cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1198
Views
10
Helpful
6
Replies

MAC ACL not working

HCL Support
Level 1
Level 1

Hi, 

The Mac ACL is not supporting two of  below Switches. 

The below mention Switches are of the same make model same IOS ,but at two switches the Mac ACL is working
And on the other switches are not supporting the MAC ACL.

Supporting MAC ACL Switch : 

HadapsarIE_0081_SW#sh ver
Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 09-Feb-12 19:11 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x01400000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(53r)SEY3, RELEASE SOFTWARE (fc1)

HadapsarIE_0081_SW uptime is 16 weeks, 1 day, 3 hours, 10 minutes
System returned to ROM by power-on
System restarted at 10:45:58 IST Wed Feb 15 2017
System image file is "flash:/c2960-lanlitek9-mz.122-55.SE5/c2960-lanlitek9-mz.122-55.SE5.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960-24TC-S (PowerPC405) processor (revision P0) with 65536K bytes of memory.
Processor board ID FCQ1708Y1RV
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

Not supporting ACL : 

BytcoCollege_1169_SW#sh version
Cisco IOS Software, C2960 Software (C2960-LANLITEK9-M), Version 12.2(55)SE5, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Thu 09-Feb-12 19:11 by prod_rel_team
Image text-base: 0x00003000, data-base: 0x01400000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(53r)SEY3, RELEASE SOFTWARE (fc1)

BytcoCollege_1169_SW uptime is 12 weeks, 20 hours, 12 minutes
System returned to ROM by power-on
System restarted at 12:12:51 UTC Wed Mar 15 2017
System image file is "flash:/c2960-lanlitek9-mz.122-55.SE5/c2960-lanlitek9-mz.122-55.SE5.bin"


This product contains cryptographic features and is subject to United
States and local country laws governing import, export, transfer and
use. Delivery of Cisco cryptographic products does not imply
third-party authority to import, export, distribute or use encryption.
Importers, exporters, distributors and users are responsible for
compliance with U.S. and local country laws. By using this product you
agree to comply with applicable laws and regulations. If you are unable
to comply with U.S. and local laws, return this product immediately.

A summary of U.S. laws governing Cisco cryptographic products may be found at:
http://www.cisco.com/wwl/export/crypto/tool/stqrg.html

If you require further assistance please contact us by sending email to
export@cisco.com.

cisco WS-C2960-24TC-S (PowerPC405) processor (revision P0) with 65536K bytes of memory.
Processor board ID FCQ1706Y1TW
Last reset from power-on
1 Virtual Ethernet interface
24 FastEthernet interfaces
2 Gigabit Ethernet interfaces
The password-recovery mechanism is enabled.

6 Replies 6

Mark Malone
VIP Alumni
VIP Alumni

Surprised one is working even after reading the docs requirements , it needs to be on lanbase not lanlite

Creating Named MAC Extended ACLs

You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named

MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.

Note MAC ACLs are supported only when the switch is running the LAN base image.

Hi Mark, 

Thank you very much!!!

But we do not find lanebase image for this PID: WS-C2960-24TC-S

Hi

looks like that platform cant be upgraded at all to base version

https://supportforums.cisco.com/discussion/11664351/cisco-2960-tc-s-lan-lite-lan-base

Hi Mark, 

Please find attached file..

As given in diagram the requirement is like Host 1 should not be able to communicate with other host from LAN and vice versa but host 1 should be able to communicate with router interface and to server across MPLS network.

We are applying below mentioned mac access-list to the switch port on which Host 1 is connected.

Mac access-list extended Test

Permit host ( Host 1’ s mac address) host ( Router f0/0 mac address)

Permit host ( Host 1’ s mac address)  ffff.ffff.ffff 0000.0000.0000 ( Broadcast)

Deny host ( Host 1’ s mac address) any

After applying access-list to the port on which Host 1 is connected. Host 1 is able to communicate with the server and router f0/0 interface and communication within the same LAN is getting blocked. But after few minutes Host 1 starts to communicate with the other hosts from the LAN which should not happen. Please suggest further..

Hi

if its not supported anything could be causing it not to work right in the software itself , im not going to suggest anything as if it was my network I wouldn't even attempt to put something in place that's not supported in the documentation as you could end up with anything happening triggering some other issue ,  ive been there before its caused me nothing but hassle I would avoid it and get something that supports it if you really need it or block it layer 3 or use some other filter method

this is the 2nd doc now saying its not supported too , first doc was version 15 for 2960s this is your 12.2.55 train also stating it

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_55_se/configuration/guide/scg_2960/swacl.html#pgfId-1289037

Hi, 

Could you please suggest how we can prevent a particular MAC from branch end but can from server end. 

Review Cisco Networking for a $25 gift card