
QoS and MAC access-list

mohamed louhab

Hi,

On a 2960S switch (c2960s-universalk9-mz.122-55.SE5), I want to mark the traffic between two hosts (data replication). I chose to use a "mac access-list" to classify my traffic before applying the marking policy, but it didn't work. Can you help me, please?

! my MAC ACL

mac access-list extended test
 permit host 000a.1a41.aa52 host 000a.1a41.1bc2

class-map match-all test
 match access-group name test

! marking the traffic between two hosts

policy-map test
 class test
  set dscp af32

! I apply the policy on the LAN interface

interface GigabitEthernet1/0/1
 switchport mode trunk
 service-policy input test

! 0 match in policy

sh policy-map interface gigabitEthernet 1/0/1

  Service-policy input: test
    Class-map: test (match-all)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: access-group name test
    Class-map: class-default (match-any)
      0 packets, 0 bytes
      5 minute offered rate 0 bps, drop rate 0 bps
      Match: any
        0 packets, 0 bytes
        5 minute rate 0 bps

! 0 match in MAC ACL

sh access-lists

Extended MAC access list test
    permit host 000a.1a41.aa52 host 000a.1a41.1bc2

Thank you,

Peter Paluch

Hello Mohamed,

On 2960-S switches, MAC ACLs apply only to non-IP traffic. An IP packet can only be matched by an IP ACL. Therefore, if the data replication traffic is IP-based, you cannot use MAC ACLs; rather, you must modify your configuration to use IP ACLs.

Best regards,
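
The change suggested in the reply above, written out as a configuration. This is an added example, not part of the original thread: the addresses 192.0.2.10 and 192.0.2.20 and the names REPL-IP, REPL-CLASS and REPL-MARK are placeholders, and it assumes the host at 192.0.2.10 is the one whose traffic enters GigabitEthernet1/0/1.

```cisco
! Added example (constructed values, not from the thread).
! 192.0.2.10 = placeholder for the replication source behind Gi1/0/1
! 192.0.2.20 = placeholder for the replication destination
!
! QoS must be enabled globally before any marking policy takes effect.
mls qos
!
! IP ACL replaces the MAC ACL: on the 2960-S a MAC ACL only matches
! non-IP frames, so IP-based replication traffic never hits it.
ip access-list extended REPL-IP
 permit ip host 192.0.2.10 host 192.0.2.20
!
class-map match-all REPL-CLASS
 match access-group name REPL-IP
!
policy-map REPL-MARK
 class REPL-CLASS
  set dscp af32
!
! An input policy classifies only frames received on this port, so the
! ACL source must be the host (or hosts) reachable through Gi1/0/1.
interface GigabitEthernet1/0/1
 service-policy input REPL-MARK
!
! Verification (exec mode).
! Cisco's command reference for this switch family says the statistics in
! "show policy-map interface" should be ignored, so check the per-DSCP
! packet counters on the port instead:
!   show mls qos interface GigabitEthernet1/0/1 statistics
! The af32 (DSCP 28) counter should increase while replication runs.
```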


Hello Peter,

Thank you for your reply.

Yes, the data replication is IP-based, but the reason why I made a MAC ACL is that the IP ACL did not work. I don't get any match in the ACL or in the policy-map when I use an IP ACL (really, I have done IP ACLs a thousand times, but on this switch I do not understand why it does not work anymore).

1) Is there something to activate on the switch so that it supports IP ACLs?

2) Do I apply the QoS policy on a Layer 2 interface, or must I apply it on a Layer 3 interface to support IP ACLs?

Thank you for your time and help.


Are these hosts on the same VLAN? It will not work if they aren't, as the destination MAC will be the next hop interface and not the destination host.

I recommend doing a port mirror on this port to capture the traffic and verify the MACs, and then a port mirror of the port that the traffic is exiting out of to see if the DSCP value is set.

Do a "show mls qos" to see the QoS status and trust state.

Hi Glenn,

Yes, all the hosts are in the same VLAN.

QoS is enabled on the switch:

SW2960_A#sh mls qos

QoS is enabled

QoS ip packet dscp rewrite is enabled


I changed the MAC ACL to an IP ACL but I still have the issue!

Thanks,
