Switch series
vishamr2000
Hi to all,
Can anyone tell what are switch series that support MAC ACLs that can be applied on the switch ports themselves and not the router interfaces? I used the Catalyst 2950 series but the MAC ACLs have to be applied on the router interface.
Thx in advance..
Warm regards,
Visham
Comments
lordy
Have you looked at port-security?
If you want to disallow unknown MAC addresses or limit the number of hosts connected to one port, this is the way to go.
HTH,
Lordy
vishamr2000
Hi,
I need to allow only packets that have certain destination mac addresses and that are of a particular protocol (ex: TCP). I can't do that with port security. MAC ACLs allow for that but on the Catalyst 2950 series, the ACLs have to be applied to a router interface. I want to apply them on a per-interface basis. What switch do I use?
Warm regards,
Visham
keenon
You may need to look at the 3550 series.
vishamr2000
Thx for the reply..
I'll check it out and come if I have questions..
Thx again..
Warm regards,
Visham
darkuser
You won't need a special switch to filter based on MAC ID.
It's a feature of extended access-lists (the 700-799 range).
You could do that at the router.
If you're trying to do that at the layer 2 switch, it would have to be some type of CAM table filter.
You may be able to do this on the 3550 with a VLAN ACL.
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat2950/1219ea1/scg/swacl.htm#xtocid8
ACL Number   Type                                       Supported
1-99         IP standard access list                    Yes
100-199      IP extended access list                    Yes
200-299      Protocol type-code access list             No
300-399      DECnet access list                         No
400-499      XNS standard access list                   No
500-599      XNS extended access list                   No
600-699      AppleTalk access list                      No
700-799      48-bit MAC address access list             No
800-899      IPX standard access list                   No
900-999      IPX extended access list                   No
1000-1099    IPX SAP access list                        No
1100-1199    Extended 48-bit MAC address access list    No
1200-1299    IPX summary address access list            No
1300-1999    IP standard access list (expanded range)   Yes
2000-2699    IP extended access list (expanded range)   Yes
vishamr2000
Hi to all,
Many thx for the reply darkuser..
I wish to get some help with the following:
1) Is it true that I must create a VLAN in order to apply MAC ACLs to switch ports individually? Can I apply different MAC ACLs on different ports of a switch? If yes, what are the steps to do it if I want to apply the MAC ACL I wrote below?
2) I have 3 PCs connected to the same switch with MAC addresses E1, E2, and E3. All IP traffic from E1 must pass through E3 before going to E2. Traffic from E2 to E1 goes through E3 as well. ARP traffic is kept normal. Below is the MAC ACL I wrote to apply to the ports to which E1 and E2 are attached in order to prevent direct communication between E1 and E2. Unfortunately I don't have the luxury of a 2970 or 3550 Catalyst switch to test it. Can someone tell me if this will work?
Switch (config)# mac access-list extended mac1
Switch (config-ext-mac1)# permit any any aarp
Switch (config-ext-mac1)# permit any host E3 vines-ip
Switch (config-ext-mac1)# end
Any help will be very much appreciated.
Warm regards,
Visham
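To see what the entries in the ACL above actually match, here is an added Python model (not code from this thread or from Cisco) that parses the named extended MAC ACL syntax and evaluates constructed frames against it with first-match and implicit-deny semantics. It assumes placeholder MAC addresses for E1, E2 and E3 and the standard EtherType values behind the `aarp` (AppleTalk ARP, 0x80F3) and `vines-ip` (Banyan VINES IP, 0x0BAD) keywords; whether a given Catalyst platform subjects IP frames to a MAC ACL at all is a separate question that only its configuration guide answers.

```python
"""Constructed model (not Cisco's code) of a named extended MAC ACL: parse the
ACL lines, then evaluate frames against them with first-match / implicit-deny."""
import re

ETHERTYPES = {"aarp": 0x80F3, "vines-ip": 0x0BAD}  # keywords used in the thread
IPV4, ARP = 0x0800, 0x0806  # EtherTypes of the constructed test frames

def parse_mac_acl(config):
    """Return (acl_name, entries); each entry is (action, src, dst, ethertype)."""
    name, entries = None, []
    for raw in config.splitlines():
        line = raw.split("#", 1)[-1].strip().lower()  # drop the "Switch(config)#" prompt
        if m := re.match(r"mac access-list extended (\S+)$", line):
            name = m.group(1)
        elif m := re.match(r"(permit|deny) (any|host \S+) (any|host \S+)(?: (\S+))?$", line):
            action, src, dst, proto = m.groups()
            etype = ETHERTYPES[proto] if proto else None  # KeyError on an unknown keyword
            entries.append((action, src.replace("host ", ""), dst.replace("host ", ""), etype))
    return name, entries

def evaluate(entries, src_mac, dst_mac, ethertype):
    """First matching entry decides; a frame matching no entry is denied."""
    src_mac, dst_mac = src_mac.lower(), dst_mac.lower()
    for action, src, dst, etype in entries:
        if src in ("any", src_mac) and dst in ("any", dst_mac) and etype in (None, ethertype):
            return action
    return "deny"  # implicit deny at the end of every Cisco ACL

# The ACL from the post above, with placeholder MACs standing in for E1, E2 and E3.
E1, E2, E3 = "0000.0000.00e1", "0000.0000.00e2", "0000.0000.00e3"
THREAD_ACL = f"""
Switch(config)# mac access-list extended mac1
Switch(config-ext-mac1)# permit any any aarp
Switch(config-ext-mac1)# permit any host {E3} vines-ip
Switch(config-ext-mac1)# end
"""

def thread_results():
    """What the posted entries themselves permit or deny for a few frame types."""
    _, entries = parse_mac_acl(THREAD_ACL)
    return {
        "ipv4 E1->E3": evaluate(entries, E1, E3, IPV4),  # vines-ip is not IPv4
        "arp E1->E2": evaluate(entries, E1, E2, ARP),    # aarp is AppleTalk ARP, not ARP
        "aarp E1->E2": evaluate(entries, E1, E2, 0x80F3),
        "vines-ip E1->E3": evaluate(entries, E1, E3, 0x0BAD),
        "vines-ip E1->E2": evaluate(entries, E1, E2, 0x0BAD),  # only E3 is a permitted dst
    }
```

Run `thread_results()` to see that, as written, the two entries permit only AppleTalk ARP and VINES frames and fall through to the implicit deny for IPv4 and ordinary ARP.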
vishamr2000
Hi to all,
Can s.o. please help me with this.. I badly need to get this sorted out.
Is there anywhere else where I can seek help?
Warm regards,
Visham
forbesl
I hate to be the spoilsport in this thread, but everything you need to do this (including sample configurations) can be found on the Cisco web site.
vishamr2000
Hi,
I did check all that I could find on the Cisco website regarding this. But the documents contain confusing information. For example: according to Table 26-1 in the document
http://www.cisco.com/en/US/products/hw/switches/ps5206/products_configuration_guide_chapter09186a00801ce035.html
, Extended 48-bit MAC address access lists are not supported on the 2970. Then it gives you the configuration of how to create and apply MAC ACLs on individual switchports. This is what has been confusing me from the very beginning.
Which is true?
forbesl
This document states the 2970 does not support numbered ACLs in the 700-799 (48-bit MAC address access list) range. The configuration you are referring to in the document is for named ACLs. They are configured differently.
vishamr2000
Ok.. I thought they meant the same thing.. that you could either use numbered or named ACLs..
Thx for the tip.. I'll try to re-read all the PDFs I've downloaded regarding this.
Warm regards,
Visham
vishamr2000
Hi to all,
Can anyone tell me if we have IP ACLs (or any other type of ACLs) that allow for filtering by both MAC address and IP-traffic protocols (ex: TCP, UDP..)?
Regards,
Visham