Configuring Unicast MAC Address Filtering - Cisco Catalyst 4500 Series Configuration Manual

Release IOS XE 3.3.0SG and IOS 15.1(1)SG

Chapter 51
Configuring Network Security with ACLs

In the following code, the Layer 4 operations for the third ACE trigger an attempt to translate dst lt 1023 into multiple ACEs in hardware, because three source and three destination operations exist. If the translation attempt fails, the third ACE is processed in software.

access-list 102 permit tcp any lt 80 any gt 100
access-list 102 permit tcp any range 100 120 any range 120 1024
access-list 102 permit tcp any gt 1024 any lt 1023

Similarly, for access list 103, the third ACE triggers an attempt to translate dst gt 1023 into multiple ACEs in hardware. If the attempt fails, the third ACE is processed in software. Although the operations for source and destination ports look similar, they are considered different Layer 4 operations.

access-list 103 permit tcp any lt 80 any lt 80
access-list 103 permit tcp any range 100 120 any range 100 120
access-list 103 permit tcp any gt 1024 any gt 1023

Note  Remember that source port lt 80 and destination port lt 80 are considered different operations.

Some packets must be sent to the CPU for accounting purposes, but the action is still performed by the hardware. For example, if a packet must be logged, a copy is sent to the CPU for logging, but the forwarding (or dropping) is performed in the hardware. Although logging slows the CPU, it does not affect the forwarding rate. This sequence of events happens under the following conditions:

• When a log keyword is used
• When an output ACL denies a packet
• When an input ACL denies a packet and ip unreachables is enabled on the interface where the ACL is applied (ip unreachables is enabled by default on all interfaces)

Configuring Unicast MAC Address Filtering

To block all unicast traffic to or from a MAC address in a specified VLAN, perform this task:

Command:
  Switch(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose:
  Blocks all traffic to or from the configured unicast MAC address in the specified VLAN. To clear MAC address-based blocking, use the no form of this command without the drop keyword.

This example shows how to block all unicast traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Switch# configure terminal
Switch(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop

Software Configuration Guide—Release IOS XE 3.3.0SG and IOS 15.1(1)SG    OL-25340-01    51-13
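The following script is an added example and not part of the Cisco guide. It produces the mac-address-table static ... drop lines from the task above for a whole blocklist, and the no form (without the drop keyword) that clears them. Beyond what the page shows, it normalizes the colon, hyphen and Cisco dotted MAC notations into the dotted form IOS prints, refuses a MAC whose I/G bit is set (a group address, which this unicast filter is not meant for), and range-checks the VLAN ID. The blocklist and the second MAC address in it are constructed for illustration.

```python
"""Build and validate Catalyst 4500 unicast MAC filtering commands.

Added example, not Cisco code. It generates the
"mac-address-table static <mac> vlan <id> drop" lines from the task table
and the matching "no" form (without the drop keyword) that clears the block.
The blocklist at the bottom is constructed for illustration.
"""
import re

# Accepts 00:50:3e:8d:64:00, 00-50-3e-8d-64-00 and 0050.3e8d.6400 (case-insensitive).
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$", re.I
)


def normalize_mac(mac: str) -> str:
    """Return the MAC in the dotted-hex form IOS uses (0050.3e8d.6400)."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def is_unicast(mac: str) -> bool:
    """True when the I/G bit (least significant bit of the first octet) is clear."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return first_octet & 0x01 == 0


def validate_vlan(vlan: int) -> int:
    """Reject VLAN IDs outside the 802.1Q range 1-4094."""
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN ID out of range: {vlan}")
    return vlan


def drop_command(mac: str, vlan: int) -> str:
    """The command from the task table: block all unicast traffic to or from mac in vlan."""
    if not is_unicast(mac):
        # A group (multicast/broadcast) address is not what this unicast filter targets;
        # refuse it rather than emit a line whose effect differs from the intent.
        raise ValueError(f"{mac} is a group address, not a unicast MAC")
    return f"mac-address-table static {normalize_mac(mac)} vlan {validate_vlan(vlan)} drop"


def clear_command(mac: str, vlan: int) -> str:
    """The no form, without the drop keyword, that removes the block."""
    return f"no mac-address-table static {normalize_mac(mac)} vlan {validate_vlan(vlan)}"


def build_config(blocklist, clear: bool = False):
    """Render a configure-terminal session for every (mac, vlan) pair."""
    lines = ["configure terminal"]
    for mac, vlan in blocklist:
        lines.append(clear_command(mac, vlan) if clear else drop_command(mac, vlan))
    lines.append("end")
    return lines


# Constructed blocklist: the address from the guide's example plus a made-up neighbour
# written in colon notation to exercise the normalization.
BLOCKLIST = [("0050.3e8d.6400", 12), ("00:50:3E:8D:64:01", 12)]

if __name__ == "__main__":
    print("\n".join(build_config(BLOCKLIST)))
    print("\n".join(build_config(BLOCKLIST, clear=True)))
```

Paste the printed session into the switch as-is; the clear=True rendering undoes it. The group-address check matters because the page documents this command for unicast MACs only.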
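The Layer 4 operation counting described for access lists 102 and 103 above, as an added example that is not Cisco code: the script parses those ACEs and reports, per ACE, which source and destination port operations are new to the ACL, applying the two rules the text gives (a source operation and a destination operation with the same operator and operand are different; an operation reused by a later ACE is not counted again). The page does not state the hardware budget, so it is passed in as max_ops; treating eq as a plain match rather than a Layer 4 operation, and including neq among the operators, follows Cisco's general guidance and is an assumption beyond this page.

```python
"""Count the distinct Layer 4 operations an extended ACL asks the hardware for.

Added example, not Cisco code. Input is the access-list 102 / 103 text from the
guide. Source and destination operations are counted separately, and the same
operation reused in a later ACE is counted once. The hardware budget (max_ops)
is a caller-supplied assumption; the page does not state it.
"""
from typing import List, Optional, Tuple

# operator -> number of port operands. eq is a direct match, not a Layer 4
# operation, and neq counts as one (assumption; not stated on this page).
L4_OPERATORS = {"lt": 1, "gt": 1, "neq": 1, "range": 2}

# The two ACLs from the guide, used as sample input.
ACL_102 = [
    "access-list 102 permit tcp any lt 80 any gt 100",
    "access-list 102 permit tcp any range 100 120 any range 120 1024",
    "access-list 102 permit tcp any gt 1024 any lt 1023",
]
ACL_103 = [
    "access-list 103 permit tcp any lt 80 any lt 80",
    "access-list 103 permit tcp any range 100 120 any range 100 120",
    "access-list 103 permit tcp any gt 1024 any gt 1023",
]


def _parse_endpoint(tokens: List[str], i: int) -> Tuple[str, Optional[Tuple[str, ...]], int]:
    """Consume an address spec (any | host A | A wildcard) and an optional port operation."""
    if tokens[i] == "any":
        addr, i = "any", i + 1
    elif tokens[i] == "host":
        addr, i = f"host {tokens[i + 1]}", i + 2
    else:
        addr, i = f"{tokens[i]} {tokens[i + 1]}", i + 2
    op = None
    if i < len(tokens) and tokens[i] in L4_OPERATORS:
        n = L4_OPERATORS[tokens[i]]
        op = tuple(tokens[i:i + 1 + n])  # e.g. ("range", "100", "120")
        i += 1 + n
    elif i < len(tokens) and tokens[i] == "eq":
        i += 2  # plain port match: one operand, no hardware operation
    return addr, op, i


def parse_ace(line: str) -> dict:
    """Split 'access-list N permit|deny proto src [op] dst [op] ...' into its parts."""
    t = line.split()
    if len(t) < 6 or t[0] != "access-list":
        raise ValueError(f"not an extended ACE: {line!r}")
    src, src_op, i = _parse_endpoint(t, 4)
    dst, dst_op, i = _parse_endpoint(t, i)
    return {"acl": t[1], "action": t[2], "proto": t[3], "src": src, "dst": dst,
            "src_op": src_op, "dst_op": dst_op, "tail": t[i:]}


def l4_operations(acl_lines: List[str]) -> List[dict]:
    """Per ACE: the new (direction, operation) pairs it introduces and the running totals."""
    seen = set()
    report = []
    for n, line in enumerate(acl_lines, 1):
        ace = parse_ace(line)
        new = []
        for direction, op in (("src", ace["src_op"]), ("dst", ace["dst_op"])):
            # source and destination are different operations even with equal operands
            if op is not None and (direction, op) not in seen:
                seen.add((direction, op))
                new.append((direction, " ".join(op)))
        src_total = sum(1 for d, _ in seen if d == "src")
        report.append({"ace": n, "new": new, "src_total": src_total,
                       "dst_total": len(seen) - src_total, "total": len(seen)})
    return report


def first_ace_over_budget(acl_lines: List[str], max_ops: int) -> Optional[int]:
    """1-based index of the first ACE that pushes the distinct count past max_ops, else None."""
    for entry in l4_operations(acl_lines):
        if entry["total"] > max_ops:
            return entry["ace"]
    return None


if __name__ == "__main__":
    for name, acl in (("102", ACL_102), ("103", ACL_103)):
        for entry in l4_operations(acl):
            print(f"ACL {name} ACE {entry['ace']}: new={entry['new']} "
                  f"src={entry['src_total']} dst={entry['dst_total']} total={entry['total']}")
```

For both ACLs the third ACE is the one that brings the count to three source and three destination operations, which is the point at which the text says the translation attempt is made; running the report over a production ACL shows which ACE would be the first to fall back to software for a given budget.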
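The three CPU-copy conditions listed above, turned into a configuration check (added example, not Cisco code): it scans a running-config for ACEs that carry the log keyword, interfaces with an inbound ACL on which ip unreachables is still at its enabled default (so every inbound deny is copied to the CPU), and interfaces with an outbound ACL (where a deny is copied regardless). The sample configuration, its interface names and ACL numbers are constructed; the suggestion to add no ip unreachables only removes the third condition the page names and is not a recommendation from the guide.

```python
"""Find where a Catalyst 4500 will copy ACL traffic to the CPU.

Added example, not Cisco code. Scans an IOS running-config for the three
conditions named in the guide: ACEs with the log keyword, inbound ACLs on an
interface where ip unreachables is enabled (the default), and outbound ACLs.
SAMPLE_CONFIG is constructed; the interface names and ACL numbers are invented.
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
access-list 102 permit tcp any lt 80 any gt 100
access-list 102 deny ip any any log
access-list 110 permit ip 10.1.12.0 0.0.0.255 any
access-list 110 deny ip any any
!
interface GigabitEthernet1/1
 ip address 10.1.12.1 255.255.255.0
 ip access-group 102 in
!
interface GigabitEthernet1/2
 ip address 10.1.13.1 255.255.255.0
 no ip unreachables
 ip access-group 110 in
!
interface GigabitEthernet1/3
 ip address 10.1.14.1 255.255.255.0
 ip access-group 110 out
!
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Per interface: applied access-groups and whether ip unreachables is enabled."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            # ip unreachables is on by default, so assume enabled until "no ip unreachables" appears
            interfaces[current] = {"acl_in": None, "acl_out": None, "unreachables": True}
            continue
        if not raw.startswith(" "):
            current = None  # left the interface block
            continue
        if current is None:
            continue
        line = raw.strip()
        if line == "no ip unreachables":
            interfaces[current]["unreachables"] = False
        elif line.startswith("ip access-group "):
            _, _, name, direction = line.split()
            interfaces[current]["acl_" + direction] = name
    return interfaces


def logged_aces(config: str) -> List[str]:
    """Numbered ACEs whose log (or log-input) keyword sends a copy of each match to the CPU."""
    return [l.strip() for l in config.splitlines()
            if l.startswith("access-list ") and re.search(r"\blog(-input)?\b", l)]


def cpu_copy_findings(config: str) -> List[str]:
    """One finding per condition under which a packet is copied to the CPU."""
    findings = [f"ACE logs to CPU: {ace}" for ace in logged_aces(config)]
    for name, props in parse_interfaces(config).items():
        if props["acl_in"] and props["unreachables"]:
            findings.append(f"{name}: inbound ACL {props['acl_in']} denies are copied to CPU "
                            f"(ip unreachables enabled); 'no ip unreachables' removes this condition")
        if props["acl_out"]:
            findings.append(f"{name}: outbound ACL {props['acl_out']} denies are always copied to CPU")
    return findings


if __name__ == "__main__":
    for finding in cpu_copy_findings(SAMPLE_CONFIG):
        print(finding)
```

Feed it the output of show running-config; none of the findings changes the forwarding rate, as the text notes, but each one is a way for an attacker who can generate denied or logged traffic to load the CPU.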