
MAC Extended ACL

Tracey Foster
Level 1

I have HSRP running in my core between 2 routers and a switch connected to both.  From my switch, I have VLANs going to end switches.  I am seeing the HSRP broadcast going out all ports (as it should).  I want to deny this traffic from going out to the end point switches.

I have configured a MAC Extended ACL and applied it to the ports; I say ports as first I applied at the core switch and still saw the MAC at the end switch, then I applied to the end switch and still see the MAC.  What am I doing wrong?  Am I missing something?

Any help would be greatly appreciated!

Tracey

Configs:                  

SwitchVlan12

mac access-list extended Limit-HSRP
deny   host 0000.0c07.ac0a any
permit any any

interface GigabitEthernet0/1
switchport mode trunk
mac access-group Limit-HSRP in

SwitchVlan12#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0000.0c07.ac32    DYNAMIC     Gi0/1
  50    70ca.9b15.bfda    DYNAMIC     Gi0/1
  50    a44c.112f.3503    DYNAMIC     Gi0/1
  10    0000.0c07.ac0a    DYNAMIC     Gi0/1
  10    70ca.9b15.bfda    DYNAMIC     Gi0/1
  11    0000.0c07.ac0b    DYNAMIC     Gi0/1
  11    70ca.9b15.bfda    DYNAMIC     Gi0/1
  12    0000.0c07.ac00    DYNAMIC     Gi0/1
  12    70ca.9b15.bfda    DYNAMIC     Gi0/1
  13    0000.0c07.ac0d    DYNAMIC     Gi0/1
  13    70ca.9b15.bfda    DYNAMIC     Gi0/1

Switch1
mac access-list extended Limit-HSRP
deny   host 0000.0c07.ac0a any
permit any any

interface GigabitEthernet1/0/3
description connection to GCSSwVlan12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-31,50,80,100,200
switchport mode trunk
mac access-group Limit-HSRP in

Sw1#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/23
  10    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  10    70ca.9b15.bfda    DYNAMIC     Gi1/0/24
  11    0000.0c07.ac0b    DYNAMIC     Gi1/0/23
  11    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  11    70ca.9b15.bfda    DYNAMIC     Gi1/0/24
  12    0000.0c07.ac00    DYNAMIC     Gi1/0/23
  12    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  12    70ca.9b15.bfda    DYNAMIC     Gi1/0/24
  13    0000.0c07.ac0d    DYNAMIC     Gi1/0/23
  13    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  13    70ca.9b15.bfda    DYNAMIC     Gi1/0/24


Tracey Foster
Level 1

I made the following changes and still get the same results!  What am I doing wrong????


Switch1
mac access-list extended Limit-HSRP
deny   any host 0000.0c07.ac0a
permit any any

interface GigabitEthernet1/0/3
description connection to GCSSwVlan12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-31,50,80,100,200
switchport mode trunk
mac access-group Limit-HSRP in

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/23
Total Mac Addresses for this criterion: 1

SwitchVlan12
mac access-list extended Limit-HSRP
deny   any host 0000.0c07.ac0a
permit any any

interface GigabitEthernet0/1
switchport mode trunk
mac access-group Limit-HSRP in

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1
