SX300 series FW 1.4.0.88 mac ace wildcard bug

Peter Kvasnica · ‎11-20-2014

Hi! I found a bug on SX300 series FW 1.4.0.88 on mac ace wildcard. The problem is, that the mac address mask is not working. Sample: mac access-list extended test permit any 00:13:21:b4:ea:2e 00:00:00:00:00:11 ace-priority 1 exit interface fastethernet2 description test-device service-acl input test will not accept mac addresses from range 00:13:21:b4:ea:00 - 00:13:21:b4:ea:ff. Thanks

Nagaraja Thanthry · ‎11-22-2014

Hello Peter,

Have you tried entering the command without the "ace-priority 1" keyword?

config t

mac access-list extended test

permit any 00:13:21:b4:ea:2e 00:00:00:00:00:11

exit

interface FastEthernet2

description test-device

service-acl input test

Nagaraja

Peter Kvasnica · ‎11-23-2014

Hello,

yes, i tried with no success.

Also the same problem is on SG500X FW 1.3.7.18 connected to stack with two SG500 switches.

Nagaraja Thanthry · ‎11-23-2014

Hello Peter,

That is interesting because I am able to put those commands into my SG300 switch and the switch accepts it as entered.

Can you please post the output of the same commands over here?

Nagaraja

Peter Kvasnica · ‎11-25-2014

Hello Nagaraja, I am not sure, if you understood problem. The problem is, that mac wildcard doesn't work. Switch accepts commands bud it doesn't work. If you try communicate with for example dst mac adress 00:13:21:b4:ea:21 from port gi9, it will not work. If you try to communicate with dst mac address 00:13:21:b4:ea:2e from port gi9, it will work. Peter

Aleksandra Dargiel · ‎11-26-2014

Hi Peter,

One comment, you have to add ACE allowing ARP. ARP resolution is needed for MAC ACL.

permit any ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 2048 0000 ace-priority 30

Regards,

Aleksandra

Peter Kvasnica · ‎11-26-2014

Hello Alex, I know about arp resolution and I have it there. Bud problem is that wildcard doesn't work. Also now i tested wildcard with protocol spcification: " mac access-list extended test permit any 00:13:21:b4:ea:00 00:00:00:00:00:11 2048 0000 ace-priority 1 permit any ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 2048 0000 ace-priority 50 exit interface fastethernet6 service-acl input test " but also without any success. Peter

Aleksandra Dargiel · ‎11-26-2014

Hi Peter,

Yes I can see the same here. It works only for specific MAC address and it would not work for range.

It would be good idea to open ticket with Small Business Team so they can communicate with engineering.

http://www.cisco.com/c/en/us/support/web/tsd-cisco-small-business-support-center-contacts.html

Regards,

Aleksandra

Peter Kvasnica · ‎11-26-2014

Hi! what version of switch do you have? My is: switch-XXX#sh ver SW version 1.4.0.88 ( date 06-Aug-2014 time 16:55:55 ) Boot version 1.3.5.06 ( date 21-Jul-2013 time 15:12:10 ) HW version V02 switch-XXX#sh run ..... mac access-list extended test permit any 00:13:21:b4:ea:00 00:00:00:00:00:11 2048 0000 ace-priority 1 permit any ff:ff:ff:ff:ff:ff 00:00:00:00:00:00 2048 0000 ace-priority 50 exit interface fastethernet6 service-acl input test on port FA6 is my net device. On port fa24 is my GW with mac address: 00:13:21:b4:ea:2e. I am unable to communicate with device with settings above. Peter

Aleksandra Dargiel · ‎11-26-2014

Hi Peter,

I manged to see the same problem but thank you anyway. Yes if the MAC is matching all works as expected if the MAC is from the range (specified my wildcard mask) the packets are dropped.

Aleksandra