Software Configuration Guide—Release 12.2(25)SG
OL-7659-03
Chapter 33 Configuring Network Security with ACLs
Configuring Unicast MAC Address Filtering

To block all unicast traffic to or from a MAC address in a specified VLAN, perform this task:

Command: Switch(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: Blocks all traffic to or from the configured unicast MAC address in the specified VLAN.
         To clear MAC address-based blocking, use the no form of this command without the drop keyword.

This example shows how to block all unicast traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Router# configure terminal
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop

Configuring Named MAC Extended ACLs

You can filter non-IP traffic on a VLAN and on a physical Layer 2 port by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. You can use a number to name the access list, but MAC access list numbers from 700 to 799 are not supported.

Note: Named MAC extended ACLs cannot be applied to Layer 3 interfaces.

For more information about the supported non-IP protocols in the mac access-list extended command, refer to the Catalyst 4500 Series Switch Cisco IOS Command Reference.

To create a named MAC extended ACL, perform this task:

Step 1
Command: Switch# configure terminal
Purpose: Enters global configuration mode.

Step 2
Command: Switch(config)# mac access-list extended name
Purpose: Defines an extended MAC access list using a name.

Step 3
Command: Switch(config-ext-macl)# {deny | permit} {any | host source MAC address | source MAC address mask} {any | host destination MAC address | destination MAC address mask} [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns}]
Purpose: In extended MAC access-list configuration mode, specify to permit or deny any source MAC address, a source MAC address with a mask, or a specific host source MAC address and any destination MAC address, destination MAC address with a mask, or a specific destination MAC address.
         (Optional) [protocol-family {appletalk | arp-non-ipv4 | decnet | ipx | ipv6 | rarp-ipv4 | rarp-non-ipv4 | vines | xns}]

Step 4
Command: Switch(config-ext-macl)# end
Purpose: Returns to privileged EXEC mode.

Step 5
Command: Switch# show access-lists [number | name]
Purpose: Shows the access list configuration.

Step 6
Command: Switch# copy running-config startup-config
Purpose: (Optional) Saves your entries in the configuration file.
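
The six steps above as one session, added here as an illustration and not taken from the guide. The ACL name NONIP-FILTER is hypothetical, and the host address is reused from the unicast filtering example earlier on this page.

```cisco
! Constructed example; NONIP-FILTER is a hypothetical ACL name.
Switch# configure terminal
Switch(config)# mac access-list extended NONIP-FILTER
! Drop AppleTalk frames from any source to any destination.
Switch(config-ext-macl)# deny any any protocol-family appletalk
! Drop IPX frames sent by one specific host (sample address from this page).
Switch(config-ext-macl)# deny host 0050.3e8d.6400 any protocol-family ipx
! Permit the remaining non-IP traffic. An access list ends in an implicit
! deny, so without this entry everything the list does not match is dropped.
Switch(config-ext-macl)# permit any any
Switch(config-ext-macl)# end
! Confirm the entries and their order before saving.
Switch# show access-lists NONIP-FILTER
Switch# copy running-config startup-config
```

Entries are evaluated in order, so the two deny lines must precede the closing permit. The list filters nothing until it is applied to a VLAN or a Layer 2 port; as the note above states, it cannot be applied to a Layer 3 interface.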