dhcp relay (ip helper) bypasses mac acl

tstokkeland
Beginner

I haven't really done much with MAC ACLs before. I have a temporary need to block some devices from getting a DHCP address. It seems the ip helper-address function encapsulates and sends that request before the interface MAC ACL is hit. Is there any documentation anywhere on this?

(The MACs in the list are getting an IP, but any further communication is blocked, as it should be.)

Here is the relevant config (4500 switch with Sup V):

mac access-list extended badGuys
deny   host 2222.2222.2222 any
deny   host 1111.2222.2222 any
permit any any

interface GigabitEthernet6/2
switchport access vlan 500
switchport mode access
mac access-group badGuys in
spanning-tree portfast

interface GigabitEthernet6/3
switchport trunk encapsulation dot1q
switchport mode trunk
mac access-group badGuys in

interface Vlan500
ip address 192.168.1.1 255.255.255.0
ip helper-address 10.5.1.1

Any help appreciated, or an RTFM pointer (I did a lot of searches but found little).

2 ACCEPTED SOLUTIONS

Accepted Solutions

Eugene Lau
Cisco Employee

Hi Thomas,

I'm just on the run at the moment and can't grab the link for you, but if you need a reference, you can search for "Configuring Network Security with ACLs" in the configuration guide for the 4500.

The MAC ACL feature is used for non-IP traffic or certain ethertypes.

If you want to deny certain MACs from connecting to this switch, you can use the

mac-address-table static mac_address vlan vlan_ID drop 

This would drop ALL traffic to and from this host. This feature is documented in the same section as MAC ACLs.

HTH

Eugene.

That's great news Thomas!

By design, today, a MAC access-list does not match on IPv4 packets (this may change if new capabilities are added to this feature).

IPv4 packets are recognised at layer 2 by the ethertype 0x0800, and you'll see this in the sniffer trace. For example, a DHCP request will have this ethertype, hence the MAC ACL will not match (deny or permit).

It's been a while since I've tested something, but from memory I believe that even if you specified an IPv4 ethertype (it's an option after configuring the xxxx.xxxx.xxxx in the extended MAC ACL), the MAC ACL will not match on this frame. You could give this a go and see what happens.

Eugene.
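The ethertype behaviour Eugene describes, modelled as an added Python example (not Cisco code and not from anyone in this thread): it parses constructed Ethernet II frames sent by one of the badGuys hosts and shows that a MAC ACL is never evaluated against the IPv4 (0x0800) DHCP frame, while a static drop entry catches both the DHCP and the ARP frame. The MAC addresses are the ones from the thread's ACL; the frame bytes and the two decision functions are constructed to illustrate the point.

```python
"""Model of why a Catalyst 4500 MAC ACL does not stop DHCP (illustrative, not Cisco code)."""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

# Source MACs denied by the thread's "mac access-list extended badGuys".
BAD_MACS = {"2222.2222.2222", "1111.2222.2222"}


def mac_to_cisco(raw: bytes) -> str:
    """Render 6 raw bytes in Cisco dotted-hex notation (xxxx.xxxx.xxxx)."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_ethernet(frame: bytes) -> dict:
    """Extract dst, src and ethertype from an untagged Ethernet II header (14 bytes)."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_cisco(dst), "src": mac_to_cisco(src), "ethertype": etype}


def mac_acl_decision(frame: bytes) -> str:
    """Simulate 'mac access-group badGuys in': the MAC ACL only sees non-IPv4 frames."""
    hdr = parse_ethernet(frame)
    if hdr["ethertype"] == ETHERTYPE_IPV4:
        return "not-evaluated"  # IPv4 frames bypass the MAC ACL, so DHCP gets through
    if hdr["src"] in BAD_MACS:
        return "deny"
    return "permit"


def static_drop_decision(frame: bytes) -> str:
    """Simulate 'mac-address-table static <mac> vlan <id> drop': any frame to or from the MAC is dropped."""
    hdr = parse_ethernet(frame)
    if hdr["src"] in BAD_MACS or hdr["dst"] in BAD_MACS:
        return "drop"
    return "forward"


def build_frame(src: str, dst: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed sample frame from Cisco-notation MACs: Ethernet II header + payload."""
    to_bytes = lambda m: bytes.fromhex(m.replace(".", ""))
    return struct.pack("!6s6sH", to_bytes(dst), to_bytes(src), ethertype) + payload


# Constructed samples from a badGuys host: a broadcast DHCP DISCOVER (IPv4) and an ARP request.
DHCP_DISCOVER = build_frame("2222.2222.2222", "ffff.ffff.ffff", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
ARP_REQUEST = build_frame("2222.2222.2222", "ffff.ffff.ffff", ETHERTYPE_ARP)

if __name__ == "__main__":
    for name, f in (("DHCP DISCOVER", DHCP_DISCOVER), ("ARP request", ARP_REQUEST)):
        print(f"{name:14} ethertype=0x{parse_ethernet(f)['ethertype']:04x} "
              f"mac-acl={mac_acl_decision(f)} static-drop={static_drop_decision(f)}")
```

Running it prints the DHCP frame as not-evaluated by the MAC ACL but dropped by the static entry, which is the behaviour the original poster observed on the 4500.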

6 REPLIES

Ah, thank you. I will try that.