Local subnet MAC lockdown

PilbeamSupport
Level 1

Hi,

We have a bit of a strange issue where we have some devices on the network which cannot be secured and we need to isolate from the rest of the subnet.

Our switches are Cisco 2960.

Is it possible, via an ACL, to lock a specific port down to only allow traffic from specific MAC addresses?  I've had a go at this myself but not been able to make any progress.  The traffic type is TCP/IP.

Thanks,

Sean


Thanks for the response Alain, but I'm not sure how this would help, perhaps I should explain this better:

Subnet 10.0.0.0/24

Device needing protection: 10.0.0.1

Devices which should be able to access it: 10.0.0.2-10 (various MAC addresses)

Devices which should not be able to access it: 10.0.0.11-10.0.0.254 (various MAC addresses)

That said, all devices need to generally be able to see each other (10.0.0.2-10.0.0.254); this is why I thought if I could allow only the 10.0.0.2-10.0.0.10 device MAC addresses to access the 10.0.0.1 MAC, it would be a perfect solution.

All devices are on VLAN 1.

Sean

Hi,

there is no way of filtering by MAC address in an ACL for IP traffic.

The only way to block a MAC address is to do a static MAC entry either pointing to a non-active port or to add the keyword drop (meaning sending it to the bit bucket).

So if you configure a manual binding on your dhcp server then each device will always have the same IP tied to the MAC and then you can play with ACLs on the SVI (IP ACLs).

If I've got another idea I'll let you know but as of now I don't see any other way with only your 2960.

Regards.

Alain

Don't forget to rate helpful posts.

Alain,

This is indeed what I've found. I'm happy to block it based on IP, but my understanding was that IP-based ACLs only worked on routed networks, i.e. you could set one for 10.1.0.0/24 denied to 10.2.0.0/24, but not 10.0.0.1 denied to 10.0.0.2.

If it can be done, how would I set this up?

Sean

Hi,

you can apply an ACL on a L2 port but only in the inbound direction

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swacl.html#wp1285529

Regards.

Alain

Don't forget to rate helpful posts.

Alain,

I had tried this approach but get the following error when I try to apply the ACL to the interface:

%ERROR: Port-based ACLs are not supported with this image

I have found that I can apply it to the VLAN however and this works. 

Does the 2960 support an image which would support this on a specific interface? Is it a software upgrade?

Sean

First of all

what type of 2960 is the switch?

Is it LAN Base or LAN Lite?

The reason why I ask is that there are differences in what they can do.

Second

If you try to secure your devices with an IP access-list,

know that it does not block other protocols such as NetBEUI, IPX/SPX, AppleTalk or IPv6.

This means that even if you do get the ACL in place and the access-list is "ok", the devices can still talk.

So if this is the method you go with, then turn off all other protocols on the device.

Third

The devices that you want to talk between them, how do they get their IP addresses? DHCP, or manual config?

Good luck

Hi,

It's running LanLite.

TCP/IP is all we're worried about.

Thanks,

S

Hi

The LAN Lite does not support "normal" ACLs.

See below for the differences between LAN Lite and LAN Base.

It does however seem to support MAC-based ACLs,

at least it will accept the commands.

I have not tested it though.

http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/prod_qas0900aecd80322c37.html

Q. What are the notable differences between the Cisco Catalyst 2960 LAN Base and LAN Lite switches?

A. Cisco Catalyst 2960 LAN Base switches have several advantages:

• Gigabit Ethernet connectivity in 8-, 24-, and 48-port configurations

• RPS support and support for a wide range of SFP transceivers

• Enhanced security through Layer 2-4 access control lists (ACLs), DHCP Snooping, and more extensive Network Admission Control capabilities such as Web authentication and 802.1x enhancements

• Additional QoS capabilities: The LAN Base IOS supports policing, class and policy maps, differentiated services code point (DSCP), AutoQoS, and configurable queue weights, buffers, and thresholds

• Higher network-level availability with features such as Flex Links and Link State Tracking

• Increased number of VLANs (256) and other enhancements such as IPv6 Host, MLD Snooping, LLDP-MED, RSPAN, MVR, DHCP Option 82, and IP SLA (responder)

Good luck

HTH

Thanks, I'll just have to apply the ACL to the VLAN as opposed to an interface.

Sean
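As an added illustration (not code from the thread, from Cisco, or from the posters), here is the IP-ACL approach Alain suggested worked through for the address plan Sean gave: the script turns the allowed range 10.0.0.2-10.0.0.10 into wildcard-mask ACEs in Cisco extended-ACL syntax, then evaluates sample source/destination pairs with first-match semantics and the implicit deny, so the filter can be checked before it is put on the VLAN. It assumes the ACL is applied where it sees traffic heading towards 10.0.0.1; the protocol is fixed to `ip`, and MAC matching is not modelled because, as the thread notes, IP ACLs cannot match on MAC.

```python
import ipaddress

# Constructed from the thread's address plan: protect .1, allow .2-.10, deny the rest of the /24.
PROTECTED = "10.0.0.1"
ALLOWED = ("10.0.0.2", "10.0.0.10")
SUBNET = "10.0.0.0/24"


def range_to_wildcards(first, last):
    """Split an inclusive IPv4 range into aligned blocks, returned as
    (address, wildcard) string pairs usable in a Cisco extended ACL."""
    lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
    blocks = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned to its size and inside the range.
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        blocks.append((str(ipaddress.IPv4Address(lo)), str(ipaddress.IPv4Address(size - 1))))
        lo += size
    return blocks


def build_acl():
    """IOS extended-ACL lines: permit the allowed hosts to the protected host,
    deny the rest of the subnet to it, and leave all other traffic alone."""
    lines = []
    for addr, wc in range_to_wildcards(*ALLOWED):
        src = f"host {addr}" if wc == "0.0.0.0" else f"{addr} {wc}"
        lines.append(f"permit ip {src} host {PROTECTED}")
    net = ipaddress.IPv4Network(SUBNET)
    lines.append(f"deny ip {net.network_address} {net.hostmask} host {PROTECTED}")
    lines.append("permit ip any any")  # other hosts still see each other
    return lines


def _parse_spec(tokens):
    """Consume one address spec ('any' | 'host A' | 'A WILDCARD') as (addr, wildcard) ints."""
    if tokens[0] == "any":
        return (0, 0xFFFFFFFF), tokens[1:]
    if tokens[0] == "host":
        return (int(ipaddress.IPv4Address(tokens[1])), 0), tokens[2:]
    return (int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1]))), tokens[2:]


def evaluate(acl, src, dst):
    """First-match evaluation of 'permit|deny ip SRC DST' lines; unmatched traffic is denied."""
    for line in acl:
        action, _proto, *tokens = line.split()
        (s_addr, s_wc), tokens = _parse_spec(tokens)
        (d_addr, d_wc), _ = _parse_spec(tokens)
        s_ok = (int(ipaddress.IPv4Address(src)) ^ s_addr) & ~s_wc & 0xFFFFFFFF == 0
        d_ok = (int(ipaddress.IPv4Address(dst)) ^ d_addr) & ~d_wc & 0xFFFFFFFF == 0
        if s_ok and d_ok:
            return action == "permit"
    return False  # implicit deny
```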
