Switch series

vishamr2000 Posts: 8 Member
Hi to all,

Can anyone tell me which switch series support MAC ACLs that can be applied on the switch ports themselves and not the router interfaces? I used the Catalyst 2950 series but the MAC ACLs have to be applied on the router interface.

Thx in advance..

Warm regards,
Visham

Comments

  • lordy Posts: 632 Member
    Have you looked at port-security?

    If you want to disallow unknown mac-addresses or limit the number of hosts connected to one port this is the way to go.

    HTH,
    Lordy
    Working on CCNP: [X] SWITCH --- [ ] ROUTE --- [ ] TSHOOT
    Goal for 2014: RHCA
    Goal for 2015: CCDP
  • vishamr2000 Posts: 8 Member
    Hi,

    I need to allow only packets that have certain destination mac addresses and that are of a particular protocol (ex: TCP). I can't do that with port security. MAC ACLs allow for that but on the Catalyst 2950 series, the ACLs have to be applied to a router interface. I want to apply them on a per-interface basis. What switch do I use?

    Warm regards,
    Visham
  • keenon Posts: 1,921 Member
    you may need to look at 3550 series
    Become the stainless steel sharp knife in a drawer full of rusty spoons
  • vishamr2000 Posts: 8 Member
    Thx for the reply..

    I'll check it out and come back if I have questions..

    Thx again..

    Warm regards,
    Visham
  • darkuser Posts: 621 Member
    you won't need a special switch to filter based on mac id.
    It's a feature of extended access-lists (the 700-799 range)
    you could do that at the router.
    if you're trying to do that at the layer 2 switch it would have to be some type of cam table filter.
    you may be able to do this on the 3550 with a vlan acl.


    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm#xtocid8

    ACL Number   Type                                       Supported
    1-99         IP standard access list                    Yes
    100-199      IP extended access list                    Yes
    200-299      Protocol type-code access list             No
    300-399      DECnet access list                         No
    400-499      XNS standard access list                   No
    500-599      XNS extended access list                   No
    600-699      AppleTalk access list                      No
    700-799      48-bit MAC address access list             No
    800-899      IPX standard access list                   No
    900-999      IPX extended access list                   No
    1000-1099    IPX SAP access list                        No
    1100-1199    Extended 48-bit MAC address access list    No
    1200-1299    IPX summary address access list            No
    1300-1999    IP standard access list (expanded range)   Yes
    2000-2699    IP extended access list (expanded range)   Yes
    rm -rf /
  • vishamr2000 Posts: 8 Member
    Hi to all,

    Many thx for the reply darkuser..

    I wish to get some help with the following:

    1) Is it true that I must create a VLAN in order to apply MAC ACLs to switch ports individually? Can I apply different MAC ACLs on different ports of a switch? If yes, what are the steps to do it if I want to apply the MAC ACL I wrote below?


    2) I have 3 PCs connected to the same switch with MAC addresses E1, E2, and E3. All IP traffic from E1 must pass through E3 before going to E2. Traffic from E2 to E1 goes through E3 as well. ARP traffic is kept normal. Below is the MAC ACL I wrote to apply to the ports to which E1 and E2 are attached in order to prevent direct communication between E1 and E2. Unfortunately I don't have the luxury of a 2970 or 3550 Catalyst switch to test it. Can someone tell me if this will work?

    Switch (config)# mac access-list extended mac1
    Switch (config-ext-mac1)# permit any any aarp
    Switch (config-ext-mac1)# permit any host E3 vines-ip
    Switch (config-ext-mac1)# end

    Any help will be very much appreciated.

    Warm regards,
    Visham
  • vishamr2000 Posts: 8 Member
    Hi to all,

    Can someone please help me with this..I badly need to get this sorted out.

    Is there anywhere else where I can seek help?

    Warm regards,
    Visham
  • forbesl Posts: 454 Member
    I hate to be the spoilsport in this thread, but everything you need to do this (including sample configurations) can be found on the Cisco web site.
  • vishamr2000 Posts: 8 Member
    Hi,

    I did check all that I could find on the Cisco website regarding this. But the documents contain confusing information. For example: According to Table 26-1 in the document http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00801ce035.html , Extended 48-bit MAC address access lists are not supported on 2970. Then it gives you the configuration of how to create and apply MAC ACLs on individual switchports. This is what has been confusing me from the very beginning.

    Which is true?
  • forbesl Posts: 454 Member
    This document states the 2970 does not support numbered ACLs in the 700-799 (48-bit MAC address access list) range. The configuration you are referring to in the document is for named ACLs. They are configured differently.
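
Applying named MAC extended ACLs to individual switch ports, as discussed in the posts above. This is an added example, not a configuration from any poster or from the Cisco guide. It assumes a Catalyst model whose configuration guide documents port-level named MAC ACLs (the thread names the 2970 and 3550); the interface names, the second ACL `mac2`, and the MAC address standing in for E3 are constructed for illustration.

```cisco
! Added example (not from the thread). Global configuration mode.
!
! Named MAC extended ACL, same entries as the ACL posted in the thread.
! 0000.5e00.5303 is a constructed address standing in for host E3.
mac access-list extended mac1
 permit any any aarp
 permit any host 0000.5e00.5303 vines-ip
! Implicit deny: any other non-IP frame arriving on a port bound to mac1
! is dropped.
!
! A second, different ACL (hypothetical name mac2) to show that each
! port can carry its own MAC ACL.
mac access-list extended mac2
 deny   any any decnet-iv
 permit any any
!
! Bind the ACLs to Layer 2 ports (assumed interface names).
! A port takes one MAC ACL, in the inbound direction.
interface FastEthernet0/1
 switchport mode access
 mac access-group mac1 in
!
interface FastEthernet0/2
 switchport mode access
 mac access-group mac2 in
!
end
!
! Verification, privileged EXEC mode:
show access-lists mac1
show mac access-group interface FastEthernet0/1
show mac access-group interface FastEthernet0/2
```

On these platforms a MAC ACL bound to a Layer 2 port matches non-IP frames only, by EtherType keyword such as `aarp` (AppleTalk ARP) or `vines-ip` (Banyan VINES IP); IP packets, including TCP and UDP, are evaluated by IP ACLs rather than by the MAC ACL.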
  • vishamr2000 Posts: 8 Member
    Ok..I thought they meant the same thing..that you could either use numbered or named ACLs..

    Thx for the tip..I'll try to re-read all the pdfs I've downloaded regarding this.

    Warm regards,
    Visham
  • vishamr2000 Posts: 8 Member
    Hi to all,

    Can anyone tell me if we have IP ACLs (or any other type of ACLs) that allow for filtering by both MAC address and IP-traffic protocols (ex: TCP, UDP..)?

    Regards,
    Visham