C1000 switch PACL MAC filtering not working
11-09-2023 02:29 AM
Hello,
I have got a C1000 switch. IOS is 15.2(7)E6.
I am trying MAC address filtering on the ports.
1. (config) mac access-list extended <named list>
2. (config-ext-macl) permit host <MAC address> any
3. (config-ext-macl) deny any any
4. (config) int range gig 1/0/1-24
5. (config-if-range) mac access-group <named list> in
6. do wr
So I have got a permitted MAC address in the list, but if I plug in a new laptop it gets a connection, IP address, everything.
So the deny any any is not working.
I should use the 'mac access-group <named list> out' command, but the out option is not in the commands.
What can be the solution to block the other laptops which are not on my MAC access list?
I am waiting for your advice.
Thank you.
Kind regards,
Para35
- Labels: LAN Switching, Other Switching
11-09-2023 04:08 AM
Check this link: https://ine.com/blog/an-introduction-to-mac-access-lists
You need to permit/deny ARP.
The MAC ACL cannot filter packets with an IP header.
Thanks A Lot
MHM
11-09-2023 04:21 AM
Hello,
What is the reason for the deny any any in this case? This list is not blocking the port for MAC addresses which are not in the extended list?
So if my goal is to make a full list of 5 laptop MAC addresses which are permitted, but all others should be blocked if their MAC addresses are not part of the list, can I do it with a PACL or do I have to use port security instead?
THX
11-09-2023 05:30 AM - edited 11-09-2023 05:31 AM
Sure, port security with static MAC is the better solution here.
switchport port-security mac-address MAC_address
Note: IP Source Guard needs DHCP snooping on all switches.
Thanks A Lot
MHM
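The port-security approach suggested above, written out as a complete configuration. This is an added example, not config posted in the thread: the VLAN number, interface names and the five MAC addresses are placeholders, and each laptop is pinned to its own access port with a maximum of one secure address. The violation mode is restrict rather than the default shutdown, so an unknown device's frames are dropped and counted but the port stays up.

```cisco
! Added example (not from the thread). Placeholders: VLAN 10, Gi1/0/1-5,
! MAC addresses 0011.2233.4401 .. 0011.2233.4405 for Laptop1 .. Laptop5.
!
! Laptop1: only this one address is allowed on the port; any other source
! MAC is a violation. "restrict" drops the offending frames, raises the
! violation counter and a syslog/SNMP trap, but does not err-disable the port.
interface GigabitEthernet1/0/1
 description Laptop1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4401
!
interface GigabitEthernet1/0/2
 description Laptop2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4402
!
! ... repeat for Gi1/0/3 (Laptop3), Gi1/0/4 (Laptop4), Gi1/0/5 (Laptop5),
! each with its own static secure MAC.
!
! Unused ports: a secure port with no static address learns and admits the
! first MAC it sees (the maximum cannot be 0), so park them in an unused
! VLAN rather than relying on port security alone.
interface range GigabitEthernet1/0/6 - 24
 description unused
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
! Verification: the static entry, the violation counter and the port status.
! show port-security interface GigabitEthernet1/0/1
! show port-security address
! show port-security
```

Two caveats a practitioner will hit. First, this is a per-port binding, not the "any laptop on any port" list the original question asks for: a static secure MAC belongs to one interface, and port security treats the same secure address appearing on a second port in the same VLAN as a violation, so moving Laptop1 from port 1 to port 20 means moving its `switchport port-security mac-address` line too. Second, port security only checks the source MAC; a device that spoofs an allowed address is admitted, so this stops accidental connections, not a deliberate attacker.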
11-09-2023 05:50 AM
Thanks for the answer.
In this case, what is the purpose of this MAC address filtering, if I cannot deny any any and approve just my 5 laptop MAC addresses?
What will be the result of my config? Shouldn't Laptop6 be blocked?
1. (config) mac access-list extended <named list>
2. (config-ext-macl) permit host <MAC address> any
3. (config-ext-macl) deny any any
4. (config) int range gig 1/0/1-24
5. (config-if-range) mac access-group <named list> in
Thanks
11-09-2023 05:54 AM
It does not work; all traffic will be denied, even the traffic from the permitted MAC address.
As I mentioned before, the MAC list does not filter IP packets.
Try port security instead; it is simple and safe.
11-09-2023 05:59 AM
But if I plug in Laptop6, it is connected and gets network, everything. (I believed that with deny any any, it would not get anything.)
So basically all traffic is just going through.
11-09-2023 06:10 AM
As I mentioned, use port security.
A MAC ACL with IP packets and ARP does not work as we need.
Thanks A Lot
MHM
11-09-2023 04:36 AM
From the IOS Configuration Guide for 12.2SXF at
Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A Cisco IOS MAC ACL never matches IP or IPX traffic.
Filtering IP traffic using MAC ACLs will therefore not be possible. Probably using IP Source Guard with source MAC verification could solve your problem.
Best regards
******* If This Helps, Please Rate *******
11-09-2023 04:53 AM
Hello,
I just don't want to shut down the ports, but want to be sure that only those 5 laptops can connect to the switch, by MAC address.
If I have to plug Laptop1 from port 1 into port 20, it should be connected because its MAC address is allowed in the list. And if I plug in Laptop6, it should not be connected/forbidden according to the MAC address list.
I don't want to filter IP.
Do I have to use other solutions?
THX
11-09-2023 05:46 AM - edited 11-09-2023 06:08 AM
It is not going to work that way, I think. Additionally, you should configure an access-map and a vlan filter.
Here are the steps:
1) Create mac-acl
2) Create access-map in that link mac-acl
3) Apply vlan filter command with access-map
Here is the sample configuration:
Catalyst(config)# mac access-list extended M-ARP
Catalyst(config-ext-macl)# permit host 1234.5678.1234 host 1234.5678.abcd 0x0806 0x0
Catalyst(config)# vlan access-map V-MAP 10
Catalyst(config-access-map)# match mac-address M-ARP
Catalyst(config-access-map)# action forward
Catalyst(config)# vlan access-map V-MAP 20
Catalyst(config-access-map)# action drop
Catalyst(config)# vlan filter V-MAP vlan-list 30
Best regards
******* If This Helps, Please Rate *******
