Search this Blog

Friday, October 29, 2010

How to enable MAC address filtering?

We are planning to enable MAC address filtering (one port on 4510 & another 3560). We want to allow only that MAC address to communicate via that port with the rest of the network and internet.

4510 has PC connected and 3560 had polycom connected.

Does the below is sufficient or something...

4510(config)# mac access-list ext Allowmac
4510(config-ext-macl)# permit host 0000.0000.0001 any (0000.0000.0001 : Mac of the PC)
4510(config-ext-macl)# denty any any
4510(config-ext-macl)# exit

4510(config)# int g7/40
4510(config-if)# mac access-group Allowmac in

Same on 3560 as well.


It looks fine. Just as a side note, 'deny any any' seems to have a typo there as "denty".

For more details about MAC access-lists, refer to Configuring Named MAC Extended ACLs guide here:

Also note that, there's a feature called Port Security which can also limit traffic based on the configured MAC addresses and also you can specify a maximum number of MAC addresses allowed on a port.

Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports). When a secure port exceeds the maximum, a security violation is triggered, and a violation action is performed based on the violation action mode configured on the port.

If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to the secure port is assured sole access to the port.

Configuring Port Security , click here for the link.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Can we set up a BGP if there is only one connection leaving the network?

We are about to implement a new back up to our remote sites. We are using BT IP clear ADSL service and their request is for us to set up a BGP.Autonomous system so we can redistribute into their cloud.On reading up on this it states not to use BGP if you only have one connection leaving your network. We have over a hundred remote sites with 5 subnets in each. We are currently running OSPF.

Can some one guide us in the right direction?


You are correct in that if you only have one entry and exit point to each site there is no real need for BGP. However from my dealings with BT (although this was a couple of years back) they really only support BGP when you connect to their MPLS network. Sounds like this is still their position. You can use OSPF/static routing etc. but only if the SP supports it and i don't think BT do. It's basically for their ease of administration ie. BGP learned routes from you are automatically redistributed via MP-BGP to the other BT PE devices.

So you will need to run BGP between your CE device and the BT PE device. You will then have to redistribute the BGP routes you receive from their PEs into OSPF running on your CEs. To advertise your local networks you can either redistribute OSPF into BGP on your CE or use "network" statements on your CEs which is what we did.

It's important to understand that with this solution each OSPF process is isolated to each site so you only need one OSPF area per site. As for the BGP AS we used the same AS at all sites and used the "allowas-in 1" command under the router bgp config although if you want you can use separate BGP AS numbers at each site.

Edit - with a 150 sites it may well be pressing BT on whether they support anything else although i suspect that is when they will start offering their managed services ie. they manage the CE device in each site for you.

BGP Scenario- Design and Config

each site has 5 subnets so i would use network statements under BGP config rather than redistribute OSPF into BGP. If you can summarise the networks even better eg.

router bgp 65111

neighbor remote-as 65000 <-- where 65000 is BT AS number

neighbor allowas-in 1 <-- this means you can use the same AS number (65111) in all your sites

network mask

network mask

etc. for your subnets

note if you are peering with BT on loopbacks which they sometimes do then you would need to do the following in addition to the above -

1) add a route to your ADSL router telling it how to get to the BT loopback eg.

ip route x.x.x.x <-- where x.x.x.x is the IP of the physical interface on the BT PE router.

2) add this to your BGP config -

neighbor ebgp-multihop 2

Note also that for the network statements above eg etc. to be advertised there must be an exact match in the IGP routing table, so if you do a "sh ip route" you should see a route for with a /24 subnet mask. If you can summarise your networks then you can either -

1) use the "aggregate-address ...." command under your BGP config


2) create a static route to null for that summary address on your CE router eg.

ip address null0

and then under your bgp config simply do -

network mask

and remove the individual /24 network statements.

Under your OSPF config -

router ospf 10

redistribute bgp 65111 subnets

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Suggestion needed on setting up a DR (sort of ) in place?

At one site we have an MPLS single link with subnet connected to L3 switches.At the other site we have another MPLS single link with subnet connected to L3 switches.These should be configured Active/Passive , like all MPLS traffic should be flowing through site1 as long as that is up and thru site 2 if site 1 goes down.

These sites are connected with 2 P2P links . The problem we have , is that the requirement is to have a sort of DR in place for these buildings in such fashion , that if site1 MPLS goes down all traffic should flow through the site2 MPLS link.

The L3 switches will have a default route to the internet and static routes to point to the MPLS router as next-hop.There is no protocol running anywhere now .Building 1 is the existing building of this customer and building two will be coming up soon .What they want (save some cost as well) is : - Currently they have 2 MPLS at the existing site(Building1) which they want to split and move 1 link to the new site. From there , the story we have just narrated follows.They can not get the ISP to do any custom config so this is the issue they are faced with .Once they split these links , how will these two sites be aware of each other and more over do failover.


If you are not exchanging routes with the ISP then you can do this. Lets assume site 1 is active and site 2 is passive in normal operations,.This also assumes the the 2 MPLS routers can route to each other via EIGRP.

1) Configure a static default-route on site 1 router that connects to MPLS pointing to the next-hop for the site 1 MPLS connection.

2) redistribute this static into EIGRP. Note this will mean the static has an AD of 170 on all other routers in both sites.

3) Configure IP SLA on the site 1 router to track the availability of the MPLS link. You need this because you are not exchanging routes with your provider so you won't automatically know if the link has failed.

4) On site 2 router that connects to MPLS configure a floating static default-route pointing to the next-hop for the site 2 MPLS link. Note the AD of this route must be > 170.

5) On the same site 2 router redistribute static into EIGRP.

This works as follows -

1) The site 1 router connecting to MPLS redistributes the static into EIGRP. All routers in both sites see this route and they will all see it with an AD of 170.

2) The site 2 router also sees this route and because it has a lower AD than it's own static route then it uses this one. It will not insert it's own static route into the routing table and hence into EIGRP because it's own static route has a higher AD.

3) Under normal conditions all traffic follows the default-route out via site 1.

4) If the link or the remote provider router fails then site 1 router removes the default-route from it's routing table. It no longer gets redistributed into EIGRP and so site 2 router now no longer receives it.

5) site 2 router now installs it's default-route and redistributes into EIGRP and all routers receive this route. Note all routers except site 2 will see this route with an AD of 170.

6) If the link comes back up at site 1 IP SLA will reinstall the removed static route and then this will get propogated to site 2 router. Site 2 router will then see it's own default route with an AD > 170 and the new one with an AD of 170 and will use the new one. So it removes it's own default route from the routing table and stops redistibuting into EIGRP.

7) All intermediate routers will now use site 1 again.

Note - when site 1 comes back up and installs it's own route and redistributes every intermediate router will have 2 default-routes in their routing table temporarily until the site 2 MPLS router receives the site 1 redistributed route. Once it does and it removes it's own default-route that will no longer be redistributed into EIGRP and so all the intermediate routers will only have one default-route left which will be via site 1.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.

Does ebgp-multihop can choose next-hop router?

The problem arises when users at CE1 wanted to access network from CE3, but CE3 and CE4 is advertising the same network. There are several ways we think it should resolve the issue, such as using GRE tunnel point2point. But we are reluctant to use the tunnel concept as user may affected by the mtu-sizing problem, multiple tunnels creation and such. Please take note that PE to PE communication using BGP. PE to CE using OSPF with all network advertise under area 0. PE-CE having mutual redistribution. No stub configuration created between PE-CE.

We were thinking to use ebgp-multihop, since CEs are not directly connected, we could create another BGP AS, just for CE to CE communicate. But not sure though. Is it possible to do since peering neighbors will create bgp next-hop to the peering router interfaces.

In an example, CE1 (lo0 & CE3 (lo0, both configured accordingly on the BGP/Ebgp-multihop. So if i do"show ip bgp" at CE1 router, my next-hop will show for my advertise network at CE3. By right my traffic from CE1 should go to as the next-hop. Since the traffic needs to go to PE(Could), the particular PE would then change the next-hop of my original traffic, as at PE level they may see that CE4 is having the same advertise network with better cost/metric.

Does ebgp-multihop can choose our next-hop router? Can ospf can be sagregated by multiple area topology?


Ebgp multi-hop will not work because the traffic won't be tunneled and the PE will still take part of the routing decision.

The next-hop on the ebgp multi-hop will reflect the IP address of the remote CE but a recursive lookup will be performed and guess what? the next hop to that next-hop is the PE router anyway. The PE router will determine the best path - if the destination has conflicting address - anything can happen.You can implement NAT from the conflicted source to solve this issue.

If you have access to the PE, you can have CE3 and CE4 part of a different VRF and only import the 'interested' VRF into CE1.

Citation - This blog post does not reflect original content from the author. Rather it summarizes content that are relevant to the topic from different sources in the web. The sources might include any online discussion boards, forums, websites and others.
/* Google Analytics begin ----------------------------------------------- */ /* Google Analytics end ----------------------------------------------- */