Configuring Unicast Mac Address Filtering - Cisco Catalyst 4500 series Administration Manual

Configuring Unicast MAC Address Filtering

To block all unicast traffic to or from a MAC address in a specified VLAN, perform this task:

Command: Switch(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: Blocks all traffic to or from the configured unicast MAC address in the specified VLAN. To clear MAC address-based blocking, use the no form of this command without the drop keyword.

This example shows how to block all unicast traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Switch# configure terminal
Switch(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop

Configuring Named MAC Extended ACLs

You can filter non-IPv4, non-IPv6 traffic on a VLAN and on a physical Layer 2 port by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. You can use a number to name the access list, but MAC access list numbers from 700 to 799 are not supported.

Note: Named MAC extended ACLs cannot be applied to Layer 3 interfaces.

For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.

To create a named MAC extended ACL, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# [no] mac access-list extended name
Purpose: Defines an extended MAC access list using a name. To delete the entire ACL, use the no mac access-list extended name global configuration command. You can also delete individual ACEs from named MAC extended ACLs.

Step 3
Command: Switch(config-ext-macl)# {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 (not supported on Sup 6-E and 6L-E) | rarp-ipv4 | rarp-non-ipv4 | vines | xns}]
Purpose: In extended MAC access-list configuration mode, specifies whether to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address, and any destination MAC address, a destination MAC address with a mask, or a specific destination MAC address.
Note: IPv6 packets do not generate Layer 2 ACL lookup keys.

Step 4
Command: Switch(config-ext-macl)# end
Purpose: Returns to privileged EXEC mode.

Software Configuration Guide—Release IOS XE 3.6.0E and IOS 15.2(2)E
54-14
Chapter 54
Configuring Network Security with ACLs
OL_28731-01
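
A small linter for the Step 3 ACE syntax and the 700 to 799 naming restriction described above, as an added example that is not part of the Cisco guide. The function names (lint_ace, lint_acl) and the sample ACL are constructed for illustration, and the dotted-hex MAC format check is an assumption based on the page's 0050.3e8d.6400 example.

```python
import re

# Protocol families listed in Step 3 of the page.
FAMILIES = {"appletalk", "arp-non-ipv4", "decnet", "ipx", "ipv6",
            "rarp-ipv4", "rarp-non-ipv4", "vines", "xns"}
MAC = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")  # assumed format

def _take_addr(tok, i, errs, side):
    """Consume 'any', 'host MAC' or 'MAC MASK' at tok[i]; return next index."""
    head = tok[i] if i < len(tok) else ""
    if head == "any":
        return i + 1
    macs = tok[i + 1:i + 2] if head == "host" else tok[i:i + 2]
    if len(macs) != (1 if head == "host" else 2) or not all(map(MAC.match, macs)):
        errs.append(f"bad {side} address")
    return i + 2

def lint_ace(line):
    """Findings for one ACE (Step 3 syntax); an empty list means clean."""
    tok, errs = line.lower().split(), []
    if not tok or tok[0] not in ("deny", "permit"):
        return ["must start with deny or permit"]
    i = _take_addr(tok, 1, errs, "source")
    rest = tok[_take_addr(tok, i, errs, "destination"):]
    if rest and (rest[0] != "protocol-family" or len(rest) != 2
                 or rest[1] not in FAMILIES):
        errs.append("bad protocol-family clause")
    elif rest and rest[1] == "ipv6":
        errs.append("ipv6: not supported on Sup 6-E and 6L-E; IPv6 packets "
                    "do not generate Layer 2 ACL lookup keys")
    return errs

def lint_acl(name, aces):
    """Return {index: findings}; index 0 is the ACL name, ACEs count from 1."""
    out = {}
    if name.isdigit() and 700 <= int(name) <= 799:
        out[0] = ["MAC access list numbers 700 to 799 are not supported"]
    for n, ace in enumerate(aces, 1):
        if (found := lint_ace(ace)):
            out[n] = found
    return out

# Constructed sample (not from the page): ACL name, then its ACEs.
SAMPLE = ("750", ["deny host 0050.3e8d.6400 any",
                  "deny any any protocol-family ipv6",
                  "permit any 0050.3e8d.6400",   # destination lacks a mask
                  "permit any any"])

if __name__ == "__main__":
    print(lint_acl(*SAMPLE))
```

Running it on the sample reports the unsupported name, the ipv6 entry, and the destination address that has neither the host keyword nor a mask.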