mac acl in 3560 switch

netkrish80 · ‎01-20-2006

Hi,

I have created a mac acl as descibed in the following link.

http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00804cc117.html#wp1075613

But some times it works. But most of the time it is not working.

How to solve this?

Krishna.

Georg Pauwen · ‎01-21-2006

Hello Krishna,

keep in mind that MAC access lists work for non-IP traffic only. What are you trying to accomplish ? If you need to block specific MAC addresses from entering a switchport, you might want to consider port security, as in the example below, where you would only allow a single specified MAC address to enter a port:

interface FastEthernet0/1

switchport port-security

switchport port-security maximum 1

switchport port-security mac-address 1234.1234.1234

As an alternative, if you want to block a certain MAC address from your entire switch, you could add a static entry for that MAC address and direct it to an unused port (GigabitEthernet0/2 in the example), as described below, effectively blackholing traffic for that MAC address:

mac-address-table static 0020.1223.e3f4 interface GigabitEthernet0/2

Since static entries take precedence over dynamic entries, all traffic for that MAC address wil effectively be dropped.

HTH,

GP

netkrish80 · ‎01-22-2006

Hi George,

We are using ip traffic only.

scenario

server A fa0/1 mac address x.x.x.x

server B fa0/2 mac address y.y.y.y

both are in the same vlan.

server b should only talk to server A. Any other traffic to server B from same vlan should be blocked.

can you please help me.

KRishna.

Georg Pauwen · ‎01-22-2006

Hello Krishna,

port security should still work in your situation. Basically, what you do is to allow only the MAC addresses from server A and B to access the switchport where server B is connected to. Traffic from all other MAC addresses will be blocked. Since your server B is connected to interface FastEthernet0/2, the configuration of that interface should look like this:

interface FastEthernet0/2

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address 1234.1234.1234

switchport port-security mac-address acab.1234.09k8

The MAC addresses specified are those of server A and B.

Does that make sense ? Let me know if you run into trouble...

Regards,

GP

netkrish80 · ‎01-30-2006

Hi George,

I applied the configuration as specified in your earlier update.

Nobody is able to reach server A when we applied the configuration on server B's port.

Please let me know the other options.

Krishna.

pkhatri · ‎01-30-2006

Hi Krishna,

Would it be possible for you to post the config you have on Fast0/1 and Fast0/2 (together with the port security commands) ?

Thanks,

Paresh

netkrish80 · ‎02-05-2006

Hi ,

Please find below the configuration.

interface FastEthernet0/2

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address 1234.1234.1234 -- mac address of A

switchport port-security mac-address acab.1234.09k8 - mac address of B

Int fa0/1

switchport mode access

also i tried VACL as specified in the below mentioned url

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Still it is not working.

please help

Krishna