Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4551
Views
5
Helpful
4
Replies

MAC Filtering in Catalyst 3750 (with IP Base IOS)

fvalpondi
Level 1
Level 1

‎11-23-2009 03:04 AM - edited ‎03-06-2019 08:41 AM

Hi,

I got a Catalyst 3750 working with the IP features IOS.

I tried to configure some MAC filters in a couple interfaces and they seem not to work properly...

The scenario is the following. I got 4 busses (hubs) that are connected to a bridge. The bridge has to be changed because it is defective. It is a Hirschmann bridge with some strange proprietary filters that could be only implemented in it.

There is actually no replacement for this device, and I thought I could use a Catalyst for it. Since in each port of the bridge will be connected to a hub, some access lists have to be implemented.

This is the configuration example of one of the lists:

mac access-list extended filter1
deny host 0800.0601.1201 any
deny host 0800.0601.1202 any
deny host 0800.0601.1203 any
deny host 0800.0601.1204 any
deny host 0800.0601.1205 any
deny host 0800.0601.1206 any
deny host 0800.0601.1207 any
deny host 0800.0601.1208 any
deny host 0800.0601.1209 any
deny host 0800.0601.1210 any
deny host 0800.0601.1211 any
deny host 0800.0601.1212 any
deny host 0800.0601.1213 any
deny host 0800.0601.1214 any
deny host 0800.0601.1215 any
deny host 0800.0601.1216 any
deny host 0800.0601.1217 any
deny host 0800.0601.1218 any
deny host 0800.0601.1219 any
deny host 0800.0601.1220 any
permit any any
exit
!

!
interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
speed auto
mac access-group filter1 in
no shutdown
!

The problem is that sometimes it works, sometimes does not, sometimes after restart works and minutes later stop working....

I do not really know what the issue can be!

thanks for your help!

best regards,

Fabio

1 person had this problem
Labels:
0 Helpful
4 Replies 4

Nagendra Kumar Nainar
Cisco Employee
Cisco Employee

‎11-23-2009 04:00 AM

Hi Fabio,

MAC ACL is only for non-IP traffic. To my knowledge, it is not suppose to work for IP traffic. But in some cases, ARP packets will be affected by MAC ACL and will appear to influence IP traffic.

You need to try IP ACL for IP traffic.

Regards,

Nagendra

fvalpondi
Level 1
Level 1
In response to Nagendra Kumar Nainar

‎11-23-2009 04:07 AM

Hi Nagendra,

thanks for your answer.

I know that MAC ACL is not suitable for IP traffic... Furthermore, I do not talk about IP filtering in my problem description.

I only said that the switch is runing the IP-Base IOS version.

best regards,

Fabio

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to fvalpondi

‎11-23-2009 03:15 PM

Hello Fabio,

port security can be the right tool for this job : you can specify  what MAC addresses are expected on each of the four ports with an action restrict.

this should be effective allowing traffic only coming from intended hosts.

Hope to help

Giuseppe

fvalpondi
Level 1
Level 1
In response to Giuseppe Larosa

‎11-23-2009 11:03 PM

Hi Giuseppe,

thanks for the idea. I already had thought about it. But, how many addresses can be maximum defined pro port? Or can address ranges be defined? For example 00:00:00:00:00:00 to 00:00:00:00:FF:FF. That's a lot of addresses to be configured individually...

On the other hand, these filters that are defined in the Hirschmann Bridge are not only INBOUND filters, but OUTBOUND filters also. Port security can't help in here, am I right?

thanks!

Fabio

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card