Afenioux's Blog page

3am; darkness; Maintenance window closing. Safety net: rollback.

L2 ACL / MAC ACL vs Port Security

Written by Arnaud no comments

Cisco devices can filter mac addesses inbund with port-security or ACL, but remember ACL are checked on hardware with ASICS on the ports, and Port Security is checked in soft (and can cause big trubble when used in restrict/protect mode when many violations occur):

---Port-security on cat 6500---

in the example we allow 100 mac addresses on this trunk port, but only 2 specific mac on the vlan 4 (interface conf mode): 

 switchport port-security
 switchport port-security maximum 100
 switchport port-security maximum 2 vlan 4
 switchport port-security mac-address 0000.1111.2222 vlan 4
 switchport port-security mac-address 0000.1111.3333 vlan 4
But default, if the maximum mac addresses is reached, the port will be shutdown, you can auto-reenable the port after an amount of time with (global config mode):
 errdisable recovery cause psecure-violation
 errdisable recovery interval 300

You can also choose other actions if a port violation occurs (interface conf mode):

switchport port-security violation { protect | restrict | shutdown }
protect : Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict : Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown :Shuts down the port if there is a security violation.
---MAC ACL on Cat6500---
We have to specify the mac ACL first, as you can see, we can specify by VLAN (global config mode) :

mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any 
NB : You can apply mac filtering on a lot of protocols/options
And apply on the interface :
 mac access-group MY-ACL in
Classified in : cisco Tags : none

Comments are closed.

Rss feed of the article's comments