L2 ACL / MAC ACL vs Port Security
Written by Arnaud
Cisco devices can filter MAC addresses inbound either with port-security or with a MAC ACL, but remember that ACLs are checked in hardware by the ASICs on the ports, whereas port-security is checked in software (and can cause serious trouble in restrict/protect mode when many violations occur, since every violating frame is handled by the port-security process):
---Port-security on cat 6500---
In this example we allow 100 MAC addresses in total on the trunk port, but only 2 specific MACs on VLAN 4 (interface configuration mode):
switchport port-security
switchport port-security maximum 100
switchport port-security maximum 2 vlan 4
switchport port-security mac-address 0000.1111.2222 vlan 4
switchport port-security mac-address 0000.1111.3333 vlan 4
By default, when the maximum number of MAC addresses is exceeded, the port is shut down (err-disabled); you can have it re-enabled automatically after a given interval with (global configuration mode):
errdisable recovery cause psecure-violation
errdisable recovery interval 300
You can also choose another action when a port-security violation occurs (interface configuration mode):
switchport port-security violation { protect | restrict | shutdown }
protect: Drops all the packets from the insecure hosts at the port-security process level but does not increment the security-violation count.
restrict: Drops all the packets from the insecure hosts at the port-security process level and increments the security-violation count.
shutdown: Shuts down the port if there is a security violation.
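To make the per-VLAN maximum and the three violation modes concrete, here is a small model of the port-security decision, written as an added example for this post (it is not Cisco code and not taken from the original page). It assumes a simulated clock for the errdisable recovery timer, and it replays the configuration shown above (maximum 100, maximum 2 on VLAN 4, two static MACs on VLAN 4); the MACs 0000.aaaa.0001 and 0000.1111.9999 are constructed sample frames.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

MacVlan = Tuple[str, int]


@dataclass
class PortSecurityPort:
    """Model of one switchport with port-security (hypothetical, not IOS code)."""
    maximum: int                                   # switchport port-security maximum N
    violation: str = "shutdown"                    # protect | restrict | shutdown
    vlan_maximum: Dict[int, int] = field(default_factory=dict)  # maximum N vlan V
    recovery_interval: Optional[int] = None        # errdisable recovery interval (seconds)
    static: Set[MacVlan] = field(default_factory=set)   # mac-address MAC vlan V entries
    dynamic: Set[MacVlan] = field(default_factory=set)  # addresses learned on the fly
    violation_count: int = 0
    errdisabled_at: Optional[int] = None           # simulated clock value at shutdown
    clock: int = 0

    def add_static(self, mac: str, vlan: int) -> None:
        """switchport port-security mac-address MAC vlan V"""
        self.static.add((mac.lower(), vlan))

    def _secure(self) -> Set[MacVlan]:
        return self.static | self.dynamic

    def _limit(self, vlan: int) -> int:
        # A per-VLAN maximum overrides the port-wide one for that VLAN only
        return self.vlan_maximum.get(vlan, self.maximum)

    def receive(self, mac: str, vlan: int) -> str:
        """Decide what happens to an inbound frame; returns a short verdict string."""
        mac = mac.lower()
        if self.errdisabled_at is not None:
            return "port-down"                     # err-disabled: nothing passes
        secure = self._secure()
        if (mac, vlan) in secure:
            return "forward"
        on_vlan = sum(1 for _, v in secure if v == vlan)
        if on_vlan < self._limit(vlan) and len(secure) < self.maximum:
            self.dynamic.add((mac, vlan))          # learn it as a secure address
            return "forward"
        # Violation: behaviour depends on 'switchport port-security violation'
        if self.violation == "protect":
            return "drop"                          # silent drop, counter untouched
        self.violation_count += 1
        if self.violation == "restrict":
            return "drop"                          # drop and count the violation
        self.errdisabled_at = self.clock           # shutdown: port goes err-disabled
        self.dynamic.clear()                       # learned addresses are lost with the link
        return "err-disabled"

    def advance(self, seconds: int) -> None:
        """Move the simulated clock; models 'errdisable recovery cause psecure-violation'."""
        self.clock += seconds
        if (self.errdisabled_at is not None and self.recovery_interval is not None
                and self.clock - self.errdisabled_at >= self.recovery_interval):
            self.errdisabled_at = None             # recovery timer expired, port re-enabled


def page_example(violation: str):
    """Build the port as configured on the page and replay a few constructed frames."""
    port = PortSecurityPort(maximum=100, violation=violation,
                            vlan_maximum={4: 2}, recovery_interval=300)
    port.add_static("0000.1111.2222", 4)
    port.add_static("0000.1111.3333", 4)
    verdicts = [
        port.receive("0000.1111.2222", 4),   # static entry on VLAN 4
        port.receive("0000.aaaa.0001", 10),  # VLAN 10 only has the port-wide limit of 100
        port.receive("0000.1111.9999", 4),   # third MAC on VLAN 4: exceeds 'maximum 2 vlan 4'
        port.receive("0000.1111.3333", 4),   # the other static entry, after the violation
    ]
    return port, verdicts


if __name__ == "__main__":
    for mode in ("protect", "restrict", "shutdown"):
        port, verdicts = page_example(mode)
        print(mode, verdicts, "violations:", port.violation_count)
```

Running it shows the difference the post describes: protect and restrict both drop the third VLAN 4 address and keep forwarding the legitimate ones, but only restrict increments the violation counter; shutdown err-disables the whole port, and it only comes back after the 300 second recovery interval.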
---MAC ACL on Cat6500---
The MAC ACL has to be defined first; note that an entry can be restricted to a given VLAN (global configuration mode):
mac access-list extended MY-ACL
permit host 0123.4567.8910 any ip vlan 100
permit host 0123.4567.8911 any
NB: MAC ACL entries can also match on many other protocols/options.
Then apply it inbound on the interface (interface configuration mode):
mac access-group MY-ACL in
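The following is an added example (not the page's own code and not Cisco's) that parses a MAC ACL in the form shown above and evaluates frames against it with first-match semantics and the implicit deny at the end. It is deliberately limited to what the page uses: only the `host`/`any` address forms and the `vlan` qualifier are handled (address masks are not), and the protocol keyword is treated as an opaque name; the frames evaluated at the bottom are constructed samples.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The ACL exactly as written on the page (sample input for this example)
MY_ACL_TEXT = """
mac access-list extended MY-ACL
 permit host 0123.4567.8910 any ip vlan 100
 permit host 0123.4567.8911 any
"""


@dataclass
class MacAce:
    """One access-control entry of a 'mac access-list extended'."""
    action: str                 # permit | deny
    src: Optional[str]          # source MAC, or None for 'any'
    dst: Optional[str]          # destination MAC, or None for 'any'
    protocol: Optional[str]     # e.g. 'ip'; None matches every protocol
    vlan: Optional[int]         # 'vlan N' qualifier; None matches every VLAN


def _parse_addr(tokens: List[str]) -> Tuple[Optional[str], List[str]]:
    """Consume 'any' or 'host MAC' from the front of the token list."""
    if tokens[0] == "any":
        return None, tokens[1:]
    if tokens[0] == "host":
        return tokens[1].lower(), tokens[2:]
    raise ValueError(f"unsupported address form in this example: {tokens[0]}")


def parse_mac_acl(text: str) -> Tuple[Optional[str], List[MacAce]]:
    """Parse a 'mac access-list extended' block; returns (name, entries in order)."""
    name, aces = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if tok[:3] == ["mac", "access-list", "extended"]:
            name = tok[3]
            continue
        action, rest = tok[0], tok[1:]
        if action not in ("permit", "deny"):
            raise ValueError(f"unexpected line: {line}")
        src, rest = _parse_addr(rest)
        dst, rest = _parse_addr(rest)
        protocol, vlan = None, None
        while rest:                        # trailing qualifiers: protocol and/or 'vlan N'
            if rest[0] == "vlan":
                vlan, rest = int(rest[1]), rest[2:]
            else:
                protocol, rest = rest[0], rest[1:]
        aces.append(MacAce(action, src, dst, protocol, vlan))
    return name, aces


def parse_access_group(line: str) -> Tuple[str, str]:
    """'mac access-group NAME in' -> (NAME, direction)."""
    tok = line.split()
    if tok[:2] != ["mac", "access-group"]:
        raise ValueError(f"not a mac access-group line: {line}")
    return tok[2], tok[3]


def evaluate(aces: List[MacAce], src: str, dst: str, protocol: str, vlan: int) -> str:
    """First matching entry decides; no match means the implicit deny at the end."""
    src, dst = src.lower(), dst.lower()
    for ace in aces:
        if ace.src is not None and ace.src != src:
            continue
        if ace.dst is not None and ace.dst != dst:
            continue
        if ace.protocol is not None and ace.protocol != protocol:
            continue
        if ace.vlan is not None and ace.vlan != vlan:
            continue
        return ace.action
    return "deny"


def demo() -> List[str]:
    """Evaluate a few constructed frames against MY-ACL as applied inbound."""
    _, aces = parse_mac_acl(MY_ACL_TEXT)
    bcast = "ffff.ffff.ffff"
    return [
        evaluate(aces, "0123.4567.8910", bcast, "ip", 100),   # matches entry 1
        evaluate(aces, "0123.4567.8910", bcast, "ip", 200),   # wrong VLAN: implicit deny
        evaluate(aces, "0123.4567.8910", bcast, "arp", 100),  # wrong protocol: implicit deny
        evaluate(aces, "0123.4567.8911", bcast, "arp", 7),    # entry 2 has no qualifiers
        evaluate(aces, "0000.dead.beef", bcast, "ip", 100),   # unknown host: implicit deny
    ]


if __name__ == "__main__":
    print(parse_access_group("mac access-group MY-ACL in"), demo())
```

The two deny results for 0123.4567.8910 illustrate the point of the `vlan` and protocol qualifiers: the first entry only permits that host's IP traffic on VLAN 100, and anything else from it falls through to the implicit deny, while the second host is permitted unconditionally.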