We have joined our L2 network with another one via a Cisco Catalyst 4500X switch, which has two egress ports in a port channel. We use MSFT NLB technology, which is sent to every device which participates in the same VLAN. We want to deny this traffic from being sent to the other network.
I have made the following configuration changes:
mac access-list extended msft-nlb
 deny any 02bf.0000.0000 0000.ffff.ffff
 permit any any
interface Port-channel116
 mac access-group msft-nlb out
When I do a capture on the connected network, I still see traffic being sent to a MAC address which should have been denied by the filter.
Is MAC filtering supposed to have prevented this packet from leaving the network? Have I made a mistake in my configuration or have I misunderstood what MAC Filtering does?
MAC ACLs are generally effective for non-IPv4 traffic only. While this is somewhat platform dependent, it is also true for your box.
To cope with the MS NLB in the multicast mode you typically configure a static ARP and a static MAC address as per the document beneath:
You have led me to a resolution. I have placed the following command on the switch:
mac address-table static 02bf.0a6e.b097 vlan 41 drop
And now the traffic is not being forwarded to the new network. Result!
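As an added example (not code from the thread), the Python below models the two mechanisms discussed above: the wildcard match of the posted MAC ACL, which the answer says is applied to non-IPv4 frames only, and the static drop entry from the resolution. It also derives the NLB cluster MAC from the cluster VIP; the VIP 10.110.176.151 is inferred from the MAC 02bf.0a6e.b097 in the thread, and the "ACL consulted only for non-IPv4 ethertypes" rule is an assumption that reproduces the behaviour the thread reports.

```python
import ipaddress

# Constructed sample values: the cluster VIP whose unicast-mode NLB MAC is
# 02bf.0a6e.b097 (0a.6e.b0.97 == 10.110.176.151), as seen in the thread.
CLUSTER_VIP = "10.110.176.151"
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def nlb_cluster_mac(vip: str, mode: str = "unicast") -> str:
    """Derive the NLB cluster MAC from the cluster VIP.
    Unicast mode uses the 02-bf prefix, multicast mode 03-bf; the last
    four bytes are the VIP octets. Returned in Cisco dotted-hex notation."""
    prefix = {"unicast": "02bf", "multicast": "03bf"}[mode]
    raw = prefix + ipaddress.IPv4Address(vip).packed.hex()
    return f"{raw[0:4]}.{raw[4:8]}.{raw[8:12]}"

def mac_to_int(mac: str) -> int:
    """Accept Cisco dotted (02bf.0a6e.b097) or colon notation."""
    return int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)

def acl_matches(mac: str, value: str, wildcard: str) -> bool:
    """Cisco wildcard semantics (assumption consistent with the posted ACL):
    wildcard bits set to 0 must match, bits set to 1 are don't-care."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(mac) & care) == (mac_to_int(value) & care)

def switch_forwards(dst_mac: str, ethertype: int, static_drop) -> bool:
    """Model of the egress decision on the port channel.
    - 'mac address-table static ... drop' entries apply to every frame.
    - The MAC ACL deny is only consulted for non-IPv4 frames (assumption
      matching the answer in the thread)."""
    if mac_to_int(dst_mac) in {mac_to_int(m) for m in static_drop}:
        return False
    if ethertype != ETHERTYPE_IPV4 and acl_matches(
        dst_mac, "02bf.0000.0000", "0000.ffff.ffff"
    ):
        return False
    return True

if __name__ == "__main__":
    mac = nlb_cluster_mac(CLUSTER_VIP)
    print(mac, "IPv4 via ACL only:", switch_forwards(mac, ETHERTYPE_IPV4, set()))
    print(mac, "IPv4 with static drop:", switch_forwards(mac, ETHERTYPE_IPV4, {mac}))
```

Running it shows the IPv4 frame to the cluster MAC leaking with only the ACL in place and being dropped once the static entry exists, which is the sequence the thread describes.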