08-22-2012 10:40 AM - edited 03-07-2019 08:29 AM
On c3750 switch running 12.2(55)SE2, as an alternate to static port security I'm trying to use MAC acl on a group of switch ports in a lab area where users need to be able to move around to different ports. ACL looks like this:
mac access-list extended lab
 permit host <mac address#1> any
 permit host <mac address#2> any
 permit host <mac address#3> any
 etc
 deny any any
and applied to the desired ports:
interface g1/0/18
 mac access-group lab in
As far as I can tell the acl has no effect in filtering mac addresses either to permit or deny. What am I missing?
08-23-2012 10:38 AM
Hi,
MAC ACL will only work for non IP traffic.
Regards.
Alain
Don't forget to rate helpful posts.
08-23-2012 11:38 AM
http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_m1.pdf
Yes I see that now. Thanks Alain
08-23-2012 11:47 AM
I looked at the command ref link you posted and I don't see it. Am I missing something? In fact, the mac access-list extended command has a protocol argument, and one of the valid values is ip.
08-23-2012 12:06 PM
Yes, I see where you mean. I believe the thing is that in the doc there is first a description of a MAC ACL <700-799>, which is available as an option on switches running in Layer 3 IP routing mode, followed by mac access-list extended, which for whatever reason will only filter non-IP traffic. My 3750 switch is running IP Base IOS code at Layer 2, and the only command option I'm seeing in that mode for MAC ACLs is mac access-list extended.
08-23-2012 12:10 PM
Hello,
The capability of MAC ACLs to filter IP traffic depends very strongly on the particular platform. The link Alain posted is taken from the general IOS documentation and not from the documentation related to a particular switch. However, if looking specifically at the 3750, these are the appropriate documents:
Both stress that MAC ACLs are for non-IPv4 traffic.
Best regards,
Peter
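As an added illustration of the point Peter and Alain make (this is example code written for this page, not Cisco's code and not from the original thread), the following Python model evaluates constructed Ethernet frames against the original poster's ACL the way the 3750 config guide describes a port MAC ACL being applied. The assumption built into it, and labelled in the code, is that only EtherType 0x0800 (IPv4) bypasses the MAC ACL entirely, while every other EtherType (ARP 0x0806, IPv6 0x86DD, and so on) is matched against the ACEs in order with an implicit deny at the end. The MAC addresses and frames are made up for the demonstration; what the model says about ARP and IPv6 should be verified on real hardware before relying on it.

```python
# Added example (not from the thread): a small Python model of how a Catalyst
# 3750 port MAC ACL is applied, as described in the config guide quoted above.
# Assumption made here: only EtherType 0x0800 (IPv4) bypasses the MAC ACL;
# every other EtherType (ARP 0x0806, IPv6 0x86DD, ...) is evaluated against
# the ACEs in order with an implicit deny at the end. Verify on real hardware.
import re
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD


@dataclass
class Ace:
    action: str  # "permit" or "deny"
    src: str     # "any" or a MAC in aabb.ccdd.eeff form
    dst: str


@dataclass
class Frame:
    src: str
    dst: str
    ethertype: int


def norm_mac(mac: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff / AA-BB-CC-DD-EE-FF / aabb.ccdd.eeff to aabb.ccdd.eeff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def _parse_addr(toks, i):
    """Parse one address spec ('any' or 'host H.H.H') starting at toks[i]."""
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return norm_mac(toks[i + 1]), i + 2
    raise ValueError(f"unsupported address spec: {' '.join(toks[i:])!r}")


def parse_mac_acl(text: str) -> list:
    """Parse the permit/deny lines of a 'mac access-list extended' into Ace objects."""
    aces = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!") or line.startswith("mac access-list"):
            continue
        toks = line.split()
        if toks[0] not in ("permit", "deny"):
            raise ValueError(f"unsupported ACE: {line!r}")
        src, i = _parse_addr(toks, 1)
        dst, _ = _parse_addr(toks, i)
        aces.append(Ace(toks[0], src, dst))
    return aces


def evaluate(aces, frame: Frame):
    """Return (decision, reason) for one inbound frame on a port with this MAC ACL."""
    if frame.ethertype == ETHERTYPE_IPV4:
        # The behaviour the thread is about: IPv4 is never matched by a MAC ACL here.
        return "permit", "IPv4 frame: MAC ACL not consulted"
    src = norm_mac(frame.src)
    dst = norm_mac(frame.dst)
    for n, ace in enumerate(aces, 1):
        if ace.src in ("any", src) and ace.dst in ("any", dst):
            return ace.action, f"matched ACE {n}: {ace.action} {ace.src} {ace.dst}"
    return "deny", "implicit deny at end of ACL"


# Constructed sample: the thread's ACL shape with two made-up lab host MACs.
SAMPLE_ACL = """
mac access-list extended lab
 permit host 0011.2233.4455 any
 permit host 0011.2233.4466 any
 deny any any
"""

BROADCAST = "ffff.ffff.ffff"
GATEWAY = "0000.0c07.ac01"  # made-up gateway MAC for the sample frames


def demo():
    """Evaluate a few constructed frames; returns {label: decision}."""
    aces = parse_mac_acl(SAMPLE_ACL)
    frames = {
        "ipv4 from unlisted mac": Frame("00de.adbe.ef00", GATEWAY, ETHERTYPE_IPV4),
        "arp from listed mac": Frame("0011.2233.4455", BROADCAST, ETHERTYPE_ARP),
        "arp from unlisted mac": Frame("00de.adbe.ef00", BROADCAST, ETHERTYPE_ARP),
        "ipv6 from unlisted mac": Frame("00de.adbe.ef00", GATEWAY, ETHERTYPE_IPV6),
    }
    results = {}
    for label, frame in frames.items():
        decision, reason = evaluate(aces, frame)
        results[label] = decision
        print(f"{label:24s} -> {decision:6s} ({reason})")
    return results


if __name__ == "__main__":
    demo()
```

Running it shows the symptom from the first post directly: an IPv4 frame from a MAC that is not in the list is permitted because the MAC ACL is never consulted for it, while the same unlisted MAC sending ARP or IPv6 hits the final deny. That is why a MAC ACL on this platform cannot replace port security for pinning IPv4 hosts to a group of ports.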
08-23-2012 12:16 PM
Ok, I see the first line in the config guide says "You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface" (does this imply you CAN filter IPv6?).
Thanks for the clarification Peter.
08-23-2012 12:21 PM
Hello,
You are welcome!
(does this imply you CAN filter IPv6?)
Yes, that is my understanding although I haven't tested it personally yet.
Best regards,
Peter