04-28-2003 11:21 PM - edited 03-02-2019 06:59 AM
I'm trying to secure a VLAN using VACL on a 6509 CatOS 5.4(1) and it doesn't work. I have created a MAC ACL, based on the source host MAC and ANY as the destination, example:
set security acl mac test permit host 00-01-02-03-04-05 any
There are 16 ACEs.
I have committed the ACL and mapped it to a VLAN. As I understand, all frames being forwarded in this VLAN will first be checked against the VACL and if there's a match it will be forwarded. But it doesn't work!! A port in the VLAN is connected to another switch and on that switch there are some clients that I want to have access and the rest needs to be denied access. With the above config I haven't put in my notebook MAC, and connecting it to the same VLAN I still have access... Which indicates that the VACL does not work. The VLAN is not routed with the MSFC. I need to use a MAC VACL because of tighter access control.
I haven't used port security because it doesn't support high availability on redundant supervisors. And VACLs are supported with high availability.
I have checked the release notes for newer versions and looked in the bug tool and I can't find any issues with MAC VACLs. I know that the CatOS version is quite old but unless there is a specific issue with VACLs or other we can survive on this version.
If you have any comments/advice please elaborate.
Thank you.
04-29-2003 02:52 AM
See this reference:
IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.
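Added example, not part of the thread and not CatOS code: a small Python model of the rule quoted above, showing why the notebook's IP frames are forwarded even though its MAC is not in the ACL. The notebook MAC, the frame builder, the EtherType/encapsulation checks and the implicit deny at the end of the ACL are assumptions of this model.

```python
import struct

# Model of the quoted rule: IP and IPX frames are not checked against a
# MAC VACL; every other frame type is. EtherType values are standard ones.
ETH_IP, ETH_IPX, ETH_APPLETALK = 0x0800, 0x8137, 0x809B

def classify(frame: bytes) -> str:
    """Return 'ip', 'ipx' or 'mac' for a raw Ethernet frame."""
    type_len = struct.unpack("!H", frame[12:14])[0]
    if type_len >= 0x0600:                    # Ethernet II: field is an EtherType
        ethertype = type_len
    elif frame[14:16] in (b"\xff\xff", b"\xe0\xe0"):
        return "ipx"                          # Novell raw 802.3 or 802.2 IPX SAP
    elif frame[14:17] == b"\xaa\xaa\x03":     # LLC/SNAP: EtherType follows the OUI
        ethertype = struct.unpack("!H", frame[20:22])[0]
    else:
        return "mac"
    return {ETH_IP: "ip", ETH_IPX: "ipx"}.get(ethertype, "mac")

def mac_vacl_verdict(frame: bytes, permitted_sources: set) -> str:
    """Apply a 'permit host <src> any' style MAC ACL to one frame."""
    if classify(frame) != "mac":
        return "forward (MAC VACL not consulted)"
    if frame[6:12] in permitted_sources:
        return "forward (permit ACE)"
    return "drop (implicit deny)"             # assumption: ACL ends in deny

def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace("-", ""))

def eth2(src: bytes, ethertype: int) -> bytes:
    """Constructed broadcast Ethernet II frame with a zero-filled payload."""
    return b"\xff" * 6 + src + struct.pack("!H", ethertype) + b"\x00" * 46

PERMITTED = {mac("00-01-02-03-04-05")}        # the ACE from the question
NOTEBOOK = mac("00-aa-bb-cc-dd-ee")           # constructed, not in the ACL

def demo():
    return {
        "notebook IP": mac_vacl_verdict(eth2(NOTEBOOK, ETH_IP), PERMITTED),
        "notebook AppleTalk": mac_vacl_verdict(eth2(NOTEBOOK, ETH_APPLETALK), PERMITTED),
        "listed host AppleTalk": mac_vacl_verdict(eth2(mac("00-01-02-03-04-05"), ETH_APPLETALK), PERMITTED),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```
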
04-29-2003 03:05 AM
So as I understand it, it is not possible to use a MAC ACL as a filter for any kind of traffic except AppleTalk, DECnet etc. like you could do with port security? Which I can't use... So I have to use IPs... hmmm. Ok. I'll look for another solution. Thanks