mac based acl not working


I created a MAC-based ACL and applied it to ports of a Catalyst 3750, but anyone not in the ACL below is also working and can get network access.

Any idea what the issue is?

Extended MAC access list Test

    permit 001b.4f6f.0000 0000.0000.ffff any
    permit b4b0.1790.0000 0000.0000.ffff any
    permit b4b0.1792.0000 0000.0000.ffff any
    permit b4b0.1793.0000 0000.0000.ffff any

int fa 1/0/48

mac access-group test



Antonio Knox

How many paths are available on this switch? Are you certain that the traffic you are attempting to filter is crossing this link (Gi1/0/48)?

Check spanning tree to ensure that the traffic that you applied this ACL to is actually where the traffic flows.

Please rate helpful posts.


This fa 1/0/48 is a user port.

I am applying this ACL so that no one other than the MACs listed can access the network via the port.


Just to check this is not something really silly (because it should be the default), can you use "in" at the end of the mac access-group statement, like this:

mac access-group

Use the mac access-group interface configuration command on the switch stack or on a standalone switch to apply a MAC access control list (ACL) to a Layer 2 interface. Use the no form of this command to remove all MAC ACLs or the specified MAC ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.

mac access-group {name} in

no mac access-group {name}




I did that.

I think it works to some extent.

The problem I see is that if a MAC that was already permitted in the ACL is removed, that MAC continues to work if plugged in again until I clear the MAC table.

You should only need to clear the specific mac in question (i.e. not all macs).

You might also want to take a look at port security:

As for clearing, you might be able to use a script in PHP, Perl or Expect where you enter the MAC address and it automatically connects to the switch and deletes it. It shouldn't be that hard to do if you have some scripting knowledge.
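One shape such a script could take, added here as an example rather than anything posted in the thread. It builds the two IOS commands that drop a single dynamically learned entry (`clear mac address-table dynamic address H.H.H`) and then shows what the table still holds for that address, and it validates the operator-supplied MAC first so that nothing but one address can reach the switch CLI. The transport (`send`) is assumed: plug in whatever SSH or Expect session wrapper you have; the block itself uses a constructed stand-in that only records the commands, so it runs offline.

```python
import re
from typing import Callable, List

# Accepted spellings: 001b.4f6f.1234, 00:1b:4f:6f:12:34, 00-1b-4f-6f-12-34, 001b4f6f1234.
_DOTTED = re.compile(r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}")
_PAIRS = re.compile(r"[0-9a-fA-F]{2}(?:[:-]?[0-9a-fA-F]{2}){5}")


def to_cisco_mac(mac: str) -> str:
    """Return the address in IOS dotted form (aabb.ccdd.eeff) or raise ValueError.

    fullmatch() is deliberate: anything that is not exactly one MAC address
    (an embedded newline, a '?', a second command) is rejected before it can
    be pasted into a privileged CLI session.
    """
    mac = mac.strip()
    if _DOTTED.fullmatch(mac):
        digits = mac.replace(".", "")
    elif _PAIRS.fullmatch(mac):
        digits = re.sub(r"[:-]", "", mac)
    else:
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def clear_mac_commands(mac: str) -> List[str]:
    """IOS commands: remove one dynamic entry, then show what remains for it."""
    cisco_mac = to_cisco_mac(mac)
    return [
        f"clear mac address-table dynamic address {cisco_mac}",
        f"show mac address-table address {cisco_mac}",
    ]


def clear_mac_on_switch(send: Callable[[str], str], mac: str) -> List[str]:
    """Run the commands through `send`, a caller-supplied transport (assumed:
    a thin wrapper around an already-authenticated SSH or Expect session that
    takes one command line and returns the switch output)."""
    return [send(cmd) for cmd in clear_mac_commands(mac)]


if __name__ == "__main__":
    # Constructed stand-in for the switch session: records instead of sending.
    sent: List[str] = []

    def fake_send(cmd: str) -> str:
        sent.append(cmd)
        return ""

    clear_mac_on_switch(fake_send, "B4:B0:17:90:12:34")
    print("\n".join(sent))
```

Validation before command construction is the point of the example: a helpdesk form that passes the MAC straight into an f-string would let `b4b0.1790.1234\nreload` become a second command. Run the real transport under a restricted-privilege account that is only allowed the `clear mac address-table` and `show mac address-table` commands (privilege level or TACACS+ command authorization) so the script cannot be turned into a general-purpose console.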



Thanks Ian. Yes, we don't need to clear all MAC entries.

Port security will work for most of the ports, but the issue is that some users roam around (conference rooms etc.), and hence an ACL is a better option.

Lastly, scripting is good, but no one knows scripting here.

Then you will have to either:

1. Learn (scripting and Linux + Apache & PHP are always a good mix).

2. Increase your administrative duties (the least expensive way - always a good one for the boss).


3. Employ me (I'm on the dole) hehe



Why not just configure secure MAC addresses via port security?

int fa1/0/48

 switchport mode access

 ! port security must be enabled on the port; the mac-address entries alone do not turn it on

 switchport port-security

 switchport port-security maximum 4

 ! port security needs the full 48-bit address of each host; the values below are the prefixes from the ACL above

 switchport port-security mac-address 001b.4f6f.0000

 switchport port-security mac-address b4b0.1790.0000

 switchport port-security mac-address b4b0.1792.0000

 switchport port-security mac-address b4b0.1793.0000

 switchport port-security violation shutdown

This could be a solution.

Please rate if helpful.



Hi Tony,

Please note that a MAC access list will only match non-IP traffic, such as ARP. It will block ARP packets and therefore subsequent communications, but with a static ARP entry in place, IP packets such as pings will go through. So most likely pings were successful even after 'mac access-group' was applied because the ARP entry was complete and the server did not generate an ARP request until the ARP entry was cleared by its timer; therefore there would be a delay before this MAC ACL took effect.

Please refer to the Creating Named MAC Extended ACLs and Applying a MAC ACL to a Layer 2 Interface sections on the following link for more information:

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

As a workaround, you can apply both a MAC ACL on the L2 access ports (to filter ARP) and an IP ACL on the VLAN interface (to filter IP packets).

Best regards,
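The evaluation the reply above describes, as an added example that is not part of the thread: a small Python model of how the port ACL treats the ACL from the first post. The wildcard mask follows the IOS convention (1 bits in the mask are "don't care", so `b4b0.1790.0000 0000.0000.ffff` matches any address starting with b4b0.1790), the first matching entry wins, and an ACL ends with an implicit deny. The rule that the MAC ACL is consulted only for non-IP frames is the one the reply and the quoted documentation state; the frames in `walk_through()` are constructed. The model is for reading the ACL, not a substitute for testing on the switch.

```python
from dataclasses import dataclass
from typing import Dict, List

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MAC_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """aabb.ccdd.eeff -> 48-bit integer."""
    return int(mac.replace(".", ""), 16)


@dataclass(frozen=True)
class MacAce:
    action: str     # "permit" or "deny"
    src: str        # source MAC, IOS dotted form
    wildcard: str   # wildcard mask: 1 bits are "don't care", as in IP ACLs


def ace_matches(ace: MacAce, src_mac: str) -> bool:
    """Compare only the bits the wildcard mask says to care about."""
    care = ~mac_to_int(ace.wildcard) & MAC_BITS
    return (mac_to_int(src_mac) & care) == (mac_to_int(ace.src) & care)


def mac_acl_decision(acl: List[MacAce], src_mac: str) -> str:
    """First matching entry wins; every ACL ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, src_mac):
            return ace.action
    return "deny"


def port_acl_decision(mac_acl: List[MacAce], src_mac: str, ethertype: int) -> str:
    """Port-ACL behaviour from the thread: the MAC ACL is consulted only for
    non-IP frames. With no IP ACL applied, IP packets are forwarded untouched."""
    if ethertype == ETHERTYPE_IPV4:
        return "permit"
    return mac_acl_decision(mac_acl, src_mac)


# The four permit entries from the first post, as a constructed input.
TEST_ACL = [
    MacAce("permit", "001b.4f6f.0000", "0000.0000.ffff"),
    MacAce("permit", "b4b0.1790.0000", "0000.0000.ffff"),
    MacAce("permit", "b4b0.1792.0000", "0000.0000.ffff"),
    MacAce("permit", "b4b0.1793.0000", "0000.0000.ffff"),
]


def walk_through() -> Dict[str, str]:
    """Constructed frames: a listed host, and an unlisted host sending ARP, then IP."""
    return {
        "listed host, ARP": port_acl_decision(TEST_ACL, "b4b0.1790.1234", ETHERTYPE_ARP),
        "unlisted host, ARP": port_acl_decision(TEST_ACL, "b4b0.1791.1234", ETHERTYPE_ARP),
        "unlisted host, IPv4": port_acl_decision(TEST_ACL, "b4b0.1791.1234", ETHERTYPE_IPV4),
    }


if __name__ == "__main__":
    for frame, verdict in walk_through().items():
        print(f"{frame:22s} -> {verdict}")
```

The third line of `walk_through()` is the symptom from the first post: an unlisted host's ARP is dropped, but as long as its neighbours still hold an ARP entry for it (static, or not yet expired), its IP packets are not looked at by the MAC ACL at all. That is also why removing a previously permitted host only "takes" once the switch's MAC table entry and the peers' ARP entries have aged out or been cleared.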