MAC ACL is not working

subrata_mckv
Level 1

Hi,

I want to block a particular PC (MAC address) from accessing a Router (Network) in a simple network as follows:

1.JPG

So, I applied a MAC ACL to the fa2/1 interface of the switch as follows:

Switch(config)#mac access-list extended test1
                    #deny host <mac of PC> any
                    #permit any any
                    #exit
                    #int fa2/1
                    #mac access-group test1 in

But the PC is still able to ping the Router. It seems that the MAC ACL is not working here.

Please let me know what's wrong here.

Thanks,

Subrata

Peter Paluch
Cisco Employee

Subrata,

On 2960 and 3560 Catalyst switches, the MAC ACL applies only to non-IP traffic. If a frame contains an IP packet, the MAC ACL will not have an effect on it. You would need to use IP ACL to filter out your PC on these switches.

What switch and IOS version are you using, anyway?

Best regards,

Peter

Hello Peter,

We are using 6509 Switch with IOS Version 12.2(18)SXF13.

Thanks and regards,

Subrata

Hello Subrata,

My suspicion is confirmed... From the IOS Configuration Guide for 12.2SXF at

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/acl.html#wp1081810

Each type of ACL (IP, IPX, and MAC) filters only traffic of the corresponding type. A Cisco IOS MAC ACL never matches IP or IPX traffic.

Filtering IP traffic using MAC ACLs will therefore not be possible. Perhaps using the IP Source Guard with source MAC verification could solve your needs.

Best regards,

Peter
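
The behaviour described by the guide text quoted in this thread, as an added Python model that is not part of the original posts and is not Cisco code: the frame's type is decided first, and the test1 entries are only consulted for frames that are neither IP nor IPX. The MAC addresses, the 0x88B5 sample frame and all function names are constructed for illustration; the model assumes untagged Ethernet II frames and ignores other IPX encapsulations.

```python
import struct

# Simplified model (assumption of this example): the EtherType decides which
# ACL type may evaluate a frame, following the guide text quoted in the thread.
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPX = 0x8137

PC_MAC = "00:00:5e:00:53:01"      # constructed (documentation range)
ROUTER_MAC = "00:00:5e:00:53:fe"  # constructed
# The thread's ACL: deny host <mac of PC> any / permit any any
TEST1 = [("deny", PC_MAC), ("permit", None)]


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload=b"\x00" * 46):
    """Build an untagged Ethernet II frame (constructed sample input)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def traffic_type(frame):
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_IPV4:
        return "ip"
    if ethertype == ETHERTYPE_IPX:
        return "ipx"
    return "mac"


def mac_acl_verdict(frame, acl):
    """Return (verdict, reason) for an inbound frame on a port with a MAC ACL."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    kind = traffic_type(frame)
    if kind != "mac":
        # The MAC ACL is never consulted, so its deny entry cannot apply.
        return "forward", f"{kind} traffic is never matched by a MAC ACL"
    src = frame[6:12]
    for action, host in acl:
        if host is None or mac_bytes(host) == src:
            return ("forward" if action == "permit" else "drop"), f"matched {action}"
    return "drop", "implicit deny"


if __name__ == "__main__":
    ping = build_frame(ROUTER_MAC, PC_MAC, ETHERTYPE_IPV4)  # carries the ICMP echo
    other = build_frame(ROUTER_MAC, PC_MAC, 0x88B5)         # non-IP test frame
    print("ping  :", mac_acl_verdict(ping, TEST1))
    print("non-IP:", mac_acl_verdict(other, TEST1))
```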