Cisco Support Community

New Member

Banning certain MAC addresses

I need to block all traffic to/from certain MAC addresses from within a certain VLAN on a 6500 running CatOS. Is there a way to do per-VLAN MAC-based access-lists?

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

Re: Banning certain MAC addresses

Use the "set cam filter" command. See http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/7_4/config/sec_port.htm

for details.

Does this help? Please rate it if it does.

6 REPLIES
New Member

Re: Banning certain MAC addresses

What is the cmd in IOS? Thanks

Hall of Fame Super Silver

Re: Banning certain MAC addresses

The IOS command functional equivalent is "mac access-list extended". Here is a snippet from the IOS command reference that covers the highlights:

Once you enter the mac access-list extended name command, use the following subset to create or delete entries in a MAC-access list:

[no] {permit | deny} {{src-mac mask | any} {dest-mac mask} | any} [protocol [vlan vlan] [cos value]]}

Reference "Catalyst 6500 Series Cisco IOS Command Reference, 12.2SX" (http://www.cisco.com/en/US/partner/products/hw/switches/ps708/products_command_reference_book09186a0080160cd0.html) page 2-357.

New Member

Re: Banning certain MAC addresses

yes, perfect!! Thank you!!!!

New Member

Re: Banning certain MAC addresses

I was looking for something similar: how to block access from unknown MAC addresses on a switch. The problem is that the clients are laptops that can move between ports on the switch. The above 'mac acl' seems to be for non-IP traffic only.

'Switchport port-security' seems to limit a mac address to a certain port, so moving to another port will result in a violation.

Any thoughts on a solution?

VIP Purple

Re: Banning certain MAC addresses

Hello,

not sure about unknown MAC addresses, but if you have an unused port on your switch, you could blackhole traffic for a specific MAC address:

mac-address-table static 0020.1223.e3f4 vlan <vlan-id> interface GigabitEthernet0/2
! <vlan-id> is a placeholder: IOS requires the VLAN the static entry belongs to

Since static entries take precedence over dynamic entries, all traffic for that MAC address will effectively be dropped.

Regards,

GP
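As an added example (not posted by anyone in this thread), the two IOS approaches above combined on a Catalyst 6500 to block specific MAC addresses within a single VLAN, which is what the original question asked for: the MAC ACL from the earlier reply is applied per VLAN through a VLAN access map, and the static-entry blackhole uses the 6500's drop keyword instead of tying up an unused port. VLAN 10, the ACL and map names, and the second MAC address (0000.1111.2222) are assumed for the example.

```cisco
! Catalyst 6500, Cisco IOS 12.2SX syntax. VLAN 10, the names and the
! second MAC address are assumed for this example.
!
! 1. Per-VLAN filter. A VACL acts on frames the referenced ACL permits,
!    so the ACL lists the banned stations and the map drops them.
!    The mask is a wildcard: 0000.0000.0000 means every bit must match.
mac access-list extended BANNED-MACS
 permit 0020.1223.e3f4 0000.0000.0000 any
 permit any 0020.1223.e3f4 0000.0000.0000
 permit 0000.1111.2222 0000.0000.0000 any
 permit any 0000.1111.2222 0000.0000.0000
!
vlan access-map BAN-VLAN10 10
 match mac address BANNED-MACS
 action drop
vlan access-map BAN-VLAN10 20
 action forward
!
vlan filter BAN-VLAN10 vlan-list 10
!
! Caveat raised later in the thread: on the 6500 a MAC ACL classifies
! only non-IP frames by default. Later 12.2SX releases add the interface
! command "mac packet-classify" to extend that to IP traffic; confirm it
! in the command reference for the release in use before relying on it.
!
! 2. Blackhole alternative. A static entry takes precedence over the
!    learned one, and 6500 IOS accepts "drop" in place of an interface.
mac-address-table static 0020.1223.e3f4 vlan 10 drop
```

show vlan access-map and show vlan filter confirm the map and its VLAN binding; show mac-address-table address 0020.1223.e3f4 shows whether the static drop entry is in place.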
