mac-access-list

Jayesh Prajapati · ‎02-28-2009

hii,

we are using 3845 router in our WAN network.and each router (LAN) interface we are creat 3 to 4 subinterface. i want to block one of the Mac-address in the router,how it could be done ? through Mac-access-list i am creat Mac access ist but in LAN interface there is no command to allow mac access list??..how it's possible??

paolo bevilacqua · ‎02-28-2009

Please explain what problem are you trying to solve, mac ACL are for bridging only.

Jayesh Prajapati · ‎02-28-2009

hii ,

just i want to deny Mac id in my router (3845) how it's possible???

Bobby Thekkekandam · ‎02-28-2009

In order to do this you will have to enable bridging on the interface to apply the access-list on. See the example below:

Example:

access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware

DESTINATION address>

access-list 700 deny

access-list 700 permit 0.0.0 0.0.0 <--- Permit all

!

interface Ethernet0

ip access-group 700 in <--- applied inbound

Here is a sample config of what you need in the router in order to filter a mac address.

NOTE: In order to use MAC access-lists in a router you need to configure bridging. In this

case is IRB.

config t

bridge irb

bridge 1 protocol ieee

bridge 1 route ip

int e0 (or the interface you need)

no ip address

bridge-group 1

bridge-group 1 {input-address-list 700 | output-address-list 700} exit

int bvi1

ip address

exit

access-list 700 deny 0000.0000.0000

access-list 700 permit 0000.0000.0000 ffff.ffff.ffff

Depending on what else you're doing on the interface, this may or may not be a valid solution.