mac acl

wandering_997
Level 1

Dear all,

I'm encompassed with doubt.

There are 2 switches, 3550 is a layer 2 switch, 3560 is a layer 3 switch, PC-1 and PC-2 are connected with 3550.

When I applied a MAC ACL on f0/28 of 3550, which is connected with PC-1, I found it didn't work.

mac access-list extended test

deny host abcd.abcd.abcd host 1234.1234.1234

permit any any

PC-1: abcd.abcd.abcd

PC-2: 1234.1234.1234

I pinged PC-2 from PC-1, and PC-2 replied.

But, when I cleared the ARP entry of PC-2 at 3560, then the ping process was interrupted. It seemed MAC ACL got to work.

Why did this happen? Please help me.

Thanks.

Wandering

4 Replies

Peter Paluch
Cisco Employee

Hello Wandering,

The reason is that on Catalyst 3550 series switches, the MAC ACL applies only to non-IP traffic. While I cannot fully explain what happened to your network as you are stating that you have cleared the ARP entry on the 3560 switch which appears somewhat strange to me, my first hint is that the MAC ACL did not prevent the IP packets from flowing through the port fa0/28 on your 3550. However, it did prevent non-IP traffic, such as ARP communication, from passing through that port. I suspect that in the meantime, while you were doing other experiments, the MAC address of PC1 has simply expired on PC2 from its ARP cache. After the PC2 sent the ARP Request, the PC1 tried to answer by sending the ARP Response but the MAC ACL blocked it. That is why the PCs could not communicate - not because all frames were dropped from PC1 but rather because the PC2 was unable to resolve the PC1's MAC address.

Note that on different Catalyst platforms, the MAC ACLs behave differently. On 2950, for example, they apply to any traffic. The 3550 uses MAC ACLs to filter only non-IP traffic. On 2960 and 3560, the manual also says that they apply only to non-IP traffic but they also allow you to specify the EtherType. I do not know right now what would happen if you had a MAC ACL in place that would match on the Ethertype 0x0800 (the IP).

Perhaps this helps a bit. In doubt, refer to the Command Reference for your particular IOS version.

Best regards,

Peter

Hi Peter,

Thank you very much, I totally agree with you.

Yes, the MAC ACL only prevents the ARP traffic, that's enough, although we can configure a static ARP pair on PCs to skip this setting.

There are still some doubts, such as why clearing ARP on core can affect layer 2 communication, and so on...

Thanks a lot.

Wandering
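The two behaviours discussed above (Peter's explanation that the 3550 MAC ACL filters only non-IP frames, so IP keeps flowing until PC-2's ARP entry for PC-1 ages out and PC-1's ARP reply is dropped, and Wandering's remark that a static ARP entry on the PC sidesteps it) can be modelled in a few dozen lines. The following is an added example written for this thread, not code from the thread, from Cisco, or from any IOS image: the `Host`, `Switch3550` and `MacAcl3550` classes, the one-ping-per-tick timing and the ARP cache TTL are all constructed assumptions; only the two MAC addresses and the ACL entries come from the original post.

```python
"""Toy model of the 3550 MAC ACL behaviour described in the thread.

Assumptions (not from Cisco documentation): IP (0x0800) frames bypass the
MAC ACL entirely; every other EtherType is evaluated against the entries with
an implicit deny at the end; the ACL sits inbound on f0/28, so only frames
PC-1 sends are filtered. Timings are abstract "ticks".
"""

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ffff.ffff.ffff"
PC1_MAC = "abcd.abcd.abcd"   # from the thread
PC2_MAC = "1234.1234.1234"   # from the thread


class Frame:
    def __init__(self, src, dst, ethertype):
        self.src, self.dst, self.ethertype = src, dst, ethertype


class MacAclEntry:
    def __init__(self, action, src, dst):
        self.action, self.src, self.dst = action, src, dst   # src/dst: MAC or "any"

    def matches(self, f):
        return self.src in ("any", f.src) and self.dst in ("any", f.dst)


class MacAcl3550:
    """Consulted only for non-IP frames, as Peter describes for the 3550."""

    def __init__(self, entries):
        self.entries = list(entries)

    def permits(self, f):
        if f.ethertype == ETHERTYPE_IP:
            return True                       # assumption: IP is never filtered here
        for e in self.entries:
            if e.matches(f):
                return e.action == "permit"
        return False                          # implicit deny


class Host:
    def __init__(self, name, mac, arp_ttl):
        self.name, self.mac, self.arp_ttl = name, mac, arp_ttl
        self.arp = {}                         # peer name -> (mac, expiry tick or None if static)

    def lookup(self, peer, now):
        entry = self.arp.get(peer)
        if entry is None:
            return None
        mac, expiry = entry
        if expiry is not None and now >= expiry:
            del self.arp[peer]                # dynamic entry aged out
            return None
        return mac

    def learn(self, peer, mac, now, static=False):
        self.arp[peer] = (mac, None if static else now + self.arp_ttl)


class Switch3550:
    def __init__(self, acl_on_pc1_port):
        self.acl = acl_on_pc1_port

    def deliver(self, sender, frame):
        # The ACL is inbound on f0/28 (PC-1's port); PC-2's port has no ACL.
        return self.acl.permits(frame) if sender.name == "PC-1" else True


def resolve(sw, requester, target, now):
    """ARP: broadcast request from requester, unicast reply from target."""
    mac = requester.lookup(target.name, now)
    if mac:
        return mac
    if not sw.deliver(requester, Frame(requester.mac, BROADCAST, ETHERTYPE_ARP)):
        return None
    if not sw.deliver(target, Frame(target.mac, requester.mac, ETHERTYPE_ARP)):
        return None                           # this is where PC-1's reply to PC-2 dies
    requester.learn(target.name, target.mac, now)
    return target.mac


def ping(sw, src, dst, now):
    """Echo request src->dst and echo reply dst->src; each side must resolve the other."""
    dst_mac = resolve(sw, src, dst, now)
    if dst_mac is None or not sw.deliver(src, Frame(src.mac, dst_mac, ETHERTYPE_IP)):
        return False
    src_mac = resolve(sw, dst, src, now)
    return src_mac is not None and sw.deliver(dst, Frame(dst.mac, src_mac, ETHERTYPE_IP))


def build_acl():
    # mac access-list extended test (from the thread)
    return MacAcl3550([MacAclEntry("deny", PC1_MAC, PC2_MAC),
                       MacAclEntry("permit", "any", "any")])


def simulate(ticks=6, arp_ttl=3, static_on_pc2=False):
    """One ping per tick from PC-1 to PC-2; both ARP caches are warm at tick 0."""
    sw = Switch3550(build_acl())
    pc1, pc2 = Host("PC-1", PC1_MAC, arp_ttl), Host("PC-2", PC2_MAC, arp_ttl)
    pc1.learn("PC-2", PC2_MAC, 0)
    pc2.learn("PC-1", PC1_MAC, 0, static=static_on_pc2)
    return [ping(sw, pc1, pc2, t) for t in range(ticks)]


if __name__ == "__main__":
    print("dynamic ARP on PC-2:", simulate())
    print("static ARP on PC-2: ", simulate(static_on_pc2=True))
```

Running it shows pings succeeding while PC-2's cached entry for PC-1 is still valid and failing from the tick it expires, because PC-1's unicast ARP reply (non-IP, src PC-1, dst PC-2) is the only frame the ACL actually denies; PC-1 can still resolve PC-2, since its ARP request is a broadcast and matches `permit any any`. With a static entry on PC-2 the pings never stop, which is the workaround Wandering mentions.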

Hello Wandering,

You are welcome. In my opinion, clearing the ARP cache on the core switch did not affect anything in your case. It probably just coincided with the flushing of ARP cache on PC2 - they just happened to occur simultaneously. Give it another try :)

Best regards,

Peter

Hi Peter,

You are right. And I can't replay the issue again.

The MAC ACL gets to work after clearing the ARP cache on PC-2.

Thanks

Wandering
