6500: Protocol-Independent MAC ACL Filtering

Answered Question

Is it supported in Security ACLs (PACLs and VACLs) in IOS 12.2(33)SXH?


Is it possible to filter IPv4 traffic in hardware by MAC with ACLs on this platform?


The same question for ARP traffic.


Correct Answer by Ryan Carretta about 8 years 12 months ago

Hi,


This should work for you. You would need to enable PI MAC ACL filtering by using the command 'mac packet-classify' on the ingress interface (or VLAN interface if L2). This was supported as of 12.2(18)SXD - here is a link to the config guide in the SXF train:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/qos.html#wp1726493


For ARP you can just create an arp access-list:

    Test6k(config)#arp access-list ARP_FILTER
    Test6k(config-arp-nacl)#permit ?
      ip        Sender IP address
      request   ARP Request
      response  ARP Response


Ryan Carretta Tue, 06/03/2008 - 00:59
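
A sketch of the setup described in the answer, written as a VLAN ACL that drops frames from one source MAC whatever protocol they carry. This is an added example, not configuration from the original post; the ACL and access-map names, the MAC address and VLAN 10 are assumed placeholders.

```cisco
! Constructed example: all names, the MAC address and the VLAN number are placeholders.
!
! MAC ACL that matches the source MAC to be filtered.
mac access-list extended MATCH_BLOCKED_MAC
 permit host 0000.5e00.5301 any
!
! Enable protocol-independent MAC ACL filtering on the VLAN interface,
! so that IPv4 frames arriving in VLAN 10 are also matched by MAC ACLs.
interface Vlan10
 mac packet-classify
!
! VACL: drop frames matched by the MAC ACL, forward everything else.
vlan access-map VLAN10_MAC_FILTER 10
 match mac address MATCH_BLOCKED_MAC
 action drop
vlan access-map VLAN10_MAC_FILTER 20
 action forward
!
! Attach the VACL to VLAN 10.
vlan filter VLAN10_MAC_FILTER vlan-list 10
```

`show vlan access-map` and `show vlan filter` display the resulting map and the VLANs it is attached to.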