10-17-2018 02:57 AM - edited 03-08-2019 04:24 PM
Dear all,
I have a weird issue, I created a mac access-list with the list of all permitted mac addresses.
It is working on all except one machine, once the access list is configured on interface, the connection drops.
It is one of the ESXi servers.
Note:
I am sure of the mac address
It is working on the same switch for other ESXi servers
config t
no mac access-list extended MAC-Permit
mac access-list extended MAC-Permit
 permit host XXXX.XXXX.XXXX any
 ...(many others, 100s)
 deny any any
end
Apply the filter
config t
interface range G2/0/1-29
 no mac access-group MAC-Permit in
 mac access-group MAC-Permit in
end
Thanks
10-17-2018 10:32 AM
Hello,
I don't think a MAC access list lets you log anything...
I would use Wireshark to find out what is actually being sent (and subsequently denied)...
10-17-2018 01:57 PM
Now I found something weird.
Sometimes it works, sometimes not, depending on what other mac addresses are in the access-list.
e.g.
If we have mac addresses for 4 machines A,B,C and D where A is the machine we have issues with.
If the access list contains A, B and C it works; if I add D it blocks.
10-17-2018 02:02 PM
Hello,
Is that with any fourth MAC address you add? Try and configure a high maximum on the port, e.g.:
switchport port-security maximum 132
10-18-2018 01:04 AM
Hi George,
This is not port-security, I am using the mac access-list.
Is there an option for the maximum number of ACEs in an ACL? Because now I found that 429 seems to be the limit!!
Thanks
10-18-2018 03:14 AM - edited 10-18-2018 03:16 AM
Hello
I assume some of these mac addresses have the same OUI value?
You could probably permit access via their related OUI instead of individually specifying 400+ addresses.
Example:
mac access-list extended stan
permit 0123.45FF.FFFF 0000.00FF.FFFF any 0x806 0x0 <- Ethernet header
permit 4567.89FF.FFFF 0000.00FF.FFFF any 0x806 0x0
deny any any
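The OUI-wildcard idea above can be scripted rather than typed by hand. The following is an added example, not code from the thread or from Cisco: it takes a constructed whitelist, collapses every OUI that covers at least two hosts into one wildcard ACE (Cisco MAC ACL masks use 1 bits for "don't care", so 0000.00ff.ffff ignores the last three bytes), keeps single NICs as host entries, and refuses to emit an ACL that exceeds a caller-supplied ACE limit such as the 429 observed in the thread. The ethertype qualifier from the post is omitted, so each ACE matches all frame types.

```python
"""Collapse a MAC whitelist into OUI-wildcarded Cisco MAC ACL entries (added example)."""
import re
from collections import defaultdict

# Constructed sample whitelist (not real hosts): two OUIs with several NICs
# each, plus one lone address that will keep its own host entry.
SAMPLE_MACS = [
    "0123.4500.0001", "01:23:45:00:00:a2", "0123.45ab.cdef",
    "45-67-89-00-00-10", "4567.8900.0011",
    "89ab.cd00.0042",
]


def normalize(mac):
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff; return Cisco dotted form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_aces(macs, min_group=2):
    """Return ACE lines: one OUI wildcard per OUI with >= min_group hosts,
    a host entry for every other address, and a final explicit deny."""
    by_oui = defaultdict(set)
    for mac in macs:
        dotted = normalize(mac)
        by_oui[dotted[:7]].add(dotted)  # 'aabb.cc' = first three bytes = OUI
    aces = []
    for oui in sorted(by_oui):
        hosts = sorted(by_oui[oui])
        if len(hosts) >= min_group:
            # Mask 0000.00ff.ffff: match the OUI, ignore the NIC-specific bytes.
            aces.append(f"permit {oui}00.0000 0000.00ff.ffff any")
        else:
            aces.extend(f"permit host {h} any" for h in hosts)
    aces.append("deny any any")
    return aces


def render_acl(name, macs, ace_limit=None):
    """Render the full 'mac access-list extended' block; raise if it exceeds ace_limit."""
    aces = build_aces(macs)
    if ace_limit is not None and len(aces) > ace_limit:
        raise ValueError(f"{len(aces)} ACEs exceed the platform limit of {ace_limit}")
    return "\n".join([f"mac access-list extended {name}", *(" " + a for a in aces)])


if __name__ == "__main__":
    print(render_acl("MAC-Permit", SAMPLE_MACS, ace_limit=429))
```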
10-18-2018 03:28 AM
Hi Paul,
This seems a nice idea.
But the question stays the same: where is the configuration to increase the number of ACEs per ACL?
I checked the SDM and it is lanbase-default with
number of IPv4/MAC security aces: 0.625k
This number is still way more than the 429 entries.
Thanks
10-18-2018 04:03 AM
Hello
@itsivi wrote:
Hi Paul,
This seems a nice idea.
But the question stays the same: where is the configuration to increase the number of ACEs per ACL?
I checked the SDM and it is lanbase-default with
number of IPv4/MAC security aces: 0.625k
This number is still way more than the 429 entries.
Thanks
Not so sure there is one, unless you change the SDM template.
In any case, if you implement the MAC ACL as suggested then you don't have to worry about the total number of ACE entries the switch is able to use, as you won't ever reach its defined total, and you will also decrease the CPU/memory utilization of the switch and not have the administrative burden that comes with 400+ ACE entries per port.
10-18-2018 04:39 AM
10-18-2018 05:32 AM
Hello
@itsivi wrote:
Thanks Paul
But even after the wildcarding, I still hit more than the 429.
It is very weird that it only supports 429 ACE !
I am pretty sure there should be a setting to change that, but where is it?
Hmm... not so sure about that. That would suggest you are saying you have over 400 different makes of network cards attaching to your network, which isn't truly possible?
10-18-2018 05:39 AM
The idea is whitelisting specific MACs, not just wildcarding by manufacturer.
But anyway, it is now weirder: I tried another switch, same exact model and software, and it worked just fine!!