bryantsteve
Beginner

MAC ACL on 3750 switch

On a c3750 switch running 12.2(55)SE2, as an alternative to static port security I'm trying to use a MAC ACL on a group of switch ports in a lab area where users need to be able to move around to different ports. The ACL looks like this:

Extended MAC access list lab
    permit host <mac address#1> any
    permit host <mac address#2> any
    permit host <mac address#3> any
    etc
    deny any any

and applied to desired ports

interface g1/0/18
 mac access-group lab in

As far as I can tell the ACL has no effect in filtering MAC addresses, either to permit or deny. What am I missing?

1 ACCEPTED SOLUTION

cadet alain
Mentor

Hi,

MAC ACL will only work for non IP traffic.

Regards.

Alain

Don't forget to rate helpful posts.



I looked at the command ref link you posted and I don't see it. Am I missing something? In fact, the mac access-list extended command has a protocol argument, and one of the valid values is ip.

Yes, I see what you mean. I believe the thing is that in the doc there is first a description of a MAC ACL <700-799>, which is available as an option on switches running in Layer 3 IP routing mode, then followed by mac access-list extended, which for whatever reason will only filter non-IP traffic. My 3750 switch is running IP Base IOS code at Layer 2 and the only command option I'm seeing in that mode for MAC ACLs is the mac access-list extended.

Peter Paluch
Hall of Fame Cisco Employee

Hello,

The capability of MAC ACLs to filter IP traffic depends very strongly on the particular platform. The link Alain posted is taken from the general IOS documentation and not from the documentation related to a particular switch. However, if looking specifically at the 3750, these are the appropriate documents:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_2_se/configuration/guide/swacl.html#wp1289037

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/15.0_2_se/command/reference/cli1.html#wp11902410

Both stress that MAC ACLs are for non-IPv4 traffic.

Best regards,

Peter
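
The behaviour described in this thread, turned into a config check as an added example (not from any poster or from Cisco documentation): it lists ports that have an inbound MAC ACL and reports whether port security is also enabled, since the MAC ACL alone does not filter IPv4 frames on the 3750. The function name, sample config and MAC addresses are constructed for illustration.

```python
import re

# Constructed sample config; MAC addresses and interfaces are made up.
SAMPLE_CONFIG = """\
mac access-list extended lab
 permit host 0000.1111.aaaa any
 permit host 0000.1111.bbbb any
 deny any any
!
interface GigabitEthernet1/0/18
 mac access-group lab in
!
interface GigabitEthernet1/0/19
 switchport port-security
 mac access-group lab in
!
interface GigabitEthernet1/0/20
 switchport mode access
"""

def audit_mac_acl_ports(config):
    """Report each interface that relies on an inbound MAC ACL (hypothetical helper)."""
    acls, ifaces, current = {}, {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):  # an unindented line opens a new section
            m = re.match(r"(mac access-list extended|interface) (\S+)", raw)
            if m:
                store = acls if m.group(1) != "interface" else ifaces
                current = store.setdefault(m.group(2), [])
            else:
                current = None
        elif current is not None:
            current.append(raw.strip())
    findings = []
    for iface, lines in ifaces.items():
        for line in lines:
            m = re.match(r"mac access-group (\S+) in$", line)
            if not m:
                continue
            entries = acls.get(m.group(1), [])
            findings.append({
                "interface": iface,
                "acl": m.group(1),
                "permitted_hosts": re.findall(r"permit host (\S+) any", "\n".join(entries)),
                # The MAC ACL is not applied to IPv4 frames on this platform, so
                # only port security restricts source MACs for IPv4 traffic here.
                "ipv4_mac_restricted": "switchport port-security" in lines,
            })
    return findings
```

Any finding with ipv4_mac_restricted set to False marks a port where the permit list gives no control over which hosts can send IPv4 traffic.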

Ok, I see the first line in the config guide says "You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface" (does this imply you CAN filter IPv6?).

Thanks for the clarification Peter.

Peter Paluch
Hall of Fame Cisco Employee

Hello,

You are welcome!

(does this imply you CAN filter IPv6?)

Yes, that is my understanding although I haven't tested it personally yet.

Best regards,

Peter