This document describes the behavior of MAC Access Control List (MAC ACL) on the control plane non-IP traffic on Catalyst 4500 series switches. MAC ACL can be used in order to filter non-IP traffic on a VLAN and on a physical Layer 2 (L2) port.
For more information about the supported non-IP protocols in the MAC access-list extended command, refer Catalyst 4500 Series Switch Cisco IOS® Command Reference.
Assume this configuration:
mac access-list extended udld deny any host 0100.0ccc.cccc permit any any ! interface GigabitEthernet2/4 switchport mode trunk udld port aggressive mac access-group udld in !
Note: This ACL does not deny L2 control plane traffic like CDP/UDLD/VTP/PAgP frames with destination MAC = 0100.0ccc.cccc that comes inbound in interface GigabitEthernet2/4.
On Catalyst 4500 switches, there is a system generated inbuilt ACL that punts L2 control plane traffic to CPU which takes precedence over a user defined ACL, in order to classify this traffic. Hence, a user defined ACL does not achieve this purpose. This behavior is specific to Catalyst 4500 platform, other platforms might have different behaviors.
This method can be used to drop the traffic at ingress port or at CPU, if there is a need to do so.
Caution: Steps here are intended to drop all the frames that have destination MAC = 0100.0ccc.cccc that comes in on a specific interface. This MAC address is used by UDLD/DTP/VTP/Pagp control plane Protocol Data Units (PDUs).
Step 1. Enable control-packet Quality of Service (QoS) for cdp-vtp:
Catalyst4500(config)#qos control-packets cdp-vtp
This step generates a system generated ACL:
Catalyst4500#show run | begin system-control
mac access-list extended system-control-packet-cdp-vtp permit any host 0100.0ccc.cccc
Note: A user-defined named MAC ACL (as shown here) can also be used instead of system defined ACL as generated earlier. Either use system generated or user-defined ACL in order to save Ternary Content Addressable Memory (TCAM) resources.
mac access-list extended udld permit any host 0100.0ccc.cccc
Step 2. Create a class-map in order to match the traffic that hits this ACL:
Catalyst4500(config)#class-map cdp-vtp Catalyst4500(config-cmap)#match access-group name system-control-packet-cdp-vtp Catalyst4500(config-cmap)#end Catalyst4500#
Step 3. Create a policy map and police traffic that matches Step 2 class with conform action = drop and exceed action = drop:
Catalyst4500(config)#policy-map cdp-vtp-policy Catalyst4500(config-pmap)#class cdp-vtp Catalyst4500(config-pmap-c)#police 32000 conform-action drop exceed-action drop Catalyst4500(config-pmap-c-police)#end Catalyst4500#
Step 4. Apply the policy-map inbound on the L2 port where this traffic needs to be dropped: