c3750 vlan filter' problem...

Kevin Wang
Level 1

What's wrong with the following configuration? I only want the hosts in the mac access list to communicate with each other, but it doesn't work, why? The test device is c3750.

!
mac access-list extended test-mac
 permit host aaaa.aaaa.aaaa host bbbb.bbbb.bbbb
 permit host bbbb.bbbb.bbbb host aaaa.aaaa.aaaa
 deny   any any
!
!
vlan access-map test-mac 10
 action forward
 match mac address test-mac
vlan access-map test-mac 20
 action drop
!
vlan filter test-mac vlan-list 1
!

acampbell
VIP Alumni

Hi Kevin,

I am assuming that you are saying this is not working because the two devices in the MAC access list cannot ping each other, etc.

What you need to remember is that in the 1st instance they need to find each other.
They need to ARP - ARP goes to the broadcast mac address.

Try changing your MAC access list as follows:

!
no mac access-list extended test-mac
!
mac access-list extended test-mac
 permit host aaaa.aaaa.aaaa host bbbb.bbbb.bbbb
 permit host bbbb.bbbb.bbbb host aaaa.aaaa.aaaa
 permit any any 0x0806 0x0000
 permit any any lsap 0xAAAA 0x0000
 deny   any any
!


The 2 lines:
permit any any 0x0806 0x0000 = THIS ALLOWS ARP
permit any any lsap 0xAAAA 0x0000 = THIS ALLOWS PVST+ TO ALLOW SPANNING TREE


Give it a go

Regards
Alex

Regards, Alex. Please rate useful posts.

The captured packets show that STP and ARP work properly now, but the two hosts still can't communicate with each other...

Kevin Wang
Level 1
Level 1

I've changed the configuration as follows:

!
mac access-list extended test-mac
 permit host aaaa.aaaa.aaaa host bbbb.bbbb.bbbb
 permit host bbbb.bbbb.bbbb host aaaa.aaaa.aaaa
 permit any any 0x0806 0x0000
 permit any any lsap 0xAAAA 0x0000
 permit any any lsap 0x4242 0x0
 permit any any 0x010B 0x0
 deny   any any
!
ip access-list extended test-ip
 permit ip any any
!
vlan access-map test-mac 10
 action forward
 match mac address test-mac
vlan access-map test-mac 15
 action forward
 match ip address test-ip
vlan access-map test-mac 20
 action drop
!
vlan filter test-mac vlan-list 1
!
Now, the two hosts can communicate with each other. It seems like the MAC access list doesn't work properly (I've checked it again and again, there are no typos). Is it a bug?

Kevin,

I don't think this is a bug as such.

When you read the config guides, e.g. 12.2.55SE - Configuring Network Security with ACLs:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swacl.html


An ACL contains an ordered list of access control entries (ACEs). Each ACE specifies permit or deny and a set of conditions the packet must satisfy in order to match the ACE. The meaning of permit or deny depends on the context in which the ACL is used.

The switch supports IP ACLs and Ethernet (MAC) ACLs:

• IP ACLs filter IPv4 traffic, including TCP, User Datagram Protocol (UDP), Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).

• Ethernet ACLs filter non-IP traffic.

So because you are probably testing with IP (ICMP ping, tracert, etc.), you need to invoke an IP access list.

Other newer, smaller switches like the 2960 etc. also say that MAC access lists are only for LAN-BASE licences.

Regards
Alex

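As an added illustration of Alex's point (this is constructed example code, not from the thread or from Cisco), the model below walks a frame through both access-maps: MAC sequences only ever classify non-IP frames, so an IP ping from aaaa to bbbb never matches sequence 10 and falls through to the drop sequence until the IP ACL is added. Assumed: the simplified Frame/ACE fields, and the VACL rule that a deny ACE means "no match in this sequence, try the next one".

```python
# Constructed model of Catalyst 3750 VACL evaluation (illustration only,
# not Cisco code). The MAC ACL is Alex's revised list; lsap matching is
# simplified to a single DSAP value.
from dataclasses import dataclass
from typing import Optional

ETH_IP, ETH_ARP = 0x0800, 0x0806
A, B, C = "aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb", "cccc.cccc.cccc"  # constructed

@dataclass
class Frame:
    src: str
    dst: str
    ethertype: Optional[int] = None  # None for an 802.3/LLC frame
    lsap: Optional[int] = None       # DSAP value for LLC frames

# ACE tuples: (action, src, dst, protocol); protocol None = any protocol
MAC_ACL = [
    ("permit", A, B, None), ("permit", B, A, None),
    ("permit", "any", "any", ETH_ARP),  # permit any any 0x0806 0x0000
    ("permit", "any", "any", 0xAAAA),   # permit any any lsap 0xAAAA 0x0000
    ("deny", "any", "any", None),
]
IP_ACL = [("permit", "any", "any", None)]  # permit ip any any

def acl_lookup(aces, frame, kind):
    """Return the first matching ACE action, or None if nothing matches.
    Rule from the config guide: MAC ACLs see only non-IP frames and IP
    ACLs only IP frames, so the other frame type never matches at all."""
    is_ip = frame.ethertype == ETH_IP
    if (kind == "mac" and is_ip) or (kind == "ip" and not is_ip):
        return None
    for action, src, dst, proto in aces:
        if src not in ("any", frame.src) or dst not in ("any", frame.dst):
            continue
        if proto is None or proto in (frame.ethertype, frame.lsap):
            return action
    return None

def vacl(seqs, frame):
    """Walk access-map sequences in order. A sequence with no match clause
    matches everything; a deny ACE means 'no match here, try the next
    sequence'; running off the end is the implicit drop."""
    for action, kind, aces in seqs:
        if kind is None or acl_lookup(aces, frame, kind) == "permit":
            return action
    return "drop"

ORIGINAL = [("forward", "mac", MAC_ACL), ("drop", None, None)]
FIXED = [("forward", "mac", MAC_ACL), ("forward", "ip", IP_ACL), ("drop", None, None)]

if __name__ == "__main__":
    ping = Frame(A, B, ETH_IP)
    print(vacl(ORIGINAL, ping), vacl(FIXED, ping))  # drop forward
```

Note the side effect of the fix: 'permit ip any any' in sequence 15 forwards IP traffic from every host on the VLAN, not only the two in the MAC list, so the model also reports a third host's IP frames as forwarded.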

When a MAC ACE matched, shouldn't it take the 'action forward'?

When I apply the same MAC access list to an interface, it does work: only the hosts in the MAC ACL can communicate with each other. But when I apply it to a VLAN, it doesn't.

!
mac access-list extended test-mac
 permit host aaaa.aaaa.aaaa host bbbb.bbbb.bbbb
 permit host bbbb.bbbb.bbbb host aaaa.aaaa.aaaa
 deny   any any
!
interface FastEthernet1/0/2
 ...
 ...
 mac access-group test-mac in
 ...
!
