mac access list not working

Natalie Ramirez
Level 1

I created an extended access list and allowed a single mac address in a conference room, so only the VoIP phone will have access with a deny any any at the end.  It did not work, so I removed all permits from the list and just have a single deny any any in the access list, and have it applied to the interface on the 6509 that is in the conference room.  Still, all traffic is flowing with no disruption.

mac access-list extended phone
 deny   any any

interface GigabitEthernet2/14
 switchport
 switchport access vlan 63
 switchport mode access
 switchport voice vlan 73
 mac access-group phone in
end


I can see both the phone and the PC with:

sh mac add | inc 2/14

I can ping both the phone and the PC.  How can I stop communication on a port using a mac access-list? 

Accepted Solution

With 12.2SX, MAC address ACLs do not apply to IP traffic, i.e. they only work for non-IP traffic.

And MAC address ACLs can only be named ACLs, which is why your other ACL didn't work.

So you need to use an IP ACL.

See this link for details:

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/vacl.html#wp1110645

Jon

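The IP ACL approach Jon describes, as an added example that is not from this thread or from Cisco's documentation: a named extended IP ACL applied inbound on the same port so that only the phone's IP traffic is forwarded. The phone address 10.73.0.10 and its placement in voice VLAN 73 are constructed placeholders; the `ip access-group` port-ACL application on a Layer 2 switchport is assumed to be supported on this platform and release.

```cisco
! Named extended IP ACL: only the conference-room phone may send IP traffic
! into the switch on this port. 10.73.0.10 is a constructed placeholder for
! the phone's address in voice VLAN 73; replace it with the real address.
ip access-list extended PHONE-ONLY
 remark Allow DHCP so the phone can still obtain an address (source 0.0.0.0 at boot)
 permit udp any eq bootpc any eq bootps
 remark Traffic from the phone itself
 permit ip host 10.73.0.10 any
 remark Everything else, including the PC on VLAN 63, is dropped
 deny ip any any
!
interface GigabitEthernet2/14
 switchport
 switchport access vlan 63
 switchport mode access
 switchport voice vlan 73
 ip access-group PHONE-ONLY in
!
! Verification: the ACL should show on the interface and the PC's pings should
! now fail; the deny entry's counter should increase as the PC keeps sending.
! show running-config interface GigabitEthernet2/14
! show ip access-lists PHONE-ONLY
```

Two caveats worth keeping in mind. Without the DHCP permit, a bare `deny ip any any` also stops the phone from booting, since its DHCP discover is sent before it has the permitted address. And an IP ACL matches on addresses, not on the source MAC, so a host on the port that configures the phone's address is not blocked by it; if the goal is to pin the port to one device, port security or 802.1X is the control that actually checks the MAC.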

4 Replies

Jon Marshall
Hall of Fame

What version of software are you running on your 6500 ?

Jon

s3223-ipbase-mz.122-33.SXJ2.bin


I also just tried creating access list 701


access-list 701 deny 0000.0000.0000 ffff.ffff.ffff

but when I attempt to apply it to the interface, I get:

mac access-group 701 in

% Invalid access list name.

Not sure if this is a clue as to what is wrong. 
