You'll have to pardon a moment of nostalgia, but the first question I ever
asked on groupstudy was about applying a MAC filter to a router. (sniff sniff)

To apply a MAC ACL to an interface, you have to set it up to bridge, and
since you're routing you need to run IRB. Not that it was meant for such a
purpose, but I've had much better results using CAR on a router to filter by
MAC address rather than applying an access list. It's much simpler to just
use the rate-limit command, imo.

It sounds like the router is behaving normally for a router that has
multicast members located on an interface. If the switches are causing a
broadcast storm, that's a separate issue that should be addressed; the
default behavior of most switches is to flood multicasts out all ports. To
control that you need to enable either CGMP or IGMP snooping on the
appropriate switch ports.

hth,
Hal

> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:nobody@;groupstudy.com]
> Sent: Tuesday, November 12, 2002 2:59 PM
> To: [EMAIL PROTECTED]
> Subject: RE: Possible to Filter on Destination MAC-Address on a
> [7:57312]
> 
> 
> Bucher Lars wrote:
> > 
> > I'm trying to configure an input-access-list on 7204 Routers (IOS 12.2(10)),
> > which should filter on the destination (!) MAC-address but can't get it to
> > work. Is this even possible?
> > 
> > The router should ignore all traffic with a destination-MAC (multicast) of
> > 0100.5e7c.0006 and accept all other traffic. In my setup, this address is
> > used with Firewalls in a Stonebeat cluster.
> > 
> > Without filter my routers, by mistake, listen to this traffic, replicate it
> > and send it out again which causes multicast-storms.
> 
> Wouldn't it be better to figure out why the router is doing this? Normally,
> a router doesn't replicate multicast traffic and send it out again. Why is
> it doing this? Can you send us your config??
> 
> Priscilla
> 
> > 
> > I've read that this is quite a common behaviour observed with Cisco-Routers
> > that run HSRP. By mistake some Routers (depending on what?) sometimes listen
> > to all Layer2 Multicast-Traffic instead of just the HSRP-Multicasts.
> > 
> > Unfortunately, I can't configure any filters on the switch, which led me to
> > the idea to apply a filter on the routers.
> > 
> > It's no problem to configure an extended MAC Access-list (access-list
> > ). But I struggle with applying it to the interface.
> > The 'bridge-group  input-address-list ' just allows standard MAC
> > Access-Lists, which would filter the source-address only.
> > 
> > So I tried the following approach (CAR):
> > 
> > access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0100.5e7c.0006 0000.0000.0000
> > access-list 101 permit ip any any
> > 
> > interface fastethernet0/0
> >  rate-limit input access-group 1100 100000000 100000 100000 conform-action drop exceed-action drop
> >  rate-limit input access-group 101 100000000 100000 100000 conform-action transmit exceed-action transmit
> > 
> > In the lab the router accepted the commands, but now it blocks all traffic
> > instead of just the specified destination mac-address.
> > 
> > Any suggestions? Thanks in advance.
> > 
> > Lars Bucher
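As an added illustration (not code from this thread or from Cisco), the Python below models how the wildcard masks in Lars's access-list 1100 and his two rate-limit statements are meant to evaluate a frame, so the intended outcome (drop only the cluster MAC, transmit everything else) can be compared against the all-traffic drop he saw in the lab. It assumes Cisco wildcard semantics (a mask bit of 1 means "ignore this bit"), first-match evaluation of the rate-limit chain, and that all remaining frames are IP and so hit access-list 101; the sample frames are constructed.

```python
# Added model of the posted CAR filter; not IOS code. Assumes wildcard-mask
# semantics (1 = ignore bit) and first-match evaluation of rate-limit lines.

def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex notation, e.g. '0100.5e7c.0006'."""
    return int(mac.replace(".", ""), 16)

def mac_match(addr: str, value: str, wildcard: str) -> bool:
    """True if addr equals value on every bit the wildcard does not ignore."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF   # bits that must match
    return (mac_to_int(addr) & care) == (mac_to_int(value) & care)

# access-list 1100 as posted: any source, exact destination 0100.5e7c.0006.
ACL_1100 = [("permit", "0000.0000.0000", "ffff.ffff.ffff",
             "0100.5e7c.0006", "0000.0000.0000")]

def acl_1100_permits(src: str, dst: str) -> bool:
    """Evaluate the extended MAC ACL entries in order; implicit deny at end."""
    for action, s, s_wc, d, d_wc in ACL_1100:
        if mac_match(src, s, s_wc) and mac_match(dst, d, d_wc):
            return action == "permit"
    return False

def car_action(src: str, dst: str) -> str:
    """Intended rate-limit chain on fastethernet0/0, in configured order:
    frames matching 1100 are dropped (conform and exceed both drop);
    everything else is assumed to be IP, matches 101, and is transmitted."""
    if acl_1100_permits(src, dst):
        return "drop"
    return "transmit"

if __name__ == "__main__":
    # Constructed sample frames: the Stonebeat cluster MAC, an HSRP hello
    # (224.0.0.2 maps to 0100.5e00.0002) and a broadcast.
    for src, dst in [("0010.1122.3344", "0100.5e7c.0006"),
                     ("0010.1122.3344", "0100.5e00.0002"),
                     ("0010.1122.3344", "ffff.ffff.ffff")]:
        print(dst, "->", car_action(src, dst))
```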
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=57321&t=57321