mac based acl not working

tonychayans (Level 1)

Hi,

I created a MAC-based ACL and applied it to ports of a Catalyst 3750, but anyone not in the ACL below is also working and can get network access.

Any idea what the issue is?

Extended MAC access list Test

    permit 001b.4f6f.0000 0000.0000.ffff any
    permit b4b0.1790.0000 0000.0000.ffff any
    permit b4b0.1792.0000 0000.0000.ffff any
    permit b4b0.1793.0000 0000.0000.ffff any

int fa 1/0/48

mac access-group test

Thanks

Tony

9 Replies

Antonio Knox (Level 7)

How many paths are available on this switch? Are you certain that the traffic that you are attempting to filter is crossing this link (Gi1/0/48)?

Check spanning tree to ensure that the traffic that you applied this ACL to is actually where the traffic flows.

Please rate helpful posts.

Hi,

This fa 1/0/48 is a user port.

I am applying this ACL so no one other than the MACs listed can access the network via the port.

Thanks

Just to check this is not something really silly (because it should be by default), can you use the "in" at the end of the mac access-group statement like this:

mac access-group

Use the mac access-group interface configuration command on the switch stack or on a standalone switch to apply a MAC access control list (ACL) to a Layer 2 interface. Use the no form of this command to remove all MAC ACLs or the specified MAC ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.

mac access-group {name} in

no mac access-group {name}

Regards,

Ian

Hi,

I did that.

I think it works to some extent.

The problem I see is that if a MAC that was already permitted in the ACL is removed, that MAC continues to work if plugged in again until I clear the MAC table.

You should only need to clear the specific MAC in question (i.e. not all MACs).

You might also want to take a look at port security:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/swtrafc.html#wp1038501

As for clearing MACs... you might be able to use some script in PHP or Perl or Expect where you can enter the MAC address and it automatically connects to the switch and deletes it. It shouldn't be that hard to do if you have some scripting knowledge.

HTH,

Ian

Thanks Ian... Yes, we don't need to clear all MAC entries.

Port security will work for most of the ports, but the issue is that some users roam around (conference rooms etc.) and hence an ACL is a better option.

Lastly, scripting is good, but no one knows scripting here.

Then you will have to either:

1. Learn (scripting and linux + apache & php are always a good mix).

2. Increase your administrative duties (the least expensive way - always a good one for the boss).

or

3. Employ me (I'm on the dole) hehe

Regards,

Ian

Why not just configure secure mac addresses via port security?

int fa1/0/48

switchport port-security maximum 4

switchport port-security mac 001b.4f6f.0000

switchport port-security mac b4b0.1790.0000

switchport port-security mac b4b0.1792.0000

switchport port-security mac b4b0.1793.0000

switchport port-security violation shutdown

This could be a solution.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/port_sec.pdf

Please rate if helpful.


andtoth (Level 4)

Hi Tony,

Please note that a MAC access-list will only match non-IP traffic, such as ARP. It will block ARP packets, and therefore will block subsequent communications, but with a static ARP entry in place, IP packets like ping will go through. So most likely pings were successful even after 'mac access-group' was applied because the ARP entry was complete and the server did not generate an ARP request until the ARP entry was cleared due to timers; therefore there would be a delay in the effectiveness of this MAC ACL.

Please refer to the Creating Named MAC Extended ACLs and Applying a MAC ACL to a Layer 2 Interface sections on the following link for more information:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swacl.html#wp1289037

With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.

The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

As a workaround, you can apply both a MAC ACL to the L2 access ports (to filter ARP) and an IP ACL to the Vlan interface (to filter IP packets).

Best regards,

Andras
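To make the two points in this thread concrete (the wildcard-mask semantics of the ACL in the original question, and Andras's point that the port MAC ACL is consulted only for non-IP frames), here is an added Python model of how such a port evaluates frames. It is example code written for this thread, not Cisco's implementation; the ACL text is the one posted above, the sample MAC addresses and EtherType values used as test input are constructed, and the "IPv4 frames bypass the MAC ACL" rule is taken from the behaviour Andras describes rather than from any switch.

```python
# Model of a Catalyst 3750 port MAC ACL, as described in this thread.
# Added example: not Cisco code. Wildcard semantics follow Cisco's rule
# that a 1 bit in the wildcard means "don't care" for that bit.
from dataclasses import dataclass
from typing import List

ETHERTYPE_IPV4 = 0x0800  # IPv4 frames: handled by an IP ACL, not the MAC ACL
ETHERTYPE_ARP = 0x0806   # ARP is non-IP, so the MAC ACL applies
MAC_BITS = 0xFFFFFFFFFFFF

# The ACL exactly as posted in the original question (constructed copy).
ACL_TEXT = """
Extended MAC access list Test
    permit 001b.4f6f.0000 0000.0000.ffff any
    permit b4b0.1790.0000 0000.0000.ffff any
    permit b4b0.1792.0000 0000.0000.ffff any
    permit b4b0.1793.0000 0000.0000.ffff any
"""


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex (b4b0.1790.0000), colon or dash notation into an int."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


@dataclass(frozen=True)
class MacAce:
    action: str      # "permit" or "deny"
    src: int         # source MAC from the entry
    src_wild: int    # wildcard mask: 1 bits are ignored when matching
    dst_any: bool    # True when the destination field is "any"

    def matches(self, src_mac: int) -> bool:
        """Compare only the bits the wildcard leaves as 0."""
        care = ~self.src_wild & MAC_BITS
        return (src_mac & care) == (self.src & care)


def parse_mac_acl(text: str) -> List[MacAce]:
    """Parse 'permit|deny <src> <wildcard> <dst>' lines; header lines are skipped."""
    aces = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("permit", "deny"):
            continue
        action, src, wild, dst = parts[:4]
        aces.append(MacAce(action, mac_to_int(src), mac_to_int(wild), dst == "any"))
    return aces


def mac_acl_decision(aces: List[MacAce], src_mac: str) -> str:
    """First-match evaluation, with the implicit deny every ACL ends in."""
    value = mac_to_int(src_mac)
    for ace in aces:
        if ace.matches(value):
            return ace.action
    return "deny"


def port_forwards(aces: List[MacAce], src_mac: str, ethertype: int) -> bool:
    """Does the port forward this frame when only a MAC ACL is applied?

    Per the thread, IPv4 frames are not subject to the MAC ACL (an IP ACL would
    be needed for them), so with no IP ACL applied they pass regardless of MAC.
    """
    if ethertype == ETHERTYPE_IPV4:
        return True
    return mac_acl_decision(aces, src_mac) == "permit"


def addresses_covered(ace: MacAce) -> int:
    """How many source MACs one entry matches: 2 ** (number of 1 bits in the wildcard)."""
    return 1 << bin(ace.src_wild).count("1")


if __name__ == "__main__":
    acl = parse_mac_acl(ACL_TEXT)
    for mac in ("b4b0.1790.abcd", "b4b0.1791.0000", "aaaa.bbbb.cccc"):
        print(mac, "ARP:", port_forwards(acl, mac, ETHERTYPE_ARP),
              "IPv4:", port_forwards(acl, mac, ETHERTYPE_IPV4))
    print("MACs covered by first entry:", addresses_covered(acl[0]))
```

Two things worth reading off the output: each entry with wildcard 0000.0000.ffff permits every address sharing its first 32 bits (65536 MACs per line), and an IPv4 frame from a MAC that the ACL would deny is still forwarded, which is the behaviour behind the "pings still work until the ARP cache expires" observation; an IP ACL on the VLAN interface is what closes that path.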
