03-07-2026 02:53 PM
Hello,
I was wondering whether it is possible to have multiple MAC addresses bound to the same IP.
And the switch takes the top to bottom approach until it finds a match.
Let's say aaaa.bbbb.cc13 is the matching one.
permit ip host 10.0.0.1 mac host aaaa.bbbb.cc11 log
permit ip host 10.0.0.1 mac host aaaa.bbbb.cc12 log
permit ip host 10.0.0.1 mac host aaaa.bbbb.cc13 log
Thanks.
03-08-2026 01:11 AM
whether it is possible to have multiple MAC addresses bound to same IP.
In the same broadcast domain, there will be a conflict.
In general, you can have that ACL in place, but the process is top-to-bottom (as you already mentioned).
While the ACL will "permit" the traffic, you should be aware of how other switch features, such as ARP Table, IPSG, and IPDT, work in new Modern switches like Cat 9K.
===== Preenayamo Vasudevam =====
***** Rate All Helpful Responses *****
03-08-2026 01:13 AM
In an ACL evaluation, the device will take the top-down approach, but you cannot have multiple MAC addresses for one single IP address. The ARP response is not based on ACL permit or not; rather, the ARP protocol will check whether the frame is intended for that IP and will reply or not based on the destination MAC address.
You can implement an ACL based on MAC address, but you cannot interfere with how the ARP protocol works based on an ACL.
03-08-2026 07:44 PM
Thank you both for your comments.
Since I have not mentioned it explicitly in the beginning, please note that we have to factor in DAI and DHCP Snooping, and their relationship to each other.
In general, Dynamic ARP Inspection queries the DHCP snooping database to learn about MAC/IP bindings.
Since the device is set to a static IP, ARP inspection is using a MAC ACL to permit the packets.
In short:
This is an untrusted port.
SG is not configured on the port.
DHCP snooping is enabled.
DAI uses MAC ACL per VLAN.
The endstation is set up with a static IP - no DHCP Request is sent (!)
And this is the flow I was looking for:
Packet Flow for Static IP on Untrusted Port
1. Ingress & MAC Learning: The endstation sends a Gratuitous ARP (GARP) upon connection. The switch receives this frame on the untrusted ingress port and adds the source MAC to its MAC address table.
2. DAI Interception: Because the port is untrusted, the switch intercepts the ARP packet for validation before updating the ARP cache or forwarding the frame.
3. ACL Lookup (Top-Down):
• The switch first checks the packet against user-configured ARP ACLs.
• This lookup follows a strict top-down approach; the first match determines the action (permit or deny).
• Priority: ARP ACLs take precedence over the DHCP snooping binding database.
4. Permit & Forwarding: If the ARP ACL contains a permit entry for that specific IP-to-MAC binding, the packet is allowed.
5. Logging: The permit or drop actions can be tracked via syslog messages if the log keyword is included in the ACL entry or if global DAI logging is enabled.
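The following is an added example, not code from the thread or from Cisco: a small Python model of the lookup order described in steps 3 and 4 above. It evaluates an ARP ACL top-down, with the first matching (sender IP, sender MAC) entry deciding permit or deny, and only consults the DHCP snooping binding database when no ACL entry matches. It also models the IOS `static` keyword on `ip arp inspection filter`, which turns a non-match into an implicit deny instead of falling through to the binding database. The ACL entries mirror the three lines from the original question; the binding database contents and the packets are constructed for illustration.

```python
"""Toy model of DAI validation order on an untrusted port (added example).

Order modelled: user ARP ACL (top-down, first match wins) -> DHCP snooping
binding database (only if no ACL entry matched and the filter is not static).
All addresses and the binding database below are constructed sample values.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ArpAclEntry:
    action: str        # "permit" or "deny"
    ip: str            # sender IP this entry matches (host match)
    mac: str           # sender MAC this entry matches (host match)
    log: bool = False  # the "log" keyword: record the match via syslog


@dataclass(frozen=True)
class ArpPacket:
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Compare aaaa.bbbb.cc13, aa:aa:bb:bb:cc:13 and aa-aa-bb-bb-cc-13 as one value."""
    return "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")


def evaluate_arp_acl(entries: List[ArpAclEntry], pkt: ArpPacket) -> Tuple[Optional[int], str, bool]:
    """Top-down scan; returns (1-based sequence of first match, action, log flag)."""
    for idx, entry in enumerate(entries):
        if entry.ip == pkt.sender_ip and normalize_mac(entry.mac) == normalize_mac(pkt.sender_mac):
            return idx + 1, entry.action, entry.log
    return None, "no-match", False


def dai_validate(entries: List[ArpAclEntry], bindings: Dict[str, str],
                 pkt: ArpPacket, static_filter: bool = False) -> Tuple[str, str]:
    """Returns (verdict, reason). The ARP ACL takes precedence over the binding DB."""
    seq, action, log = evaluate_arp_acl(entries, pkt)
    if seq is not None:
        return action, f"arp-acl seq {seq}" + (" [log]" if log else "")
    if static_filter:
        # 'static' keyword: no fallthrough to the DHCP snooping database
        return "deny", "arp-acl implicit deny (static filter)"
    if bindings.get(pkt.sender_ip) == normalize_mac(pkt.sender_mac):
        return "permit", "dhcp-snooping binding"
    return "deny", "no dhcp-snooping binding"


# The three entries from the question: same IP, three different MACs.
ARP_ACL = [
    ArpAclEntry("permit", "10.0.0.1", "aaaa.bbbb.cc11", log=True),
    ArpAclEntry("permit", "10.0.0.1", "aaaa.bbbb.cc12", log=True),
    ArpAclEntry("permit", "10.0.0.1", "aaaa.bbbb.cc13", log=True),
]

# Constructed DHCP snooping binding database: one DHCP-learned client.
BINDINGS = {"10.0.0.50": normalize_mac("aaaa.bbbb.dd50")}


def demo(static_filter: bool = False) -> Dict[str, Tuple[str, str]]:
    """Run a few constructed ARP packets through the model and collect verdicts."""
    packets = {
        "static-host-cc13": ArpPacket("10.0.0.1", "aaaa.bbbb.cc13"),   # 3rd ACL entry
        "static-host-cc14": ArpPacket("10.0.0.1", "aaaa.bbbb.cc14"),   # no ACL entry
        "dhcp-client":      ArpPacket("10.0.0.50", "aa:aa:bb:bb:dd:50"),  # in binding DB
        "wrong-mac-for-ip": ArpPacket("10.0.0.50", "aaaa.bbbb.cc13"),  # binding mismatch
    }
    return {name: dai_validate(ARP_ACL, BINDINGS, pkt, static_filter)
            for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in demo().items():
        print(f"{name:18} -> {verdict:6} ({reason})")
```

Running it shows the point of the thread in one place: the three same-IP entries coexist without conflict because matching is on the (IP, MAC) pair, the cc13 packet is permitted by sequence 3, a fourth MAC with no entry falls back to the binding database and is dropped because a static host never created a binding, and with `static_filter=True` that same packet is denied without the database being consulted at all.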
03-09-2026 02:51 AM
The flow seems to make sense, but I will stick with what I said before. You are mixing up how switches treat frames at the data plane level and how they treat them at the control plane level.
ARP is control plane. You don't have control over it. This is hard-coded. Switches will always behave similarly.
An ACL can control the data plane only.
03-09-2026 02:08 PM
No problem.
Then I suggest reviewing DAI and DHCP, their dependencies and how they work together.
There are some great Cisco Docs available explaining what we discussed, like this one: https://www.cisco.com/c/en/us/support/docs/switches/lan-switch-software/222274-troubleshoot-dynamic-arp-inspection-dai.html#:~:text=The%20Middle%20attack.-,Scenario%20with%20DHCP%20Snooping,be%20allowed%20on%20trusted%20ports.