Hello,
We use MAC ACLs to control access to our network.
We have 2 interconnected distribution switches. HSRP runs on both switches and an IP ACL is activated on the SVIs in the inbound direction.
We found that the IP ACL applied to the SVI on the active gateway (SW1) is bypassed if the following conditions are met:
- The host is directly connected to the active gateway
- A MAC ACL is applied to the port
Below is an excerpt of the relevant configuration for VLAN 200 on SW1.
interface GigabitEthernet0/41
 switchport access vlan 200
 switchport mode access
 mac access-group allowed-MAC-M-WIRELESS in
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 no ip unreachables
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt
Is the correlation we are seeing normal?
Thanks in advance for your feedback!
Frank
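Added example, not part of Frank's post: a small Python audit that walks an IOS-style configuration excerpt and lists every Layer 2 port that meets the two conditions the post describes at the same time, an inbound MAC ACL on the port and an inbound IP ACL on the SVI of that port's access VLAN. The sample configuration is constructed from the posted excerpt; GigabitEthernet0/42 is a hypothetical contrast port (same VLAN, no MAC ACL) that does not appear in the original. The script only finds where the two ACL layers overlap on a single port; whether the platform then applies the port ACL, the router ACL or both is a question for the platform's documented ACL precedence rules, not something the script decides.

```python
"""Audit an IOS-style config excerpt for ports where an inbound MAC port ACL
overlaps an inbound IP ACL on the SVI of the port's access VLAN.
Added example; the sample config is constructed, not taken from a live switch."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample. GigabitEthernet0/41 and Vlan200 mirror the posted
# excerpt; GigabitEthernet0/42 is a hypothetical port added for contrast
# (same VLAN, no MAC ACL) and is not in the original post.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/41
 switchport access vlan 200
 switchport mode access
 mac access-group allowed-MAC-M-WIRELESS in
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/42
 switchport access vlan 200
 switchport mode access
 spanning-tree portfast
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 no ip unreachables
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt
"""


@dataclass(frozen=True)
class Finding:
    port: str      # Layer 2 port carrying the MAC ACL
    vlan: int      # access VLAN of that port
    mac_acl: str   # inbound MAC ACL applied on the port
    ip_acl: str    # inbound IP ACL applied on the VLAN's SVI


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group sub-commands under their 'interface <name>' stanza.

    Works on indented IOS output and on excerpts that lost their indentation:
    a stanza runs until the next 'interface' line or an '!' separator.
    """
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "!":
            current = None
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def svi_inbound_ip_acls(stanzas: Dict[str, List[str]]) -> Dict[int, str]:
    """Map VLAN id -> IP ACL applied inbound on 'interface VlanN'."""
    result: Dict[int, str] = {}
    for name, lines in stanzas.items():
        m = re.fullmatch(r"[Vv]lan(\d+)", name)
        if not m:
            continue
        for sub in lines:
            am = re.fullmatch(r"ip access-group (\S+) in", sub)
            if am:
                result[int(m.group(1))] = am.group(1)
    return result


def audit(config: str) -> List[Finding]:
    """Return every access port with an inbound MAC ACL whose VLAN SVI also
    carries an inbound IP ACL (the overlap described in the post)."""
    stanzas = parse_interfaces(config)
    svi_acls = svi_inbound_ip_acls(stanzas)
    findings: List[Finding] = []
    for name, lines in stanzas.items():
        if re.fullmatch(r"[Vv]lan\d+", name):
            continue  # SVIs are the router side, not ports
        vlan = None
        mac_acl = None
        for sub in lines:
            vm = re.fullmatch(r"switchport access vlan (\d+)", sub)
            if vm:
                vlan = int(vm.group(1))
            mm = re.fullmatch(r"mac access-group (\S+) in", sub)
            if mm:
                mac_acl = mm.group(1)
        if mac_acl and vlan in svi_acls:
            findings.append(Finding(name, vlan, mac_acl, svi_acls[vlan]))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.port}: VLAN {f.vlan} has MAC ACL {f.mac_acl} inbound on the "
              f"port and IP ACL {f.ip_acl} inbound on Vlan{f.vlan}")
```

Run against `show running-config` output from both distribution switches; only ports reported by `audit()` on the switch that currently holds the HSRP active role match the conditions in the post, which makes it easy to compare the list of affected ports against the hosts where the IP ACL appears to be bypassed.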