Ethertype Class Map IP and MAC being ignored?
10-12-2013 09:54 AM
Hi, I need someone to confirm my findings for this problem.
So I've got a SG300-10 10-Port Gigabit Managed Switch (Firmware 1.3.0.62) in L3 Mode and QoS Mode in Advanced.
So if I make a MAC-Based ACL without entering an Ethertype, and make an IPv4-Based ACL and/or IPv6-Based ACL, and make a Class Map for IP and MAC, it bases the non-entered Ethertype on IPv4 or IPv6 for the map, which is Ethertype (IPv4) 0800 or (IPv6) 86dd. This I'm fine with because no Ethertype was entered. But my problem, which I need someone to verify as a problem, is this: when you enter an Ethertype that's anything you need it to be, e.g. 8888 or 809, for a MAC-Based ACL, and make an IPv4-Based ACL and/or IPv6-Based ACL, then when you make a Class Map for IP and MAC the Ethertype is being ignored, and I don't want it ignored.
Can someone please confirm this so that it's not just me?
Thanks
- Labels: Small Business Switches
10-18-2013 09:44 AM
Dear Peter,
Thank you for reaching the Small Business Support Community.
It's been several days since you posted your request for support and unfortunately none of the community members have replied yet, and therefore I suggest you inquire about this on a different support channel available to you:
https://supportforums.cisco.com/community/netpro/small-business/sbcountrysupport
I am afraid I do not have an answer for you myself. Please do not hesitate to reach me back if there is any further assistance I may help you with.
Kind regards.
Jeffrey Rodriguez S. .:|:.:|:.
Cisco Customer Support Engineer
*Please rate the Post so others will know when an answer has been found.
10-18-2013 04:19 PM
Yes, it's just odd that with a Managed Switch there are no ARP controls, and I mean more than ARP Access Control Rules: really no range for the ARP IP sender and MAC, let alone target IP, that I've maxed out. It's just odd at this level that's all the ARP controls we get.
Anyway, my point is that IPv4-Based ACL and IPv6-Based ACL are just that, based on locations. By all means, if an Ethertype in the MAC-Based ACL is not entered, base it on (IPv4) 0800 or (IPv6) 86dd, but when one is entered, match it, and match it in the Class Map for IP and MAC so that it must match those bits.
MAC Ethertype and IPv4 locations
[00 00 00 00 00 00] [00 00 00 00 00 00][08 00]00 00
00 00 00 00 00 00 00 00 00 00 [c0 a8 00 00] [02 02
02 02] 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
MAC Ethertype and IPv4 locations
[00 00 00 00 00 00] [00 00 00 00 00 00][08 06]00 00
00 00 00 00 00 00 00 00 00 00 [00 00[c0 a8] [00 00]
00 00] 00 00 00 00[02 02 02 02]00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00
So OK, the locations don't match for 0806 to where 0800, but that's not a problem because they're just bits, and it just so happens that the IPv4-Based ACL Source IP and Destination IP overlap the Ethertype 0806 for sender IP. By entering a Source IP based on IPv4 locations, 0.0.192.168, the last bits c0 a8 (.192.168) are matched using 255.255.0.0, and then to match the last bits in 0806 you use a Destination IP based on IPv4 locations, 0.0.0.0, using 255.255.255.255. This would then allow a 0806 sender IP of 192.168.0.0 to 192.168.255.255 to be dropped/allowed when combined in a Class Map for IP and MAC.
Problem is, as my post lists, Ethertype Class Map IP and MAC being ignored.
Really I would be better off if there was a HEX ACL where you can enter your bits to match here, and from these bits to these bits for a range.
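Added example, not part of the original posts and not the switch's own matching logic: a simplified model of the byte-offset overlap described in the post above, showing which frames the Source IP 0.0.192.168 / 255.255.0.0 rule selects when the Ethertype 0806 is enforced and when it is ignored. The function names, the sample addresses, and the reading of the mask as a wildcard (1 bits ignored, as the post uses it) are assumptions.

```python
import struct

# Assumed model for illustration only; not the SG300's actual matching logic.
IPV4_SRC_OFF = 14 + 12   # IPv4 source address: frame bytes 26..29
IPV4_DST_OFF = 14 + 16   # IPv4 destination address: frame bytes 30..33

def ip(text):
    return bytes(int(part) for part in text.split("."))

def arp_frame(sender_ip, target_ip):
    """Constructed Ethernet + ARP request with zeroed MACs, like the dumps in the post."""
    eth = bytes(12) + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # htype, ptype, hlen, plen, oper
    # sender MAC at 22..27, sender IP at 28..31, target MAC at 32..37, target IP at 38..41
    return eth + arp + bytes(6) + ip(sender_ip) + bytes(6) + ip(target_ip)

def ipv4_frame(src, dst):
    """Constructed Ethernet + bare 20-byte IPv4 header (no payload)."""
    eth = bytes(12) + struct.pack("!H", 0x0800)
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20, 0, 0, 64, 17, 0)
    return eth + hdr + ip(src) + ip(dst)

def field_match(frame, off, value, wildcard):
    """Compare the 4 bytes at off; mask bits set to 1 are ignored."""
    got = frame[off:off + 4]
    return all(((g ^ v) & ~w & 0xFF) == 0
               for g, v, w in zip(got, ip(value), ip(wildcard)))

def class_map_match(frame, ethertype=None):
    """IP rule from the post; ethertype=None models the Ethertype being ignored."""
    if ethertype is not None and frame[12:14] != struct.pack("!H", ethertype):
        return False
    return (field_match(frame, IPV4_SRC_OFF, "0.0.192.168", "255.255.0.0")
            and field_match(frame, IPV4_DST_OFF, "0.0.0.0", "255.255.255.255"))

def demo():
    arp_in = arp_frame("192.168.5.9", "192.168.0.1")     # constructed samples
    arp_out = arp_frame("10.0.0.1", "192.168.0.1")
    ipv4 = ipv4_frame("10.1.192.168", "198.51.100.7")
    return {
        "ARP sender 192.168.5.9, 0806 enforced": class_map_match(arp_in, 0x0806),
        "ARP sender 10.0.0.1, 0806 enforced": class_map_match(arp_out, 0x0806),
        "IPv4 src 10.1.192.168, Ethertype ignored": class_map_match(ipv4),
        "IPv4 src 10.1.192.168, 0806 enforced": class_map_match(ipv4, 0x0806),
    }

if __name__ == "__main__":
    for case, matched in demo().items():
        print(f"{case}: {matched}")
```

With the Ethertype ignored, the same offsets also match an ordinary IPv4 packet whose source address ends in .192.168, so the rule selects only ARP when the entered Ethertype is honored.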
