Filtering on 2960 by MAC

Feb 17th, 2010

I would like verification that this should work.


I only want a certain host to be able to have network access via port Fast0/22 on my 2960 switch. The device is IP but I want to limit it via MAC address not IP address. Will these commands work to accomplish my goal? It is not clear, in the Cisco documentation, that a MAC ACL will work regarding IP traffic. Here is what I am doing.


Extended MAC access list VC
    permit host xxxx.xxxx.xxxx any


I would then apply this to the interface Fast0/22 inbound, since a MAC ACL is only supported for incoming traffic.


Thank you for your help.

joereid44 Wed, 02/17/2010 - 07:00

Or you could just set the port security to tie it to one MAC address.

dohogue Wed, 02/17/2010 - 07:21

That sounds like it may be the easiest. Any idea how that is configured or where to look for the configuration examples? Something like that was my original thought, but I could find nothing on it.

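The port-security approach suggested above, written out as an added example (this is not configuration from the thread or from Cisco's documentation). It locks Fast0/22 to a single permitted source MAC; xxxx.xxxx.xxxx is the original poster's placeholder for the real address, and the 300-second err-disable recovery interval is an assumed value.

```cisco
! Added example: restrict Fa0/22 to one host by source MAC using port security.
! Port security requires a static access (or trunk) port, not a dynamic one.
Switch# configure terminal
Switch(config)# interface FastEthernet0/22
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
! Allow exactly one secure MAC on the port.
Switch(config-if)# switchport port-security maximum 1
! Bind that one slot to the host's address (placeholder from the original question).
Switch(config-if)# switchport port-security mac-address xxxx.xxxx.xxxx
! Violation mode: shutdown (default) err-disables the port when another MAC appears;
! restrict drops the offending frames, keeps the port up, increments the violation
! counter and logs/traps the event, which is usually preferable on a production port.
Switch(config-if)# switchport port-security violation shutdown
Switch(config-if)# exit
! Optional: automatically recover an err-disabled port after 300 seconds (assumed value).
Switch(config)# errdisable recovery cause psecure-violation
Switch(config)# errdisable recovery interval 300
Switch(config)# end
! Verification: confirm the secured address, the violation count and the port status.
Switch# show port-security interface FastEthernet0/22
Switch# show port-security address
Switch# show interfaces status err-disabled
```

Because port security is enforced on the secure MAC table rather than through an ACL, it applies to every frame the port receives regardless of whether the payload is IP, so the IP-versus-non-IP limitation discussed further down in this thread does not come into play. Watching the violation counter in `show port-security interface` (or the syslog/trap generated in restrict mode) is also the simplest way to detect an unexpected device being plugged into the port.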
Ganesh Hariharan Wed, 02/17/2010 - 11:28

Hi,


MAC ACL, also known as Ethernet ACL, can filter non-IP traffic on a VLAN and on a physical Layer 2 interface by using MAC addresses in a named MAC extended ACL.


Check out the example below; hope that helps.


Switch(config)# mac access-list extended my-mac-acl
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# exit
Switch(config)# interface Fastethernet0/10
Switch(config-if)# mac access-group my-mac-acl in
Switch(config-if)# end
Switch#


If helpful do rate the post


Ganesh.H

c.walsh Wed, 03/24/2010 - 06:10

Mac address filtering does not work if the traffic is IP based.

It only works for non-IP based traffic.


If this helps, please rate my post!


Colin

paolo bevilacqua Wed, 03/24/2010 - 06:33

On a layer 2 switch, MAC ACL will work regardless of the packet type.

c.walsh Wed, 03/24/2010 - 06:38

We tried this yesterday on a 2960, 3560 & a 3750 & it does not work.

The answer was provided by Cisco TAC, that the mac acl's only work for NON IP traffic.


This surprised us also.


Colin

paolo bevilacqua Wed, 03/24/2010 - 07:00

Right. Thank you for correcting me.

c.walsh Wed, 03/24/2010 - 07:13

Technically you are correct, because the 3560 & 3750 switches were L3 devices.


However, the 2960 S series switch did not work, and the TAC engineer pointed out that the config guide mentions that L2 MAC address ACLs only work with NON-IP traffic.


Cheers

Colin

Alexander Demin Wed, 06/30/2010 - 01:05

Anyway, is there some mechanism (I mean, on 3550/3560/3750 switches and 2960 also) to block _all_ incoming traffic from a client on an L2 port of a switch, based on the client host's source MAC address? The goal is: the client's source MAC address should _not_ come from a specified interface into the mac-address-table.


I specially mention that filtering should occur on a port, not in the whole vlan (I know about vlan-maps and mac-address-table static H.H.H vlan XXX drop).


Thanks!


Regards, Alex
