05-04-2011 07:36 AM - edited 03-06-2019 04:53 PM
Hi,
I created a MAC-based ACL and applied it to ports of a Catalyst 3750, but anyone not in the ACL below is also working and can get network access.
Any idea what the issue is?
Extended MAC access list Test
permit 001b.4f6f.0000 0000.0000.ffff any
permit b4b0.1790.0000 0000.0000.ffff any
permit b4b0.1792.0000 0000.0000.ffff any
permit b4b0.1793.0000 0000.0000.ffff any
int fa 1/0/48
mac access-group test
Thanks
Tony
05-04-2011 08:09 AM
How many paths are available on this switch? Are you certain that the traffic you are attempting to filter is crossing this link (Gi1/0/48)?
Check spanning tree to ensure that the traffic that you applied this ACL to is actually where the traffic flows.
Please rate helpful posts.
05-04-2011 09:05 AM
Hi,
This fa 1/0/48 is a user port.
I am applying this ACL so no one other than the MACs listed can access the network via the port.
Thanks
05-04-2011 09:34 AM
Just to check this is not something really silly (because it should be by default), can you use the "in" at the end of the mac access-group statement like this:
Use the mac access-group interface configuration command on the switch stack or on a standalone switch to apply a MAC access control list (ACL) to a Layer 2 interface. Use the no form of this command to remove all MAC ACLs or the specified MAC ACL from the interface. You create the MAC ACL by using the mac access-list extended global configuration command.
mac access-group {name} in
no mac access-group {name}
Regards,
Ian
05-04-2011 09:37 AM
Hi,
I did that.
I think it works to some extent.
The problem I see is that if a MAC that was already permitted in the ACL is removed, that MAC continues to work if plugged in again until I clear the MAC table.
05-04-2011 09:58 AM
You should only need to clear the specific MAC in question (i.e. not all MACs).
You might also want to take a look at port security:
As for clearing MACs... you might be able to use some script in PHP, Perl or Expect where you can enter the MAC address and it automatically connects to the switch and deletes it. It shouldn't be that hard to do if you have some scripting knowledge.
HTH,
Ian
05-04-2011 10:06 AM
Thanks Ian... Yes, we don't need to clear all MAC entries.
Port security will work for most of the ports, but the issue is that some users roam around (conference rooms etc.) and hence an ACL is a better option.
Lastly, scripting is good, but no one knows scripting here.
05-04-2011 10:30 AM
Then you will have to either:
1. Learn (scripting and linux + apache & php are always a good mix).
2. Increase your administrative duties (the least expensive way - always a good one for the boss).
or
3. Employ me (I'm on the dole) hehe
Regards,
Ian
05-04-2011 11:54 AM
Why not just configure secure mac addresses via port security?
int fa1/0/48
switchport port-security maximum 4
switchport port-security mac-address 001b.4f6f.0000
switchport port-security mac-address b4b0.1790.0000
switchport port-security mac-address b4b0.1792.0000
switchport port-security mac-address b4b0.1793.0000
switchport port-security violation shutdown
This could be a solution.
Please rate if helpful.
Message was edited by: Antonio Knox
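The following is an added example, not part of the thread or of any Cisco software: a small simulation of the port-security configuration posted above, written to show what "maximum 4" plus four static secure MACs and "violation shutdown" actually does to the port when a fifth, unknown MAC appears. The MAC addresses are the ones in the post, and the unknown MAC is a constructed sample value. The behaviour modelled (unknown MAC once the secure table is full counts as a violation; shutdown mode err-disables the port so even the legitimate users lose connectivity until it is reset) is the documented Catalyst behaviour as I understand it, stated here as an assumption of the model.

```python
"""Simulation of Catalyst port-security behaviour (added example, not from the thread).

Models three things from the configuration in the post above:
  * static secure MAC addresses ('switchport port-security mac-address ...')
  * the secure-address limit ('switchport port-security maximum 4')
  * violation mode 'shutdown', which err-disables the port on a violation
Assumption: a frame from an unknown source MAC once the secure table is full is a
violation; in shutdown mode the port is err-disabled and nothing passes afterwards.
"""
from dataclasses import dataclass, field


def norm(mac: str) -> str:
    """Normalise 'b4b0.1790.0000' or 'B4:B0:17:90:00:00' to 12 lowercase hex digits."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return digits


@dataclass
class PortSecurity:
    maximum: int
    violation: str = "shutdown"                # shutdown | restrict | protect
    secure: set = field(default_factory=set)   # static + dynamically learned MACs
    err_disabled: bool = False
    violations: int = 0

    def add_static(self, mac: str) -> None:
        """Configure a static secure MAC (counts against 'maximum')."""
        if len(self.secure) >= self.maximum:
            raise ValueError("secure table full; raise 'maximum' first")
        self.secure.add(norm(mac))

    def ingress(self, src_mac: str) -> bool:
        """Return True if a frame with this source MAC is forwarded."""
        if self.err_disabled:
            return False                       # port is down for everyone
        mac = norm(src_mac)
        if mac in self.secure:
            return True
        if len(self.secure) < self.maximum:
            self.secure.add(mac)               # free slot: learn it dynamically
            return True
        self.violations += 1
        if self.violation == "shutdown":
            self.err_disabled = True           # port goes err-disabled
        return False                           # restrict/protect only drop the frame


def build_fa1_0_48() -> PortSecurity:
    """The port-security configuration from the post above."""
    ps = PortSecurity(maximum=4, violation="shutdown")
    for mac in ("001b.4f6f.0000", "b4b0.1790.0000", "b4b0.1792.0000", "b4b0.1793.0000"):
        ps.add_static(mac)
    return ps


def demo():
    """Permitted MAC, then an unknown (constructed) MAC, then the permitted MAC again."""
    ps = build_fa1_0_48()
    results = [
        ps.ingress("b4b0.1790.0000"),   # static secure MAC: forwarded
        ps.ingress("0011.2233.4455"),   # constructed unknown MAC: violation, port shut
        ps.ingress("b4b0.1790.0000"),   # legitimate user is now cut off as well
    ]
    return results, ps.err_disabled, ps.violations


if __name__ == "__main__":
    print(demo())
```

The third result is the caveat for the roaming-user case mentioned earlier in the thread: with violation mode shutdown, one stray laptop err-disables the port for the permitted hosts too, so a conference-room port would need either a higher maximum, the restrict or protect mode, or errdisable recovery.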
05-04-2011 10:40 AM
Hi Tony,
Please note that a MAC access list will only match non-IP traffic, such as ARP. It will block ARP packets and therefore block subsequent communications, but with a static ARP entry in place, IP packets like ping will go through. So most likely pings were successful even after 'mac access-group' was applied because the ARP entry was complete and the server did not generate an ARP request until the ARP entry was cleared due to timers; therefore there would be a delay in the effectiveness of this MAC ACL.
Please refer to the Creating Named MAC Extended ACLs and Applying a MAC ACL to a Layer 2 Interface sections on the following link for more information:
With port ACLs, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC addresses. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP access list and a MAC access list to the interface.
The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
As a workaround, you can apply both a MAC ACL to the L2 access ports (to filter ARP) and an IP ACL to the VLAN interface (to filter IP packets).
Best regards,
Andras