Layer 2 traffic filtering is very useful when you want to drop packets as close to
the source as possible, because you can do it at the Layer 2 next hop, which is the switch
the devices are connected to. Based on MAC address, Layer 2 filtering can be applied using
one of the two most common methods: Port Security and MAC Access Groups.
Port Security is the more secure of the two methods. To use it, map a switch port to the
specific MAC address of the connected device. It gives you more options than just
dropping the packets from a specific source, depending on what you want to achieve on
the interface where it is applied.
MAC Access Groups are generally used for small networks of 20 devices or less. Add
a permit statement for each of your devices' interface MAC addresses and apply the access
list to the switch interface. This limits inbound traffic on that interface to only those
MAC addresses on your list. It is not recommended when you have many MAC addresses,
because MAC access lists work the same way as IP access lists, so they consume a
lot of resources on the device where they are applied.
For this tutorial we will use a Cisco 3750 to which a router (R4) is connected. To test
Layer 2 traffic filtering, we have a point-to-point Layer 3 connection between them
(10.0.0.0/30), using a physical interface on R4 and a Vlan 4 interface on the
switch. The port on the switch where R4 is connected is an access port in VLAN 4.
Please see the tutorial below:
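The following configuration is an added example and is not the tutorial from the original post. It shows both methods described above on a Catalyst 3750, written as two alternatives for the same port: Port Security binding the port to R4's MAC address, and a MAC access group permitting only that MAC inbound. The interface name (GigabitEthernet1/0/4) and R4's MAC address (0011.2233.4404) are constructed placeholders, not values from the page.

```cisco
! Added example (not the page's tutorial). Assumptions, all constructed:
!   R4 is connected to GigabitEthernet1/0/4, which is an access port in VLAN 4
!   R4's interface MAC address is 0011.2233.4404
!
! ===== Method 1: Port Security =====
! Binds the port to exactly one MAC address; any other source MAC is a violation.
interface GigabitEthernet1/0/4
 description Link to R4
 switchport mode access
 switchport access vlan 4
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4404
 ! restrict: drop offending frames and count them, without shutting the port;
 ! shutdown (the default) err-disables the port instead
 switchport port-security violation restrict
!
! ===== Method 2: MAC Access Group (alternative to Method 1) =====
! One permit entry per allowed device; the implicit deny at the end drops the rest.
mac access-list extended ALLOW-R4-ONLY
 permit host 0011.2233.4404 any
!
interface GigabitEthernet1/0/4
 switchport mode access
 switchport access vlan 4
 mac access-group ALLOW-R4-ONLY in
!
! ===== Verification =====
! show port-security interface GigabitEthernet1/0/4
! show port-security address
! show mac access-group interface GigabitEthernet1/0/4
! show access-lists ALLOW-R4-ONLY
```

Pick one method per port; the two sections are shown together only for comparison. After applying either one, verify with a ping across the 10.0.0.0/30 link from R4 and then with a different source MAC on the same port (for example a spare host), and check the violation counters or ACL statistics. Some Catalyst platforms restrict port MAC ACLs to non-IP traffic, so confirm against the platform's ACL documentation that IP traffic is actually being matched before relying on Method 2.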

Category: Cisco-switching
Tags: layer 2, layer 2 traffic filtering, mac access group, mac access list, mac-address, port security, traffic filtering
From the beginning let me tell you that I don’t find this command very useful, as I prefer to use the “interface range …” syntax, but since I saw it as a requirement in one of the tasks for the CCIE RS lab exam, and maybe somebody will find it usable in a real environment, I said I should put it here in a tutorial.
As many of you already know, you can control a range of interfaces by typing the command “interface range Fa0/1 - 6” (for example), but there is another way to do this by using the interface macro style. For those who are beginners, this interface range or macro syntax spares you from typing 6 commands under 6 interfaces (sticking to the example above); instead you issue only one command under the interface range or macro.
Please see the tutorial below:
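As an added example (not the tutorial from the original post), this is how the interface-range macro is defined and then used on a Catalyst switch, keeping the Fa0/1 - 6 range from the paragraph above. The macro name ACCESS-PORTS and the access-port commands applied through it are constructed for illustration.

```cisco
! Added example (not the page's tutorial). Assumptions, all constructed:
!   FastEthernet0/1 to 0/6 are end-user access ports that should share one config
!   the macro name ACCESS-PORTS is arbitrary
!
! 1. Define the macro once; it stores the range under a name
define interface-range ACCESS-PORTS FastEthernet0/1 - 6
!
! 2. Enter the range through the macro and issue each command only once
interface range macro ACCESS-PORTS
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Equivalent without the macro: the range has to be retyped every time
! interface range FastEthernet0/1 - 6
!
! Verification: the macro is stored in the running configuration
! show running-config | include define interface-range
```

The macro only saves typing; it does not change what gets configured, so the resulting interface configuration is identical to what "interface range FastEthernet0/1 - 6" would produce.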

Category: Cisco-switching
Tags: cisco, define, interface macro, macro, switch
Let’s say that somebody (or some task in a test) asks you to limit the inbound traffic on a switch Layer 2 port using the minimal configuration possible. I must say that in the first steps I failed this task miserably, but actually it is very simple to do.
I will use a plain Layer 2 Cisco 2950 switch for this task. I observed that I could not implement this on a Cisco 3500XL. I don’t know if the IOS image was wrong, but I didn’t investigate too much in that area, as I cannot stand 3500XL switches and they are actually a pretty old piece of hardware.
No topology is needed for this, as I will only show how to do it and not test it with real traffic. I will do the testing later when I have some more time, or you can do it on your own.
See the tutorial below:
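The tags on this post name storm-control as the mechanism, so the following is an added example (not the page's own tutorial) of limiting inbound traffic on a Layer 2 port of a Catalyst 2950 with storm control. The interface (FastEthernet0/1) and the 10 percent thresholds are constructed values for illustration.

```cisco
! Added example (not the page's tutorial). Assumptions, all constructed:
!   FastEthernet0/1 is the Layer 2 access port whose inbound traffic is limited
!   10 percent of the port's bandwidth is the chosen suppression level
!
interface FastEthernet0/1
 switchport mode access
 ! Each line limits one traffic type entering the port; frames above the
 ! threshold are dropped until the rate falls back below it.
 storm-control broadcast level 10
 storm-control multicast level 10
 storm-control unicast level 10
!
! Minimal variant for the task as stated: a single line limiting all
! inbound unicast traffic, which is the bulk of normal traffic on an access port
! interface FastEthernet0/1
!  storm-control unicast level 10
!
! Verification: shows per-port thresholds, current level and suppressed traffic
! show storm-control FastEthernet0/1
```

The level is a percentage of the port's bandwidth, so the same value means a different absolute rate on a 10 Mb/s and a 100 Mb/s link; check "show storm-control" after generating traffic to confirm the counters move before treating the limit as effective.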

Category: Cisco-switching
Tags: cisco, inbound traffic, layer 2, rate-limit, storm-control, traffic limit