Re: MAC ACL on PortChannel

ifabrizio · ‎04-05-2024

Dear All,

I am trying to configure an MAC ACL on a switch 4500(sup8) and apply it on a Portchannel that is connected to WLC.

I have configured the MAC ACL:

Extended MAC access list AIROSAPDENY
deny host 309c.245.67a4 any
deny any any (18 matches)

and apply it to the portchannel:

interface Port-channel1
description wlc01_9800_primary
switchport
switchport trunk allowed vlan 1-274,277,279,280,282-4094
switchport trunk native vlan 111
switchport mode trunk
switchport nonegotiate
ip arp inspection trust
mac access-group AIROSAPDENY in

But when I try to ping the WLC from the test PC with MAC 309c.245.67a4, it continue to reach the WLC.

Can you help me to understand why?

Bye,

JF

MHM Cisco World · ‎04-05-2024

I think there is restriction of using MAC ACL under port-channel.

If you can try same MAC ACL in any other l2 port and test again

MHM

ifabrizio · ‎04-05-2024

Hi MHM,

I have tryed to apply the MAC ACL to the PortChannel and also on its ports members, but the ACL continue to do not filter the pc mac.

Ok It seems a Portchannel limitation as you said. So How I can apply an ACL on a Portchannel? I need it to prevent Aps to join to the WLC.

Bye,

JF

MHM Cisco World · ‎04-05-2024

what is WLC you use ?

MHM

ifabrizio · ‎04-07-2024

I use a Cisco 9800, I am in the middle of WLC migration from older 5508.