Mac filtering between switches.

Unanswered Question
Apr 27th, 2007

We have a mac filter on a port of a Cisco 3560. That port connects to the uplink port of a 4-port unmanaged switch. It works great.

Today, a different 4-port switch was connected. I would expect that no traffic would pass since the mac address is wrong. Sure enough, the clients of the little 4-port switch could not communicate. So far, so good.

But I monitor the incoming communication on the filtered port on our 3560. And while the clients could not connect, I was still seeing a small amount of switch-to-switch communication occurring.

Shouldn't ALL communication be dropped when the mac filter is engaged? Why wasn't my graph a flat line? True, there wasn't much, but it wasn't zero. Why not?

mark.j.hodge Fri, 04/27/2007 - 08:05

I would suspect that this is traffic from the switch BPDU, VTP, CDP etc.

professorguy Fri, 04/27/2007 - 08:29

Then this is a fault in Cisco's mac filter. What's the point of the filter if it still accepts packets from the far side? No banned device should get ANY information (even a single packet) from our network.

Or are the incoming packet counts (the basis of the graphs) incremented even if the packets are then dropped? That would explain the small traffic: they are ATTEMPTS to connect, but are dropped. No large traffic since the connections never complete so no application data roared across.

Of course, if that is indeed true, this would make my monitoring much more useful since I could see successful traffic (large spikes) as well as attempted but unsuccessful traffic (small spikes). As long as no info leaks to the outside to unknown devices, I guess it's good to see when attempts are made (so I can call the police).

mark.j.hodge Fri, 04/27/2007 - 08:45

Maybe I misunderstood you; by a mac filter I read that you were restricting inbound traffic on the port to specific mac addresses.

If this is the case, then the port has to receive the packets to check if they are from the appropriate address. If not, they just don't get forwarded if the address doesn't match.

Such a filter does not stop the switch from transmitting data; you would have to turn this off on the port, "no cdp enable" etc. commands.
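
As an added illustration of the point above (example code, not from the thread or from Cisco): a small Python model of an inbound source-MAC allow-list on a port. It shows that every frame is received and counted before the source check drops it, so the port's receive counter is never a flat line, and it labels the dropped frames that are switch-to-switch control traffic. The MAC addresses in the sample frames are constructed; the multicast destinations are the standard IEEE STP and Cisco CDP/VTP/PVST+ addresses.

```python
# Added example, not from the thread: a toy model of an inbound source-MAC
# allow-list on a switch port, showing why the port's receive counter keeps
# climbing even when every frame from the wrong uplink is dropped, and which
# of the dropped frames are switch-to-switch control traffic.
from collections import Counter

# Well-known destination MACs used by switch control protocols.
CONTROL_DST = {
    "01:80:c2:00:00:00": "stp_bpdu",
    "01:00:0c:cc:cc:cc": "cisco_cdp_vtp_dtp",
    "01:00:0c:cc:cc:cd": "cisco_pvst_bpdu",
}

def classify(frame):
    """Label a frame by destination: a control-plane multicast or plain data."""
    return CONTROL_DST.get(frame["dst"].lower(), "data")

def filter_port(frames, allowed_src):
    """Model a port-level inbound MAC filter: every frame is received (and
    counted) before the source address is checked, then forwarded or dropped.
    Returns the counters a port-traffic graph is built from."""
    allowed = {m.lower() for m in allowed_src}
    stats = Counter()
    for f in frames:
        stats["received"] += 1          # incremented before any decision
        stats["received_bytes"] += f["len"]
        if f["src"].lower() in allowed:
            stats["forwarded"] += 1
        else:
            stats["dropped"] += 1
            stats["dropped_" + classify(f)] += 1
    return stats

# Constructed sample frames (hypothetical MACs): a BPDU and a CDP frame that
# an attached switch emits on its own, plus an ARP request and a TCP SYN from
# a client behind it. None of them is answered by our side of the filter.
SAMPLE_FRAMES = [
    {"src": "bb:bb:bb:00:00:01", "dst": "01:80:c2:00:00:00", "len": 60},
    {"src": "bb:bb:bb:00:00:01", "dst": "01:00:0c:cc:cc:cc", "len": 120},
    {"src": "cc:cc:cc:00:00:10", "dst": "ff:ff:ff:ff:ff:ff", "len": 64},
    {"src": "cc:cc:cc:00:00:10", "dst": "aa:aa:aa:00:00:ff", "len": 78},
]
EXPECTED_UPLINK = "aa:aa:aa:00:00:01"  # the MAC the filter was built for

if __name__ == "__main__":
    # Wrong switch attached: nothing is forwarded, but "received" is not zero.
    print(filter_port(SAMPLE_FRAMES, [EXPECTED_UPLINK]))
```

The first two sample frames are the kind of traffic the reply above names (BPDU, CDP/VTP); the model counts them as received and dropped, which is the small non-zero graph the question describes.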

professorguy Fri, 04/27/2007 - 09:09

I'll need the switches to communicate correctly when the mac address matches, so I can't turn off negotiation on the port.

And I understand that physically, packets must be received before they are dropped (and so increment traffic).

But are you saying my inside switch is SENDING packets out to a device which has the wrong mac address!?! Because if that's the case, mac filtering DOES NOT WORK CORRECTLY on the 3560.
