Showing results for 
Search instead for 
Did you mean: 
Join Customer Connection to register!

MAC Filtering in Catalyst 3750 (with IP Base IOS)


I got a Catalyst 3750 working with the IP features IOS.

I tried to configure some MAC filters in a couple interfaces and they seem not to work properly...

The scenario is the following. I got 4 busses (hubs) that are connected to a bridge. The bridge has to be changed because it is defective. It is a Hirschmann bridge with some strange proprietary filters that could be only implemented in it.

There is actually no replacement for this device, and I thought I could use a Catalyst for it. Since in each port of the bridge will be connected to a hub, some access lists have to be implemented.

This is the configuration example of one of the lists:

mac access-list extended filter1
deny host 0800.0601.1201 any
deny host 0800.0601.1202 any
deny host 0800.0601.1203 any
deny host 0800.0601.1204 any
deny host 0800.0601.1205 any
deny host 0800.0601.1206 any
deny host 0800.0601.1207 any
deny host 0800.0601.1208 any
deny host 0800.0601.1209 any
deny host 0800.0601.1210 any
deny host 0800.0601.1211 any
deny host 0800.0601.1212 any
deny host 0800.0601.1213 any
deny host 0800.0601.1214 any
deny host 0800.0601.1215 any
deny host 0800.0601.1216 any
deny host 0800.0601.1217 any
deny host 0800.0601.1218 any
deny host 0800.0601.1219 any
deny host 0800.0601.1220 any
permit any any

interface GigabitEthernet1/0/1
switchport access vlan 10
switchport mode access
speed auto
mac access-group filter1 in
no shutdown

The problem is that sometimes it works, sometimes does not, sometimes after restart works and minutes later stop working....

I do not really know what the issue can be!

thanks for your help!

best regards,


Nagendra Kumar Nainar
Cisco Employee

Hi Fabio,

MAC ACL is only for non-IP traffic. To my knowledge, it is not suppose to work for IP traffic. But in some cases, ARP packets will be affected by MAC ACL and will appear to influence IP traffic.

You need to try IP ACL for IP traffic.



Hi Nagendra,

thanks for your answer.

I know that MAC ACL is not suitable for IP traffic... Furthermore, I do not talk about IP filtering in my problem description.

I only said that the switch is runing the IP-Base IOS version.

best regards,


Hello Fabio,

port security can be the right tool for this job : you can specify  what MAC addresses are expected on each of the four ports with an action restrict.

this should be effective allowing traffic only coming from intended hosts.

Hope to help


Hi Giuseppe,

thanks for the idea. I already had thought about it. But, how many addresses can be maximum defined pro port? Or can address ranges be defined? For example 00:00:00:00:00:00 to 00:00:00:00:FF:FF. That's a lot of addresses to be configured individually...

On the other hand, these filters that are defined in the Hirschmann Bridge are not only INBOUND filters, but OUTBOUND filters also. Port security can't help in here, am I right?