Showing results for 
Search instead for 
Did you mean: 

QOS ans mac access-list

mohamed louhab
Level 1
Level 1

Hi ,

in switch 2960s ( c2960s-universalk9-mz.122-55.SE5 ) , i want to marking the trafic between two hosts ( Data replication ), i choose to use " mac access-list"  to classify my trafic before apply the policy marking . but did'nt work . can you help me plz

!  my mac ACL

mac access-list extended test

permit host 000a.1a41.aa52 host 000a.1a41.1bc2


class-map match-all test

match access-group name test


! marking the trafic between tow hosts

policy-map test

class test

  set dscp af32

!  i apply the policy in intetface LAN

interface GigabitEthernet1/0/1

switchport mode trunk

service-policy input test

! 0 match in policy

sh policy-map interface gigabitEthernet 1/0/1


  Service-policy input: test

    Class-map: test (match-all)

      0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: access-group name test

    Class-map: class-default (match-any)

      0 packets, 0 bytes

      5 minute offered rate 0 bps, drop rate 0 bps

      Match: any

        0 packets, 0 bytes

        5 minute rate 0 bps

! 0 match in mac acl

sh access-lists

Extended MAC access list test

    permit host 000a.1a41.aa52 host 000a.1a41.1bc2

thank you ,

4 Replies 4

Peter Paluch
Cisco Employee
Cisco Employee

Hello Mohamed,

On 2960-S switches, MAC ACLs apply only to non-IP traffic. An IP packet can only be matched by an IP ACL. Therefore, if the data replication traffic is IP-based, you can not use MAC ACLs, rather, you must modify your configuration to use IP ACLs.

Best regards,


Hello Peter ,

thank you for your reply .

yes , the data replication is IP-based , but the reason why I made mac ACL is that the IP ACL did not work, , i dont' any match in ACL and in Policy-map when i do IP ACL ( really i do the IP-ACL thousand times but in switch I do not understand why it does not work anymore ) .

1 ) is there something to activate in the switch so that it support IP ACL ??

2 ) is what I apply the QOS policy in interface layer 2 or i must applying in layer 3 interface to supporting IP ACL ??

thanak you for your time and help

Level 1
Level 1

Are these hosts on the same VLAN?  It will not work if they aren't as the destination MAC will be the next hop interface and not the destination host.

I recommend doing a port mirror on this port to capture the traffic and verify the MACs and then a port mirror of the port that the traffic is exting out of to see if the DSCP value is set.

Do a "show mls qos" to see the QoS status and trust state.

Hi Glenn ,

yes all the hosts in the some VLAN.

the QOS is enabled in Switch :

SW2960_A#sh mls qos

QoS is enabled

QoS ip packet dscp rewrite is enabled


i change the MAC-acl with IP-ACL but i still have the issue !!

thanks ,

Review Cisco Networking for a $25 gift card