02-10-2014 02:34 PM - last edited on 03-25-2019 04:28 PM by ciscomoderator
Hello gang.. I'm trying to filter traffic using a VACL that has a MAC access-list used as the definition. We have some traffic being sourced from 00:00:00:00:00:00 that I need to block.
mac access-list extended ALLPERMITL2
 permit any any
mac access-list extended BADL2
 permit host 0000.0000.0000 any
vlan access-map L2MAP 20
 match mac address BADL2
 action drop
vlan access-map L2MAP 30
 match mac address ALLPERMITL2
 action forward
vlan filter L2MAP vlan-list 61
My concern is I don't think I am implementing this correctly because I do the following:
#show vlan access-log statistics
VACL Logging Statistics:
total packets 0
logged 0
dropped 0
buffered 0
Dropped Packets Statistics:
no packet buffer 0
hash queue full 0
flow table full 0
Misc Information:
free packet buffers :8192
log messages sent 0
flow table size 0
and don't see anything incrementing. I would think that I would at least see something in "total packets" for stuff that is getting allowed through?
02-10-2014 02:56 PM
Arthur
Not all platforms display the actual statistics for that command so I wouldn't assume it is not working. It's a bit like when you implement PBR for example on a hardware switch and the ACL counters don't increment, so the only way of knowing whether it is actually working is to do a traceroute to see the path it takes.
I'm not definitely saying your platform doesn't display it but is there a way you can test it, perhaps temporarily dropping your own mac address in the mac address acl to see if -
1) it actually is working
and
2) whether you see any increase in the counters
Jon
02-10-2014 03:48 PM
There must be something wrong with my logic above. I replaced the block ACL with a known MAC of a device and I can still pass traffic to it all day. I would at least think that if I did a show access-list I would be able to see hits for my any any.
Perhaps MAC ACL in combo with VACL just isn't supported on these lower switches?
02-10-2014 04:22 PM
Arthur
My apologies, it's late here and it's been a long day. The 3560 as well as a few other switches (2960, 3750) only support filtering on mac addresses in VACLs for non IPv4 traffic.
So you won't be able to test by just blocking your mac address and then trying to ping for example because it won't block that.
But it should block ARP packets. So if you reboot your laptop then it should have to ARP out for its default gateway and that should be blocked.
Jon
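To make Jon's point concrete, here is an added example (not from the thread or from Cisco) that models the poster's L2MAP as data and applies it to constructed Ethernet frames. It assumes the 2960/3560/3750 behaviour Jon describes: IPv4 frames are never evaluated against `match mac address` entries and, having no clause for their packet type, are forwarded (that default is an assumption drawn from his note, toggled by `mac_filter_non_ipv4_only`); ARP frames from 0000.0000.0000 hit sequence 20 and are dropped.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806

def parse_frame(frame: bytes):
    """Return (dst_mac, src_mac, ethertype) from a raw Ethernet II header (hex strings, int)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return dst.hex(), src.hex(), ethertype

# The thread's configuration as data: (action, src-match, dst-match); None means "any".
MAC_ACLS = {
    "BADL2": [("permit", "000000000000", None)],  # permit host 0000.0000.0000 any
    "ALLPERMITL2": [("permit", None, None)],      # permit any any
}
# vlan access-map L2MAP, walked in sequence order: (sequence, match mac address, action)
ACCESS_MAP = [(20, "BADL2", "drop"), (30, "ALLPERMITL2", "forward")]

def mac_acl_matches(acl_name, src, dst):
    """True when the frame hits a permit ACE of the named MAC ACL (implicit deny otherwise)."""
    for action, want_src, want_dst in MAC_ACLS[acl_name]:
        if want_src in (None, src) and want_dst in (None, dst):
            return action == "permit"
    return False

def vacl_action(frame: bytes, mac_filter_non_ipv4_only=True):
    """Return 'drop' or 'forward' for one frame under L2MAP.
    With mac_filter_non_ipv4_only (the 2960/3560/3750 behaviour Jon describes),
    IPv4 frames are never evaluated against 'match mac address' entries; the map
    then has no clause for that packet type and the frame is forwarded (assumption)."""
    dst, src, ethertype = parse_frame(frame)
    if mac_filter_non_ipv4_only and ethertype == ETHERTYPE_IPV4:
        return "forward"
    for _, acl, action in ACCESS_MAP:
        if mac_acl_matches(acl, src, dst):
            return action
    return "drop"  # implicit deny at the end of the access-map

def build_frame(src, dst, ethertype):
    """Constructed sample frame: 14-byte Ethernet II header plus a dummy payload."""
    header = bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", ethertype)
    return header + b"\x00" * 28

if __name__ == "__main__":
    for name, etype in (("ARP", ETHERTYPE_ARP), ("IPv4", ETHERTYPE_IPV4)):
        frame = build_frame("000000000000", "ffffffffffff", etype)
        print(name, "from 0000.0000.0000 ->", vacl_action(frame))
```

Running it shows why a ping test from a blocked MAC still succeeds while a reboot (ARP for the gateway) is the test that actually exercises the map.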
02-10-2014 04:49 PM
Thanks for the reply. I will give it a try and see how far I get. That is very frustrating because all settings and commands in CLI help make it seem that this is possible. Do you know any documentation or links that discuss these limitations further?
02-10-2014 09:21 PM
From the Cisco configuration guide:
You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
Note: You cannot apply named MAC extended ACLs to Layer 3 interfaces.
For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.
Some more information here:
https://supportforums.cisco.com/thread/2082129
Daniel Dib
CCIE #37149
Please rate helpful posts.