11-16-2009 10:38 PM - edited 03-06-2019 08:38 AM
Dear all,
I'm encompassed with doubt.
There are 2 switches, 3550 is a layer 2 switch, 3560 is a layer 3 switch, PC-1 and PC-2 are connected with 3550.
When I applied a MAC ACL on f0/28 of 3550, which is connected with PC-1, I found it didn't work.
mac access-list extended test
deny host abcd.abcd.abcd host 1234.1234.1234
permit any any
PC-1: abcd.abcd.abcd
PC-2: 1234.1234.1234
I pinged PC-2 from PC-1, and PC-2 replied.
But, when I cleared the ARP entry of PC-2 at 3560, then the ping process was interrupted. It seemed MAC ACL got to work.
Why did this happen? Please help me.
Thanks.
Wandering
11-17-2009 12:40 AM
Hello Wandering,
The reason is that on Catalyst 3550 series switches, the MAC ACL applies only to non-IP traffic. While I cannot fully explain what happened to your network as you are stating that you have cleared the ARP entry on the 3560 switch which appears somewhat strange to me, my first hint is that the MAC ACL did not prevent the IP packets from flowing through the port fa0/28 on your 3550. However, it did prevent non-IP traffic, such as ARP communication, from passing through that port. I suspect that in the meantime, while you were doing other experiments, the MAC address of PC1 has simply expired on PC2 from its ARP cache. After the PC2 sent the ARP Request, the PC1 tried to answer by sending the ARP Response but the MAC ACL blocked it. That is why the PCs could not communicate - not because all frames were dropped from PC1 but rather because the PC2 was unable to resolve the PC1's MAC address.
Note that on different Catalyst platforms, the MAC ACLs behave differently. On 2950, for example, they apply to any traffic. The 3550 uses MAC ACLs to filter only non-IP traffic. On 2960 and 3560, the manual also says that they apply only to non-IP traffic but they also allow you to specify the EtherType. I do not know right now what would happen if you had a MAC ACL in place that would match on the Ethertype 0x0800 (the IP).
Perhaps this helps a bit. In doubt, refer to the Command Reference for your particular IOS version.
Best regards,
Peter
11-17-2009 12:54 AM
Hi Peter,
Thank you very much, I totally agree with you.
Yes, the MAC ACL only prevents the ARP traffic, that's enough, although we can configure static arp pair on PCs to skip this setting.
There are still some doubts, such as why clearing ARP on core can affect layer 2 communication, and so on...
Thanks a lot.
Wandering
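To make Peter's explanation and Wandering's static-ARP remark concrete, here is a small constructed model (added for this page; it is not Cisco code and not anything posted in the thread). It assumes the ACL is applied inbound on f0/28 so only frames sent by PC-1 are evaluated, that frames from PC-2 enter on an unfiltered port, and that the 3560 plays no part. The "filters_ip" switch is an assumption used to contrast the 3550 behaviour (MAC ACL skips IP frames) with a platform such as the 2950 where the MAC ACL applies to every frame, as Peter describes.

```python
"""Constructed model of the thread's scenario: a MAC ACL on 3550 port f0/28
(inbound from PC-1) that filters only non-IP frames, and why a ping keeps
working until PC-2's ARP entry for PC-1 expires. Not vendor code."""
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ffff.ffff.ffff"
PC1 = "abcd.abcd.abcd"   # MAC addresses as given in the thread
PC2 = "1234.1234.1234"

# The ACL from the thread, as (action, source, destination) tuples.
TEST_ACL = [
    ("deny", PC1, PC2),
    ("permit", "any", "any"),
]


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str
    ethertype: int


@dataclass
class MacAcl:
    entries: list
    # False models the 3550 (MAC ACL ignores IP frames); True models a platform
    # such as the 2950 where the MAC ACL is applied to every frame (assumption).
    filters_ip: bool = False

    def permits(self, frame: Frame) -> bool:
        if frame.ethertype == ETHERTYPE_IPV4 and not self.filters_ip:
            return True  # IP traffic is never evaluated against the MAC ACL
        for action, src, dst in self.entries:
            if src in ("any", frame.src) and dst in ("any", frame.dst):
                return action == "permit"
        return False  # implicit deny at the end of every ACL


def ping(acl: MacAcl, pc2_knows_pc1: bool) -> tuple:
    """Simulate one ping from PC-1 to PC-2. Only frames entering f0/28 from
    PC-1 hit the ACL; frames from PC-2 arrive on another port and are not
    filtered. pc2_knows_pc1 is True while PC-2's ARP cache (dynamic or a
    static entry) still holds PC-1. Returns (reply_received, reason)."""
    # PC-1 resolves PC-2 first: its ARP request is a broadcast, so the
    # 'deny host PC1 host PC2' line does not match and 'permit any any' applies.
    arp_req = Frame(PC1, BROADCAST, ETHERTYPE_ARP)
    if not acl.permits(arp_req):
        return False, "PC-1's ARP request dropped"
    # PC-2's ARP reply enters the switch on PC-2's port: unfiltered.

    echo_req = Frame(PC1, PC2, ETHERTYPE_IPV4)
    if not acl.permits(echo_req):
        return False, "ICMP echo request dropped by MAC ACL"

    # PC-2 needs PC-1's MAC to send the echo reply. Its own ARP request is
    # unfiltered, but PC-1's unicast ARP reply enters f0/28 and is evaluated.
    if not pc2_knows_pc1:
        arp_reply = Frame(PC1, PC2, ETHERTYPE_ARP)
        if not acl.permits(arp_reply):
            return False, "PC-1's ARP reply dropped; PC-2 cannot resolve PC-1"
    return True, "echo reply received"


if __name__ == "__main__":
    cat3550 = MacAcl(TEST_ACL)
    print("3550, PC-2 ARP entry cached :", ping(cat3550, True))
    print("3550, PC-2 ARP entry expired:", ping(cat3550, False))
    print("3550, static ARP on PC-2    :", ping(cat3550, True))
    print("MAC ACL applied to all frames:", ping(MacAcl(TEST_ACL, filters_ip=True), True))
```

Running it shows the sequence from the thread: the ping succeeds while PC-2 still has PC-1 in its ARP cache, fails as soon as that entry expires (PC-1's unicast ARP reply is the first frame the deny line actually matches), and keeps working indefinitely if PC-2 holds a static entry for PC-1. With the ACL applied to every frame, the echo request itself is dropped on the first packet.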
11-17-2009 02:01 AM
Hello Wandering,
You are welcome. In my opinion, clearing the ARP cache on the core switch did not affect anything in your case. It probably just coincided with the flushing of ARP cache on PC2 - they just happened to occur simultaneously. Give it another try :)
Best regards,
Peter
11-19-2009 09:11 PM
Hi Peter,
You are right. And I can't replay the issue again.
The MAC ACL gets to work after clearing the ARP cache on PC-2.
Thanks
Wandering