Configuring Unicast Mac Address Filtering; Configuring Named Mac Extended Acls - Cisco 4500M Software Manual


Chapter 35
Configuring Network Security with ACLs

Configuring Unicast MAC Address Filtering

To block all unicast traffic to or from a MAC address in a specified VLAN, perform this task:

Command: Switch(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: Blocks all traffic to or from the configured unicast MAC address in the specified VLAN. To clear MAC address-based blocking, use the no form of this command without the drop keyword.

This example shows how to block all unicast traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Router# configure terminal
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop

Configuring Named MAC Extended ACLs

You can filter non-IP traffic on a VLAN and on a physical Layer 2 port by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. You can use a number to name the access list, but MAC access list numbers from 700 to 799 are not supported.

Note: Named MAC extended ACLs cannot be applied to Layer 3 interfaces.

For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.

To create a named MAC extended ACL, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# mac access-list extended name
Purpose: Defines an extended MAC access list using a name.

Step 3
Command: Switch(config-ext-macl)# {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns}]
Purpose: In extended MAC access-list configuration mode, specifies whether to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address, and any destination MAC address, a destination MAC address with a mask, or a specific destination MAC address.
(Optional) [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns}]

Step 4
Command: Switch(config-ext-macl)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command: Switch# show access-lists [number | name]
Purpose: Shows the access list configuration.

Step 6
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
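A pre-deployment check for the Step 3 entry syntax, added here as an example that is not part of the Cisco manual: it lints configuration text for named MAC extended ACLs, flagging list numbers in the unsupported 700-799 range, entries that do not fit the {deny | permit} source destination form, and protocol-family keywords that are not in the list above. The function name, the sample configuration, and the assumption that entries are indented under their ACL header line are constructed for illustration.

```python
import re

# Protocol families listed in Step 3 of the procedure above.
PROTOCOL_FAMILIES = {"appletalk", "arp-non-ipv4", "decnet", "ipx", "ipv6",
                     "rarp-ipv4", "rarp-non-ipv4", "vines", "xns"}
MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ADDR = rf"(?:any|host\s+{MAC}|{MAC}\s+{MAC})"  # any | host MAC | MAC mask
ACE = re.compile(rf"(deny|permit)\s+{ADDR}\s+{ADDR}"
                 rf"(?:\s+protocol-family\s+(\S+))?", re.I)

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
mac access-list extended block-legacy
 deny any any protocol-family decnet
 deny host 0050.3e8d.6400 any
 deny 0050.3e8d.6400 any
 permit any any protocol-family decent
 permit any any
mac access-list extended 710
 permit any any
"""


def lint_mac_acls(config_text):
    """Return (line_no, message) findings for named MAC extended ACL stanzas."""
    findings, in_acl = [], False
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"mac access-list extended\s+(\S+)", line)
        if header:
            in_acl, name = True, header.group(1)
            if name.isdigit() and 700 <= int(name) <= 799:
                findings.append((no, f"ACL number {name} is in the unsupported 700-799 range"))
        elif in_acl and raw[:1].isspace():
            ace = ACE.fullmatch(line)
            if not ace:
                findings.append((no, "entry does not match the Step 3 syntax"))
            elif ace.group(2) and ace.group(2).lower() not in PROTOCOL_FAMILIES:
                findings.append((no, f"unknown protocol family {ace.group(2)!r}"))
        else:
            in_acl = False
    return findings


if __name__ == "__main__":
    for no, message in lint_mac_acls(SAMPLE_CONFIG):
        print(f"line {no}: {message}")
```

In the sample, line 4 is flagged because a bare MAC address needs either the host keyword or a mask, line 5 because of the mistyped decnet keyword, and line 7 because of the list number.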
Software Configuration Guide—Release 12.2(25)EW, OL-6696-01
