Banning certain MAC addresses

bwindle
Level 1

I need to block all traffic to/from certain MAC addresses from within a certain VLAN on a 6500 running CatOS. Is there a way to do per-VLAN MAC-based access-lists?

Accepted Solution

Marvin Rhoads
Hall of Fame

Use the "set cam filter" command. See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/7_4/config/sec_port.htm

for details.

Does this help? Please rate it if it does.


What is the cmd in IOS? Thanks

The IOS command functional equivalent is "mac access-list extended" Here is a snippet from the IOS command reference that covers the highlights:

Once you enter the mac access-list extended name command, use the following subset to create or delete entries in a MAC-access list:

    [no] {permit | deny} {{src-mac mask | any} {dest-mac mask} | any} [protocol [vlan vlan] [cos value]]}

Reference "Catalyst 6500 Series Cisco IOS Command Reference, 12.2SX" (http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_command_reference_book09186a0080160cd0.html) page 2-357.
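Putting the IOS answer to work on the original per-VLAN question: the MAC ACL only selects frames, and it is a VLAN access map (VACL) that drops them and limits the effect to one VLAN. The configuration below is an added example, not taken from the thread or from the Cisco command reference; VLAN 10, the MAC address 0020.1223.e3f4 and the names BAD-MAC and BLOCK-BAD-MAC are constructed sample values.

```cisco
! Drop every frame to or from one MAC address, in VLAN 10 only,
! on a Catalyst 6500 running Cisco IOS. Sample values are constructed.
!
! 1. The MAC ACL *permits* (selects) the traffic we want to act on.
!    A "deny" here would mean "not selected", so the frame would fall
!    through to the forward clause below and NOT be blocked.
mac access-list extended BAD-MAC
 permit host 0020.1223.e3f4 any
 permit any host 0020.1223.e3f4
!
! 2. The VLAN access map applies the action: selected frames are
!    dropped, everything else reaches clause 20 and is forwarded.
vlan access-map BLOCK-BAD-MAC 10
 match mac address BAD-MAC
 action drop
vlan access-map BLOCK-BAD-MAC 20
 action forward
!
! 3. Bind the map to VLAN 10 alone; other VLANs are not affected.
vlan filter BLOCK-BAD-MAC vlan-list 10
!
! 4. As the thread notes, MAC ACLs classify only non-IP traffic by
!    default. On 6500 IOS the interface command below makes IP frames
!    subject to the MAC ACL as well (assumed present on the release in use).
interface Vlan10
 mac packet-classify
!
! Verification: confirm the clauses and the VLAN binding.
show vlan access-map BLOCK-BAD-MAC
show vlan filter
```

Blocking by MAC is a containment measure only: the address is set by the host and can be changed, so treat a hit on this filter as a signal to investigate the port it came from rather than as a durable control.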

yes, perfect!! Thank you!!!!

I was looking for something similar: how to block access from unknown mac addresses on a switch. Problem is that the clients are laptops that can move between ports on the switch. The above 'mac acl' seems to be for non-ip traffic only.

'Switchport port-security' seems to limit a mac address to a certain port, so moving to another port will result in a violation.

Any thoughts on a solution?

Hello,

not sure about unknown MAC addresses, but if you have an unused port on your switch, you could blackhole traffic for a specific MAC address:

mac-address-table static 0020.1223.e3f4 vlan <vlan-id> interface GigabitEthernet0/2

Since static entries take precedence over dynamic entries, all traffic for that MAC address will effectively be dropped.

Regards,

GP