Filtering on 2960 by MAC

Unanswered Question
Feb 17th, 2010

I would like verification that this should work.

I only want a certain host to be able to have network access via port Fast0/22 on my 2960 switch. The device is IP but I want to limit it via MAC address not IP address. Will these commands work to accomplish my goal? It is not clear, in the Cisco documentation, that a MAC ACL will work regarding IP traffic. Here is what I am doing.

Extended MAC access list VC
    permit host xxxx.xxxx.xxxx any

I would then apply this to the interface Fast0/22 inbound, since a MAC ACL is only supported for incoming traffic.

Thank you for your help.

joereid44 Wed, 02/17/2010 - 07:00

Or you could just set the port security to tie it to one MAC address.

dohogue Wed, 02/17/2010 - 07:21

That sounds like it may be the easiest. Any idea how that is configured or where to look for the configuration examples? Something like that was my original thought but I could find nothing on it.
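The port-security approach suggested above, written out as a configuration example for the poster's situation. This is an added illustration, not configuration posted by anyone in the thread; the MAC address xxxx.xxxx.xxxx is the poster's own placeholder and the access VLAN (10) is assumed. Port security checks the source MAC of every frame entering the port, so it restricts IP and non-IP traffic alike; the MAC ACL approach discussed in the thread has the non-IP limitation on a Layer 2 switch.

```cisco
! Added example: restrict Fast0/22 on a 2960 to a single permitted host by MAC.
! Port security requires a static access port; it is not supported on dynamic ports.
interface FastEthernet0/22
 description Restricted host only (port security, 1 MAC)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address xxxx.xxxx.xxxx
 switchport port-security violation restrict
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Optional: if "violation shutdown" (the default) is used instead of "restrict",
! let the switch recover an err-disabled port automatically after the timer.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification commands (run from privileged EXEC):
!   show port-security interface FastEthernet0/22
!   show port-security address
!   show mac address-table interface FastEthernet0/22
```

With "violation restrict", frames from any other source MAC are dropped, the violation counter on the interface increments, and the switch logs a %PORT_SECURITY-2-PSECURE_VIOLATION syslog message naming the offending MAC and port, which is what you want to watch for in monitoring. "violation protect" drops silently with no log, and "violation shutdown" err-disables the port until it is reset or the recovery timer expires. The permitted address can also be learned rather than typed by replacing the static mac-address line with "switchport port-security mac-address sticky".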

Ganesh Hariharan Wed, 02/17/2010 - 11:28

Hi,

MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL.

Check out the below example, hope that helps.

Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#

If helpful do rate the post

Ganesh.H

c.walsh Wed, 03/24/2010 - 06:10

Mac address filtering does not work if the traffic is IP based.

It only works for non-IP based traffic.

If this helps, please rate my post!

Colin

c.walsh Wed, 03/24/2010 - 06:38

We tried this yesterday on a 2960, 3560 & a 3750 & it does not work.

The answer was provided by Cisco TAC, that the mac acl's only work for NON IP traffic.

This surprised us also.

Colin

c.walsh Wed, 03/24/2010 - 07:13

Technically you are correct, because the 3560 & 3750 switches were L3 devices.

However the 2960 S series switch did not work & the TAC engineer pointed out in the config guide it mentions that L2 mac address ACL's only work with NON IP traffic.

Cheers

Colin

Alexander Demin Wed, 06/30/2010 - 01:05

Anyway, is there some mechanism (I mean, on 3550/3560/3750 switches and 2960 also) to block _all_ incoming traffic from a client on an L2 port of a switch, based on the client host's source MAC address? The goal is: the client's source MAC address should _not_ come from a specified interface into the mac-address-table.

I specially mention that filtering should occur on a port, not in the whole vlan (I know about vlan-maps and mac-address-table static H.H.H vlan XXX drop).

Thanks!

Regards, Alex
