11-18-2013 01:06 AM - edited 03-07-2019 04:38 PM
Hi all,
I'm doing a policy on a 2911 router to filter MAC addresses and apply it on the LAN port.
I didn't see the "permit" keyword and did a "no drop" instead on the policy-map.
Appreciate it if anyone could advise whether this is correct and will accomplish my objective. TIA!
2911(config-pmap)#class MAC_FILTER_CLASS
2911(config-cmap)#match source-address mac ?
H.H.H MAC address
2911(config-cmap)#match source-address mac aaaa.bbbb.cccc
2911(config-cmap)#exi
2911(config)#policy-map MAC_FILTER_POLICY
2911(config-pmap)#class ?
WORD class-map name
class-default System default class matching otherwise unclassified packets
2911(config-pmap)#class MAC_FILTER_CLASS
2911(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth Bandwidth
compression Activate Compression
drop Drop all packets
exit Exit from class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
log Log IPv4 and ARP packets
netflow-sampler NetFlow action
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
<cr>
2911(config-pmap-c)#permit
^
% Invalid input detected at '^' marker.
2911(config-pmap-c)#no ?
bandwidth Bandwidth
compression Activate Compression
drop Drop all packets
exit Exit from class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
log Log IPv4 and ARP packets
netflow-sampler NetFlow action
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
<cr>
2911(config-pmap-c)#no drop
2911(config-pmap-c)#do sh policy-map
Policy Map MAC_FILTER_POLICY
Class MAC_FILTER_CLASS
<<< "no drop" NOT FOUND OR IS IT THE DEFAULT?
2911(config)#int GigabitEthernet0/0
2911(config-subif)#service-policy input MAC_FILTER_POLICY
11-18-2013 01:50 AM
Yes, you are right with your assumption, "no drop" is a default in MQC. But what exactly do you want to achieve? Only allow one MAC address and drop the rest?
Then you would configure your first class (the one where you match the MAC address) in the policy-map with no action and add another class with "match any" and configure that with the action drop.
And remember that the class you configured at the beginning is a "match all" class. If you want to match on more than one address, you have to configure a "match any" class.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-18-2013 02:43 AM
Karsten,
Thanks for confirming! The one I posted is just a sample. I've actually got a long list of MACs for this task.
Are you referring to adding the 'class default' to be added on the second class to be dropped?
Could you give a sample template to test it out? I miss joining the Firewall/VPN group discussion. Been away and really busy lately :)
Sent from Cisco Technical Support iPhone App
11-18-2013 03:27 AM
Are you referring to adding the 'class default' to be added on the second class to be dropped?
If you run a very new IOS it's worth testing it with the class-default. At least on 15.0 the class-default doesn't support the drop action.
Could you give a sample template to test it out? I miss joining the Firewall/VPN group discussion. Been away and really busy lately
untested, but I think the following policy-map should work:
class-map match-all TEST-ANY
 match any
class-map match-any TEST-MAC
 match source-address mac AAAA.BBBB.CCCC
 match source-address mac BBBB.CCCC.DDDD
 match source-address mac CCCC.DDDD.EEEE
!
policy-map TEST
 class TEST-MAC
 class TEST-ANY
  drop
Just to confirm: Are the systems that you want to allow L2-adjacent to the router so that the router really sees the MAC-address of the PCs? If there is a L3-switch between, then it won't work. And always remember that this only implements a very weak security that can be easily circumvented by a skilled user (depending on the other security-measures you have in place).
10-26-2020 01:53 AM
Hi guys,
sorry for bringing this old one up, I tested it on a C886VA router and the limit for MAC ACLs was 75.
Is there any documentation around if this limit is for all router classes?
Thanks,
Michael
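An added helper, not from anyone in this thread, that renders Karsten's two-class template from an allow-list: it normalizes MACs written in colon, dash or bare-hex notation to the H.H.H form IOS expects, drops duplicates, and splits long lists across several match-any class-maps so no single class exceeds a configurable entry limit. The default limit of 75 is the figure Michael measured on a C886VA, assumed here only as a working default and not as a documented platform-wide limit; the MAC values are constructed sample data.

```python
import re

# Constructed allow-list in mixed notations (sample data, not from the thread).
ALLOWED_MACS = [
    "aa:bb:cc:dd:ee:01",
    "AA-BB-CC-DD-EE-02",
    "aabb.ccdd.ee03",
    "aabbccddee04",
    "aa:bb:cc:dd:ee:01",  # duplicate, removed during normalization
]


def to_cisco_mac(mac: str) -> str:
    """Normalize any common MAC notation to the dotted H.H.H form IOS expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    d = digits.upper()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def build_mac_filter(macs, per_class_limit: int = 75, name: str = "TEST") -> str:
    """Render the two-class MQC template from the thread: allowed MACs get the
    default (no action), everything else falls through to a drop class.
    per_class_limit splits long lists across several match-any class-maps;
    75 is what Michael observed on a C886VA, assumed here, not documented."""
    normalized = sorted(set(to_cisco_mac(m) for m in macs))
    if not normalized:
        raise ValueError("allow-list is empty; policy would drop all traffic")
    chunks = [normalized[i:i + per_class_limit]
              for i in range(0, len(normalized), per_class_limit)]
    lines = []
    for idx, chunk in enumerate(chunks, start=1):
        lines.append(f"class-map match-any {name}-MAC-{idx}")
        lines.extend(f" match source-address mac {m}" for m in chunk)
    # A match-all class with a single "match any" catches whatever the MAC classes missed.
    lines += [f"class-map match-all {name}-ANY", " match any", "!", f"policy-map {name}"]
    # Allowed classes carry no action, which the thread confirms is the MQC default.
    lines.extend(f" class {name}-MAC-{idx}" for idx in range(1, len(chunks) + 1))
    lines += [f" class {name}-ANY", "  drop"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(build_mac_filter(ALLOWED_MACS))
```

Apply the output under a `service-policy input` on the LAN interface as in the original post; as Karsten notes, this only works when the hosts are L2-adjacent to the router.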