Mac address Traffic Blocking

Eng-Ruthless
Level 1

I executed the following command on the switch in the environment I work in:

"mac address-table static XXXX.XXXX.XXXX vlan X drop"

My intention was to prevent a single PC from accessing the network. Out of curiosity, I built a lab in eve-ng and used the above command there. However, I noticed that the PC was still able to ping another PC, and to request DHCP and actually receive an address.

Now I am confused whether the command actually works or not.

It should be noted that the switches I work with are Catalyst, while in the eve-ng lab I used Nexus switches.

Please provide any clarification that could help me, I would greatly appreciate it.


15 Replies

balaji.bandi
Hall of Fame

Can you give some example? What device is it able to communicate with in the same VLAN?

Maybe you can use a MAC ACL for this use case, if I understand correctly.

You can refer to the guide for the syntax if you would like to prevent the MAC address coming from a port.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli_rel_4_0_1a/CLIConfigurationGuide/MACAddress.pdf

You can try a MAC ACL as below:

mac access-list extended bmac
deny host abcd.efgh.ijkl any
permit any any

interface x/x
mac access-group bmac in

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Really appreciative of your support and help.

 

But I do not want to use MAC ACL, I want to use the command that was mentioned. It should actually have the same function as the mac acl as per my knowledge because it will drop all traffic. Please correct me if I'm mistaken.

 

Ex (eve-ng lab)

I added 3 switches

2 Access switches, each with its own uplink to the Core (for information: there is no link between the 2 Access switches)

1 Core

2 PCs, one connected to Acc1 and the other connected to Acc2

 

I applied the command on the Core so that if it receives the MAC address from Acc1 it drops it, but the PC can still communicate with the other side, whether in the same VLAN or a different VLAN.

The command should work.

But which MAC did you use in the command?

Did you use the MAC of the interface or of the SW?

Also do show mac address.

See if the NSK adds a different MAC than what you used in the command.

MHM

I used the MAC address present on the port going to the Windows PC. Notably, when I showed the MAC address table on the NSK, the MAC address was not found; it appeared to me that the state is drop, but the PC is still able to access the network.

 

Is it possible that the command does not work in the virtual environment and does not simulate reality, or what?

It can be an eve-ng issue; I will test it tonight in my lab.

But for your case:

Do you see any MAC on the interface connected to the PCs?

MHM

I would be grateful if you could share the test results that will appear to you and tell me whether it works or not.

It's an eve-ng issue.

I ran the lab and got the same result: the NSK must drop this MAC, which is learned in VLAN 10, but the PC can still ping the other PC.
MHM

[Two screenshots attached: Screenshot (566).png, Screenshot (567).png]

I truly appreciate your effort. Thank you for your time and clarification.

You are so welcome 

Have a nice day 

MHM

Some simulators and emulators cannot work as expected. I have never tried this in a virtual environment, so check the support and test it.

BB


Hello


@Eng-Ruthless wrote:
But I do not want to use MAC ACL, I want to use the command that was mentioned.

I applied the command on Core so that if it receives the mac address from acc1 it drops it but it can still communicate with the other side whether in the same vlan or different vlan.


Edited - Don't apply it to the core UNLESS you have L2 hosts directly attached to the core; otherwise just apply it on all L2 switches and VLANs.

example:
mac address-table static a063.9166.f368 vlan 1 drop

mac address-table static a063.9166.f368 vlan 2 drop
mac address-table static a063.9166.f368 vlan x drop  ....
etc....


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you, my brother, for this solution. I will try it in the lab eve-ng and test it to see if it works or not.

 

However, the solution is not practical in the work environment I'm working in, due to the large number of switches and the difficulty of tracing. So, does it not work on the Core, given that the Core works as Layer 2?

 

Apart from that, why am I putting all the VLANs as drop when I know that the PC is assigned to VLAN 2 for example, why mention them all as it will cause a lot of commands.

 

I am able to apply them in another way, but the work requirements want it in this form. Thank you.

Hello


@Eng-Ruthless wrote:

I am able to apply them in another way, but the work requirements want it in this form. Thank you.


Yes, one option would be to use VLAN and routed ACLs to negate communication between hosts in the same VLAN or between the VLANs.

But the issue you have at the moment may be down to the eve-ng software. I'm curious: when you tested this, did you actually see that specific host MAC in the address table of the switch in the first place? If you didn't, it WON'T get dropped even with that command being applied.



Kind Regards
Paul
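The checks suggested in the thread (MHM: do "show mac address" and see whether the switch learned a different MAC than the one typed; Paul: confirm the host MAC is actually in the table, and remember the drop entry is per VLAN), as an added Python example that is not from any of the posts. It parses a constructed Catalyst-style "show mac address-table" output; the sample output, the VLAN numbers and the PC-facing port Gi1/0/5 are assumptions, and the MAC is the one from Paul's example.

```python
import re

# Constructed sample of "show mac address-table" output in a Catalyst-style
# layout (not captured from a real device). The host MAC is Paul's example;
# the VLANs and the PC-facing port Gi1/0/5 are assumptions.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   2    a063.9166.f368    STATIC      Drop
  10    a063.9166.f368    DYNAMIC     Gi1/0/5
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  20    a063.9166.f368    DYNAMIC     Gi1/0/5
"""

ENTRY_RE = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-fA-F.:-]{12,17})\s+"
                      r"(?P<type>\w+)\s+(?P<port>\S+)\s*$")

def normalize_mac(mac):
    """Accept aaaa.bbbb.cccc, aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; return aaaa.bbbb.cccc."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_mac_table(output):
    """Return (vlan, mac, type, port) tuples; header and separator lines are skipped."""
    entries = []
    for line in output.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m["vlan"]), normalize_mac(m["mac"]), m["type"].upper(), m["port"]))
    return entries

def audit_drop(output, target_mac):
    """Where the host MAC is learned dynamically, where a static drop entry exists,
    and which VLANs still carry the host without one (drop entries are per VLAN)."""
    target = normalize_mac(target_mac)
    rows = [e for e in parse_mac_table(output) if e[1] == target]
    learned = {vlan for vlan, _, typ, _ in rows if typ == "DYNAMIC"}
    dropped = {vlan for vlan, _, typ, port in rows if typ == "STATIC" and port.lower() == "drop"}
    return {"learned_vlans": sorted(learned), "drop_vlans": sorted(dropped),
            "missing_drop": sorted(learned - dropped)}

def macs_on_port(output, port):
    """MACs actually learned on a port, to compare with the MAC typed into the drop command."""
    return sorted({mac for _, mac, _, p in parse_mac_table(output) if p == port})
```

On the sample, the host is learned in VLANs 10 and 20 while the drop entry only exists in VLAN 2, which is exactly the per-VLAN gap Paul's list of commands is meant to close.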

I think it is due to the eve-ng software. When I used the command and cleared the MAC table, I noticed that the core switch did not see the MAC address because of the command I used, and when inquiring about its status, it is shown as drop, but the device is still able to access the network. It caused me a headache yesterday: I tried for about 7 hours to apply all scenarios and did not see the effectiveness of the command. Today I will apply what you mentioned to me, but in reality, at work, I will not use it.
