11-18-2013 01:06 AM - edited 03-07-2019 04:38 PM
Hi all,
I'm doing a policy on a 2911 router to filter MAC addresses and apply it on the LAN port.
I didn't see the "permit" keyword and did a "no drop" instead on the policy-map.
Appreciate it if anyone could advise if this is correct and will accomplish my objective. TIA!
2911(config-pmap)#class MAC_FILTER_CLASS
2911(config-cmap)#match source-address mac ?
H.H.H MAC address
2911(config-cmap)#match source-address mac aaaa.bbbb.cccc
2911(config-cmap)#exi
2911(config)#policy-map MAC_FILTER_POLICY
2911(config-pmap)#class ?
WORD class-map name
class-default System default class matching otherwise unclassified packets
2911(config-pmap)#class MAC_FILTER_CLASS
2911(config-pmap-c)#?
Policy-map class configuration commands:
bandwidth Bandwidth
compression Activate Compression
drop Drop all packets
exit Exit from class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
log Log IPv4 and ARP packets
netflow-sampler NetFlow action
no Negate or set default values of a command
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
<cr>
2911(config-pmap-c)#permit
^
% Invalid input detected at '^' marker.
2911(config-pmap-c)#no ?
bandwidth Bandwidth
compression Activate Compression
drop Drop all packets
exit Exit from class action configuration mode
fair-queue Enable Flow-based Fair Queuing in this Class
log Log IPv4 and ARP packets
netflow-sampler NetFlow action
police Police
priority Strict Scheduling Priority for this Class
queue-limit Queue Max Threshold for Tail Drop
random-detect Enable Random Early Detection as drop policy
service-policy Configure QoS Service Policy
set Set QoS values
shape Traffic Shaping
<cr>
2911(config-pmap-c)#no drop
2911(config-pmap-c)#do sh policy-map
Policy Map MAC_FILTER_POLICY
Class MAC_FILTER_CLASS
<<< "no drop" NOT FOUND OR IS IT THE DEFAULT?
2911(config)#int GigabitEthernet0/0
2911(config-subif)#service-policy input MAC_FILTER_POLICY
Accepted Solutions
11-18-2013 01:50 AM
Yes, you are right with your assumption, "no drop" is a default in MQC. But what exactly do you want to achieve? Only allow one MAC-address and drop the rest?
Then you would configure your first class (the one where you match the MAC-address) in the policy-map with no action and add another class with "match any" and configure that with the action drop.
And remember that the class you configured at the beginning is a "match all" class. If you want to match on more than one address, you have to configure a "match any" class.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
11-18-2013 02:43 AM
Karsten,
Thanks for confirming! The one I posted is just a sample. I've actually got a long list of MACs for this task.
Are you referring to adding the 'class default' to be added on the second class to be dropped?
Could you give a sample template to test it out? I miss joining the Firewall/VPN group discussion. Been away and really busy lately :)
11-18-2013 03:27 AM
Are you referring to adding the 'class default' to be added on the second class to be dropped?
If you run a very new IOS it's worth testing it with the class-default. At least on 15.0 the class-default doesn't support the drop-action.
Could you give a sample template to test it out? I miss joining the Firewall/VPN group discussion. Been away and really busy lately
Untested, but I think the following policy-map should work:
class-map match-all TEST-ANY
 match any
class-map match-any TEST-MAC
 match source-address mac AAAA.BBBB.CCCC
 match source-address mac BBBB.CCCC.DDDD
 match source-address mac CCCC.DDDD.EEEE
!
policy-map TEST
 class TEST-MAC
 class TEST-ANY
  drop
Just to confirm: Are the systems that you want to allow L2-adjacent to the router so that the router really sees the MAC-address of the PCs? If there is a L3-switch between, then it won't work. And always remember that this only implements a very weak security that can be easily circumvented by a skilled user (depending on the other security-measures you have in place).
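An added example, not from this thread or from Cisco: a small Python helper that takes a long MAC list (as the original poster has), normalises each entry into the IOS H.H.H form, removes duplicates, and renders the class-map/policy-map pair in the shape of Karsten's template above (a match-any allow class with no action, then a match-all "match any" class that drops). The class and policy names, the sample MAC list and the optional max_entries guard are assumptions of this example.

```python
import re

# Constructed sample list: the placeholder MACs from the template above plus
# differently formatted duplicates, to exercise normalisation and de-duplication.
ALLOWED_MACS = [
    "AAAA.BBBB.CCCC",
    "bb:bb:cc:cc:dd:dd",
    "CC-CC-DD-DD-EE-EE",
    "aaaa.bbbb.cccc",      # same as the first entry, written in lower case
]


def to_ios_mac(mac: str) -> str:
    """Normalise colon, dash or dotted notation to the IOS H.H.H form."""
    digits = re.sub(r"[.:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def build_mac_filter(macs, allow_class="TEST-MAC", catchall_class="TEST-ANY",
                     policy="TEST", max_entries=None) -> str:
    """Render the two class-maps and the policy-map: a match-any class listing
    permitted source MACs with no action, then a match-all 'match any' class
    that drops everything else.  max_entries is a hypothetical guard for a
    platform's MAC-entry limit (None disables the check)."""
    allowed = sorted({to_ios_mac(m) for m in macs})   # validate, dedupe, order
    if max_entries is not None and len(allowed) > max_entries:
        raise ValueError(f"{len(allowed)} entries exceed the limit of {max_entries}")
    # The allow class must be match-any: a match-all class with several
    # 'match source-address mac' lines could never match a single frame.
    lines = [f"class-map match-all {catchall_class}", " match any",
             f"class-map match-any {allow_class}"]
    lines += [f" match source-address mac {m}" for m in allowed]
    lines += ["!", f"policy-map {policy}",
              f" class {allow_class}",          # no action: these frames pass
              f" class {catchall_class}", "  drop"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_mac_filter(ALLOWED_MACS))
```

The generated text is meant to be pasted into global configuration mode and then applied with service-policy input on the LAN interface, exactly as in the original post.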
10-26-2020 01:53 AM
Hi guys,
sorry for bringing this old one up, I tested it on a C886VA router and the limit for MAC ACLs was 75.
Is there any documentation around if this limit is for all router classes?
Thanks,
Michael
