01-20-2006 11:51 PM - edited 03-03-2019 01:31 AM
Hi,
I have created a MAC ACL as described in the following link.
Sometimes it works, but most of the time it does not.
How to solve this?
Krishna.
01-21-2006 12:36 AM
Hello Krishna,
Keep in mind that MAC access lists work for non-IP traffic only. What are you trying to accomplish? If you need to block specific MAC addresses from entering a switchport, you might want to consider port security, as in the example below, where you would only allow a single specified MAC address to enter a port:
interface FastEthernet0/1
switchport port-security
switchport port-security maximum 1
switchport port-security mac-address 1234.1234.1234
As an alternative, if you want to block a certain MAC address from your entire switch, you could add a static entry for that MAC address and direct it to an unused port (GigabitEthernet0/2 in the example), as described below, effectively blackholing traffic for that MAC address:
mac-address-table static 0020.1223.e3f4 interface GigabitEthernet0/2
Since static entries take precedence over dynamic entries, all traffic for that MAC address will effectively be dropped.
HTH,
GP
01-22-2006 07:44 AM
Hi George,
We are using IP traffic only.
Scenario:
Server A fa0/1 MAC address x.x.x.x
Server B fa0/2 MAC address y.y.y.y
Both are in the same VLAN.
Server B should only talk to server A. Any other traffic to server B from the same VLAN should be blocked.
Can you please help me?
Krishna.
01-22-2006 11:37 AM
Hello Krishna,
Port security should still work in your situation. Basically, what you do is allow only the MAC addresses of servers A and B to access the switchport to which server B is connected. Traffic from all other MAC addresses will be blocked. Since your server B is connected to interface FastEthernet0/2, the configuration of that interface should look like this:
interface FastEthernet0/2
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 1234.1234.1234
switchport port-security mac-address acab.1234.09k8
The MAC addresses specified are those of server A and B.
Does that make sense? Let me know if you run into trouble...
Regards,
GP
01-30-2006 01:01 AM
Hi George,
I applied the configuration as specified in your earlier update.
Nobody is able to reach server A when we applied the configuration on server B's port.
Please let me know the other options.
Krishna.
01-30-2006 02:22 PM
Hi Krishna,
Would it be possible for you to post the config you have on Fast0/1 and Fast0/2 (together with the port security commands)?
Thanks,
Paresh
02-05-2006 04:16 AM
Hi,
Please find below the configuration.
interface FastEthernet0/2
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 1234.1234.1234 -- mac address of A
switchport port-security mac-address acab.1234.09k8 - mac address of B
Int fa0/1
switchport mode access
Also, I tried a VACL as specified in the below-mentioned URL.
Still it is not working.
Please help.
Krishna
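A small offline lint for port-security stanzas like the ones posted in this thread, added here as an example and not written by any of the posters: it checks that each static secure MAC is valid dotted hex, that their count does not exceed `maximum`, and that the port has a static mode. The function names are hypothetical, and the static-mode check assumes a platform that only accepts port security on static access or trunk ports.

```python
import re

# Cisco dotted-hex MAC: three dot-separated groups of four hex digits.
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}(\.[0-9a-fA-F]{4}){2}$")
PREFIX = ["switchport", "port-security"]
STATIC_MODES = ("switchport mode access", "switchport mode trunk")

def parse_interfaces(config):
    """Map each interface name to the list of its sub-commands."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.split("!")[0].strip()          # drop IOS '!' comments
        if line.lower().startswith(("interface ", "int ")):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line and current is not None:
            stanzas[current].append(line)
    return stanzas

def lint_port_security(config):
    """Return (interface, finding) pairs for ports with port security on."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if "switchport port-security" not in lines:
            continue                               # port security not enabled
        maximum, macs = 1, []                      # IOS default maximum is 1
        for words in (l.split() for l in lines):
            if words[:2] != PREFIX or len(words) < 4:
                continue
            if words[2] == "maximum":
                maximum = int(words[3])
            elif words[2] == "mac-address" and words[3] != "sticky":
                macs.append(words[3])
        for mac in macs:
            if not MAC_RE.match(mac):
                findings.append((name, f"invalid MAC address {mac}"))
        if len(macs) > maximum:
            findings.append((name, f"{len(macs)} static MACs exceed maximum {maximum}"))
        # Assumption: the platform rejects port security on dynamic ports.
        if not any(l in STATIC_MODES for l in lines):
            findings.append((name, "no static switchport mode configured"))
    return findings

# Constructed sample: the stanzas posted in the thread, annotations removed.
SAMPLE = """\
interface FastEthernet0/2
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 1234.1234.1234
 switchport port-security mac-address acab.1234.09k8
Int fa0/1
 switchport mode access
"""
```

Calling `lint_port_security(SAMPLE)` returns the findings for FastEthernet0/2 only, since fa0/1 has no port security enabled.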