LInk to R1
mac 000a.aa22.2222
ip address 20.1.1.2 255.255.255.0
 


If you check the ARP table of each router you should see an incomplete ARP entry.

Now if I try to ping between the rtrs it will fail due to the incomplete ARP cache entries.
 

R1
sh arp

R1#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  20.1.1.2                0   Incomplete      ARPA

 

ping 20.1.1.2

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)



R2#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  20.1.1.1               0   Incomplete      ARPA



ping 20.1.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 20.1.1.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)


Apply static ARP entries on each rtr to allow communication:


R1
conf t
arp 20.1.1.2 000a.aa22.2222 arpa


R2
conf  t
arp 20.1.1.1 000a.aa11.1111 arpa

Now ping will be successful between either rtr.




res

Paul.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
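The ACL from the post above, modelled in Python as an added example that is not part of the original post or of Cisco's software: it applies the wildcard-mask and EtherType matching to four frames and shows why dynamic ARP fails while IPv4 traffic still passes once static ARP entries exist. The function names, the constructed frames and the 0011.2233.4455 host are assumptions made for illustration.

```python
# Added illustration: how a MAC extended ACL entry matches frames.
# All frames below are constructed sample data, not captured traffic.

def mac_to_int(mac):
    """Parse Cisco dotted (000a.aa11.1111) or colon/dash MAC notation."""
    digits = "".join(c for c in mac if c not in ".:-")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def field_matches(value, pattern, wildcard):
    """Wildcard bits set to 1 are "don't care"; every other bit must be equal."""
    return (value ^ pattern) & ~wildcard == 0

ANY = (0, (1 << 48) - 1)  # "any" = every address bit is don't-care

ACL = [
    # deny 000a.aa00.0000 0000.00ff.ffff any 0x806 0x0
    ("deny", (mac_to_int("000a.aa00.0000"), mac_to_int("0000.00ff.ffff")),
     ANY, (0x0806, 0x0)),
    # permit any any
    ("permit", ANY, ANY, None),
]

def evaluate(acl, src, dst, ethertype):
    """Return the action of the first matching entry (first match wins)."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for action, (sp, sw), (dp, dw), etype in acl:
        if not (field_matches(s, sp, sw) and field_matches(d, dp, dw)):
            continue
        if etype is not None and not field_matches(ethertype, *etype):
            continue
        return action
    return "deny"  # implicit deny that ends every ACL

FRAMES = [  # (description, source MAC, destination MAC, EtherType)
    ("R1 ARP request for 20.1.1.2", "000a.aa11.1111", "ffff.ffff.ffff", 0x0806),
    ("R2 ARP reply to R1", "000a.aa22.2222", "000a.aa11.1111", 0x0806),
    ("R1 ICMP echo after static ARP", "000a.aa11.1111", "000a.aa22.2222", 0x0800),
    ("ARP from a host outside 000a.aa", "0011.2233.4455", "ffff.ffff.ffff", 0x0806),
]

def verdicts():
    return [evaluate(ACL, src, dst, etype) for _, src, dst, etype in FRAMES]

if __name__ == "__main__":
    for (desc, *_), action in zip(FRAMES, verdicts()):
        print(f"{action:6}  {desc}")
```

The entry only stops ARP sourced from 000a.aaxx.xxxx addresses; IPv4 frames from the same sources fall through to `permit any any`, so on its own it does not isolate those hosts.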

Reza Sharifi
Hall of Fame

Hi,

MAC address filtering should be supported on the version you are running.  If you want to know what features are available in what IOS, use the feature navigator and look for the feature you need.

http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp

As for your other question, whether an upgrade will change the behavior of your switch: it is hard to tell, but you would need to read the release notes for whatever version you are trying to upgrade to so there are no surprises. So, make a good backup of your config, select a version that has the feature sets you need, read the release notes, test it in the lab if you can before putting it in production, and finally be ready to downgrade in case something happens.

HTH

Thank you so much Reza Sharifi for the help, I will definitely check in the feature navigator for this. Thanks once again :)
