MAC ACL match in VACL -3560G

Arthur Kant
Level 1

Hello gang. I'm trying to filter traffic using a VACL that has a MAC access-list used as the definition. We have some traffic being sourced from 00:00:00:00:00:00 that I need to block.

mac access-list extended ALLPERMITL2
 permit any any
mac access-list extended BADL2
 permit host 0000.0000.0000 any
vlan access-map L2MAP 20
 match mac address BADL2
 action drop
vlan access-map L2MAP 30
 match mac address ALLPERMITL2
 action forward
vlan filter L2MAP vlan-list 61

My concern is that I don't think I am implementing this correctly, because I do the following:

#show vlan access-log statistics
VACL Logging Statistics:
        total packets          0
        logged                 0
        dropped                0
        buffered               0
Dropped Packets Statistics:
        no packet buffer       0
        hash queue full        0
        flow table full        0
Misc Information:
        free packet buffers    :8192
        log messages sent      0
        flow table size        0

and don't see anything incrementing. I would think that I would at least see something in "total packets" for stuff that is getting allowed through?

5 Replies

Jon Marshall
Hall of Fame

Arthur

Not all platforms display the actual statistics for that command, so I wouldn't assume it is not working. It's a bit like when you implement PBR, for example, on a hardware switch and the ACL counters don't increment, so the only way of knowing whether it is actually working is to do a traceroute to see the path it takes.

I'm not definitely saying your platform doesn't display it, but is there a way you can test it, perhaps temporarily dropping your own MAC address in the MAC address ACL to see if:

1) it actually is working, and

2) whether you see any increase in the counters

Jon

There must be something wrong with my logic above. I replaced the block ACL with a known MAC of a device and I can still pass traffic to it all day. I would at least think that if I did a show access-list I would be able to see hits for my any any.

Perhaps a MAC ACL in combination with a VACL just isn't supported on these lower switches?

Arthur

My apologies, it's late here and it's been a long day. The 3560, as well as a few other switches (2960, 3750), only supports filtering on MAC addresses in VACLs for non-IPv4 traffic.

So you won't be able to test by just blocking your MAC address and then trying to ping, for example, because it won't block that.

But it should block ARP packets. So if you reboot your laptop, it should have to ARP out for its default gateway, and that should be blocked.

Jon

Thanks for the reply. I will give it a try and see how far I get. That is very frustrating, because all the settings and commands in the CLI help make it seem that this is possible. Do you know of any documentation or links that discuss these limitations further?

daniel.dib
Level 7

From the Cisco configuration guide:

Creating Named MAC Extended ACLs

You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.

Note: You cannot apply named MAC extended ACLs to Layer 3 interfaces.

For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_1_se/configuration/guide/scg3560/swacl.html#wp1289037

Some more information here:

https://supportforums.cisco.com/thread/2082129

Daniel Dib
CCIE #37149

Please rate helpful posts.

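To make the behaviour Jon describes and the configuration guide quotes concrete, here is a small Python model of how the 3560 would evaluate the poster's L2MAP against different frame types. This is an added example, not code from the thread or from Cisco. It parses constructed Ethernet frames and applies the VLAN-map rules from the Catalyst 3560 configuration guide as an assumption: a "match mac address" clause is consulted only for non-IP frames, a frame type (IP or MAC) for which the map has no clause at all is forwarded, and a frame type that has clauses but matches none of them is dropped. The "laptop" MAC address and the frames themselves are made up for the test; "match ip address" clauses are not modelled because the thread's map has none.

```python
"""Model of a Catalyst 3560 VLAN access map (VACL) built from MAC ACLs.

Added example, not code from the original thread. Assumption (taken from the
3560 configuration guide's VLAN-map rules): 'match mac address' clauses are
evaluated only for non-IP frames; a frame type with no clauses in the map is
forwarded; a frame type with clauses but no match is dropped.
"""
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


def mac_to_str(raw: bytes) -> str:
    """Render six raw bytes in IOS dotted form, e.g. 0000.0000.0000."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_ethernet(frame: bytes) -> dict:
    """Return dst, src (IOS dotted form) and EtherType of an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_to_str(dst), "src": mac_to_str(src), "ethertype": ethertype}


def mac_acl_matches(acl: list, pkt: dict) -> bool:
    """A MAC ACL is a list of (action, src, dst) entries; 'any' matches anything.
    The first entry that matches decides; an ACL 'permit' means the VACL clause
    matches (the action then comes from the access-map, not from the ACL)."""
    for action, src, dst in acl:
        if src in ("any", pkt["src"]) and dst in ("any", pkt["dst"]):
            return action == "permit"
    return False  # implicit deny at the end of the ACL: no match


def vacl_decision(access_map: list, mac_acls: dict, frame: bytes) -> str:
    """Evaluate an access map (sequence-ordered (match_type, acl_name, action)
    tuples) against one frame and return 'forward' or 'drop'."""
    if any(match_type == "ip" for match_type, _, _ in access_map):
        raise ValueError("'match ip address' clauses are not modelled here")
    pkt = parse_ethernet(frame)
    # Assumed platform rule: an IP frame is only ever tested against
    # 'match ip address' clauses, so MAC clauses never see IPv4 traffic.
    wanted = "ip" if pkt["ethertype"] == ETHERTYPE_IPV4 else "mac"
    clauses = [c for c in access_map if c[0] == wanted]
    if not clauses:
        return "forward"  # no clause for this frame type: forwarded untouched
    for _, acl_name, action in clauses:
        if mac_acl_matches(mac_acls[acl_name], pkt):
            return action
    return "drop"  # clauses for this type exist but none matched


# The thread's configuration, expressed as data.
MAC_ACLS = {
    "ALLPERMITL2": [("permit", "any", "any")],
    "BADL2": [("permit", "0000.0000.0000", "any")],
}
L2MAP = [
    ("mac", "BADL2", "drop"),           # vlan access-map L2MAP 20
    ("mac", "ALLPERMITL2", "forward"),  # vlan access-map L2MAP 30
]


def build_frame(src: str, dst: str, ethertype: int, payload: bytes = b"\x00" * 46) -> bytes:
    """Constructed test frame: Ethernet header plus padding, no real upper layer."""
    to_raw = lambda m: bytes.fromhex(m.replace(".", ""))
    return to_raw(dst) + to_raw(src) + struct.pack("!H", ethertype) + payload


def run_thread_scenario() -> dict:
    """Which of the poster's test cases the map can actually catch."""
    gw = "ffff.ffff.ffff"        # broadcast, as an ARP request would use
    bad = "0000.0000.0000"       # the source the poster wants to block
    laptop = "0011.2233.4455"    # constructed MAC for Jon's 'block your own MAC' test
    return {
        "ipv4_from_zero_mac": vacl_decision(L2MAP, MAC_ACLS, build_frame(bad, gw, ETHERTYPE_IPV4)),
        "arp_from_zero_mac": vacl_decision(L2MAP, MAC_ACLS, build_frame(bad, gw, ETHERTYPE_ARP)),
        "arp_from_laptop": vacl_decision(L2MAP, MAC_ACLS, build_frame(laptop, gw, ETHERTYPE_ARP)),
        # Same map without the ALLPERMITL2 catch-all at sequence 30:
        "arp_from_laptop_no_catchall": vacl_decision(L2MAP[:1], MAC_ACLS, build_frame(laptop, gw, ETHERTYPE_ARP)),
    }


if __name__ == "__main__":
    for case, verdict in run_thread_scenario().items():
        print(f"{case:30s} -> {verdict}")
```

The first case is the poster's real problem: an IPv4 frame from 0000.0000.0000 is forwarded because the map contains no IP clauses for it, which is why pinging through a MAC-only VACL never shows a drop. The last case is the reason the ALLPERMITL2 sequence is needed at all: once a map has MAC clauses, non-IP frames that match none of them are dropped.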