CISCO 2960-X mac filtering issue (mac Blocked even it is permitted)

itsivi (Level 1)

Dear all,
I have a weird issue. I created a mac access-list with the list of all permitted mac addresses.
It is working on all except one machine: once the access list is configured on the interface, the connection drops.
It is one of the ESXi servers.
Note:
I am sure of the mac address.
It is working on the same switch for other ESXi servers.

config t
no mac access-list extended MAC-Permit
mac access-list extended MAC-Permit
permit host XXXX.XXXX.XXXX any
...(many others, 100s)
deny any any
end

Apply the filter

config t
interface range G2/0/1-29
no mac access-group MAC-Permit in
mac access-group MAC-Permit in
end


Thanks

10 Replies

Hello,

I don't think a MAC access list lets you log anything...

I would use Wireshark to find out what is actually being sent (and subsequently denied)...

Now I found something weird.

Sometimes it works, sometimes not, depending on what other mac addresses are in the access-list.

e.g.

If we have mac addresses for 4 machines A, B, C and D, where A is the machine we have issues with:

If the access list contains A, B and C it works; if I add D, it blocks.

Hello,

Is that with any fourth MAC address you add? Try and configure a high maximum on the port, e.g.:

switchport port-security maximum 132

Hi George,

This is not port-security, I am using the mac access-list.

Is there an option for the maximum number of ACEs in an ACL? Because now I found that it seems that 429 is the limit!!

Thanks

Hello
I assume some of these mac addresses have the same OUI value?
You could probably permit access via their related OUI instead of individually specifying 400+ addresses.

Example:
mac access-list extended stan
permit 0123.45FF.FFFF 0000.00FF.FFFF any  0x806 0x0  <- Ethernet header
permit 4567.89FF.FFFF 0000.00FF.FFFF any  0x806 0x0
deny any any

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community's global network.

Kind Regards
Paul
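The OUI wildcard approach Paul describes, and the "permitted but still blocked" symptom itsivi reports, as an added example that is not part of this thread and not anyone's posted configuration: a small Python script that evaluates a source MAC against a Cisco-style `mac access-list extended` (top-down, first match wins, implicit deny at the end) and reports which ACE matched, then aggregates a flat list of host MACs into one wildcard ACE per OUI. It assumes Cisco wildcard-mask semantics (a 1 bit in the mask means "don't care", a 0 bit must match); the access-list text and MAC addresses below are constructed for the example, not taken from the posts, and no platform ACE limit is modelled.

```python
"""Evaluate a Cisco-style MAC ACL and aggregate MACs by OUI.

Added example for this thread, not from the original posts. Assumes Cisco
wildcard-mask semantics for `mac access-list extended` entries: a 1 bit in
the mask is ignored, a 0 bit must match, entries are checked top-down, the
first match wins, and anything unmatched hits the implicit deny. The ACL
and MACs below are constructed sample data.
"""
import re
from collections import defaultdict

ALL_ONES_48 = (1 << 48) - 1  # wildcard mask that ignores every bit


def mac_to_int(mac):
    """Accept 0050.56aa.0001, 00:50:56:aa:00:01 or 00-50-56-aa-00-01."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def int_to_cisco(value):
    """Render a 48-bit integer in Cisco dotted form (xxxx.xxxx.xxxx)."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_ace(line):
    """Parse the source side of one ACE into (action, address, wildcard_mask).

    Handles 'permit host X any', 'permit X MASK any' and 'deny any any'.
    Returns None for non-ACE lines such as the 'mac access-list' header.
    """
    tokens = line.split()
    if not tokens or tokens[0] not in ("permit", "deny"):
        return None
    action, rest = tokens[0], tokens[1:]
    if rest[0] == "any":
        return action, 0, ALL_ONES_48
    if rest[0] == "host":
        return action, mac_to_int(rest[1]), 0  # exact match, no wildcard bits
    return action, mac_to_int(rest[0]), mac_to_int(rest[1])


def parse_acl(text):
    """Return the ordered list of ACEs found in a pasted access-list block."""
    return [ace for ace in (parse_ace(l) for l in text.splitlines()) if ace]


def ace_matches(ace, mac):
    """A frame matches when every non-wildcard bit of the source equals the ACE."""
    _, addr, mask = ace
    return (mac_to_int(mac) & ~mask) == (addr & ~mask)


def evaluate(acl, mac):
    """Return ('permit' | 'deny', index of the matching ACE or None).

    None means nothing matched and the implicit deny at the end applied.
    The index tells you which line actually caught the frame, which is the
    first thing to check when a MAC is 'blocked even though it is permitted'.
    """
    for i, ace in enumerate(acl):
        if ace_matches(ace, mac):
            return ace[0], i
    return "deny", None


def aggregate_by_oui(macs):
    """Collapse host MACs into one 'permit OUI 0000.00ff.ffff any' ACE per OUI.

    Returns (ace_lines, {oui_int: [member MACs]}). Note the trade-off: the
    wildcard ACE also permits every other device that shares the OUI, so it
    is coarser than a per-host whitelist.
    """
    groups = defaultdict(list)
    for m in macs:
        groups[mac_to_int(m) >> 24].append(m)
    lines = [f"permit {int_to_cisco(oui << 24)} 0000.00ff.ffff any"
             for oui in sorted(groups)]
    return lines, dict(groups)


# Constructed sample access-list (not from the thread).
SAMPLE_ACL = """
mac access-list extended MAC-Permit
 permit host 0050.56aa.0001 any
 permit host 0050.56aa.0002 any
 permit host 0050.56bb.0003 any
 permit 0800.2700.0000 0000.00ff.ffff any
 deny any any
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for mac in ("0050.56aa.0001", "0050.56aa.0009", "08:00:27:12:34:56"):
        print(mac, "->", evaluate(acl, mac))
    hosts = ["0050.56aa.0001", "0050.56aa.0002", "0050.56bb.0003", "0800.2712.3456"]
    lines, groups = aggregate_by_oui(hosts)
    print(f"{len(hosts)} host ACEs collapse to {len(lines)} OUI ACEs:")
    print("\n".join(lines))
```

Running the script prints which ACE each sample MAC hits (the third, written with colons, is caught by the OUI wildcard entry) and shows four host entries collapsing to two OUI entries. Pasting a real `show running-config` access-list block into `parse_acl` and evaluating the problem host's address is a quick way to confirm whether the address is really covered and which line matches before suspecting a platform limit.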

Hi Paul,

This seems a nice idea.

But the question stays the same: where is the configuration to increase the number of ACEs per ACL?

I checked the SDM and it is lanbase-default with

number of IPv4/MAC security aces:                 0.625k

This number is still way more than the 429 entries.

Thanks

Hello

@itsivi wrote:

Hi Paul,

This seems a nice idea.

But the question stays the same: where is the configuration to increase the number of ACEs per ACL?

I checked the SDM and it is lanbase-default with

number of IPv4/MAC security aces:                 0.625k

This number is still way more than the 429 entries.

Thanks

Not so sure there is one unless you change the sdm template.

In any case, if you implement the mac acl as suggested then you don't have to worry about the total number of ACE entries the switch is able to use, as you won't ever reach its defined total, and you will also decrease the CPU/memory utilization of the switch and not have the administrative burden that comes with 400+ ACE entries per port?

Kind Regards
Paul

Thanks Paul
But even after the wildcarding, I still hit more than the 429.
It is very weird that it only supports 429 ACEs!

I am pretty sure there should be a setting to change that, but where is it?

Hello

@itsivi wrote:
Thanks Paul
But even after the wildcarding, I still hit more than the 429.
It is very weird that it only supports 429 ACEs!

I am pretty sure there should be a setting to change that, but where is it?

Hmm... not so sure about that. That would suggest you have over 400 different makes of network cards attaching to your network, which isn't truly possible?

Kind Regards
Paul

The idea is whitelisting specific MACs, not just wildcarding by manufacturer.

But anyway, it is now weirder: I tried another switch, same exact model and software, and it worked just fine!!