cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3698
Views
0
Helpful
9
Replies
Beginner

mac based acl not working

Hi,

I created a mac based acl and applied to ports of  catalysts 3750 but any one not in this ACL below is also working and can get network access

Any idea what the issue is?

Extended MAC access list Test

    permit 001b.4f6f.0000 0000.0000.ffff any
    permit b4b0.1790.0000 0000.0000.ffff any
    permit b4b0.1792.0000 0000.0000.ffff any
    permit b4b0.1793.0000 0000.0000.ffff any

int fa 1/0/48

mac access-group test

Thanks

Tony

Everyone's tags (6)
9 REPLIES 9
Highlighted
Rising star

Re: mac based acl not working

How many paths are available on this switch?  Are you certain that the traffic that you are attempting to filter are crossing this link (Gi1/0/48)?

Check spanning tree to ensure that the traffic that you applied this ACL to is actually where the traffic flows.

Please rate helpful posts.

Highlighted
Beginner

Re: mac based acl not working

Hi,

This fa 1/0/48 is a user port

I am applying this acl so no one other than the mac's listed can acces the network via the port

Thanks

Highlighted
Enthusiast

Re: mac based acl not working

Just to check this is not something really silly (because it should be by default), can you use the "in" at the end of the mac access-group statement like this:

mac access-group

Use the mac access-group interface configuration command on the switch stack or on a standalone switch to apply a MAC access control list (ACL) to a Layer 2 interface. Use the no form of this command to remove all MAC ACLs or the specified MAC ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.

mac access-group {name} in

no mac access-group {name}

Regards,

Ian

Highlighted
Beginner

Re: mac based acl not working

Hi,

I did that.

I think it works to some extend

The problem I see is if a mac that was already permitted in the acl is removed that mac continues to work if plugged in again untill I clear the mac table

Highlighted
Enthusiast

Re: mac based acl not working

You should only need to clear the specific mac in question (i.e. not all macs).

You might also want to take a look at port security:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1038501

As for clearing macs...you might be able to use some script in PHP or PERL or EXPECT where you can enter the mac address and it automatically connects to the switch and deletes it. It shouldn't be that hard to do if you have some scripting knowledge.

HTH,

Ian

Highlighted
Beginner

Re: mac based acl not working

Thanks Ian...Yes..we dont need to clear all mac entries

Port security will work for most of the ports,but issue is that some users roam around (conference rooms etc) and hence ACL is a better option

Lastly scripting is good,but no one know scripting here

Highlighted
Enthusiast

Re: mac based acl not working

Then you will have to either:

1. Learn (scripting and linux + apache & php are always a good mix).

2. Increase your administrative duties (the least expensive way - always a good one for the boss).

or

3. Employ me (I'm on the dole ) hehe

Regards,

Ian

Highlighted
Rising star

Re: mac based acl not working

Why not just configure secure mac addresses via port security?

int fa1/0/48

switchport port-security maximum 4

switchport port-security mac 001b.4f6f.0000

switchport port-security mac b4b0.1790.0000

switchport port-security mac b4b0.1792.0000

switchport port-security mac b4b0.1793.0000

switchport port-security violation shutdown

This could be a solution.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.pdf

Please rate if helpful.

Message was edited by: Antonio Knox

Highlighted
Enthusiast

Re: mac based acl not working

Hi Tony,

Please note that MAC access-list will only match non-IP traffic, such as ARP. It will block ARP packets, therefore will block subsequent communications but with a static ARP entry in place, IP packets like ping will go through. So most likely pings were successful even after 'mac access-group' was applied because the ARP entry was complete and the server did not generate an ARP request until the arp entry was cleared due to timers, so therefore there would be a delay on the effectiveness of this MAC ACL.

Please refer to the Creating Named MAC Extended ACLs and Applying a MAC ACL to a Layer 2 Interface sections on the following link for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swacl.html#wp1289037

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

As a workaround, you can apply both a MAC ACL to the L2 access ports (to filter ARP) and an IP ACL to the Vlan interface (to filter IP packets).

Best regards,

Andras

CreatePlease to create content
Content for Community-Ad