vlan restricted to mac address access-list

Hi everyone

I have a Catalyst 3560x switch with version 15.0(1)SE3 and I have created a MAC address access list. My goal is that only the MAC addresses specified in the access list will be allowed to join the VLAN or port. Here is a small segment of my ACL:

access-list 700 permit ecf4.b114.0523 0000.0000.0000
access-list 700 permit 848f.6gb3.687a 0000.0000.0000
access-list 700 deny 0000.0000.0000 0000.0000.0000

When I try to apply it to a VLAN or interface, that is not possible because the range of the MAC-based access list is not allowed:

switch(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name

Does somebody have another idea for how to do this on my switch?

-Thanks a lot!!

3 Replies

Fixed with these:

Switch(config)# mac access-list extended allowed-list
Switch(config-ext-macl)# permit host aaa.bbb.ccc.ddd any
Switch(config-ext-macl)# permit host eee.fff.ggg.hhh any
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# exit
Switch(config)# interface GE0/12
Switch(config-if)# mac access-group allowed-list in
Switch(config-if)# end
Switch#

Hello,

Indeed, MAC ACLs on Catalyst switches are configured with mac access-list and applied to interfaces using mac access-group.

However, be careful that on any recent Catalyst platform (2960, 3560, 3750, ...), MAC ACLs only apply to non-IP traffic. If a frame carrying an IPv4 or an IPv6 packet is received on a port, the associated MAC ACL will not apply to this frame. To put it simply, an IP ACL applied to a port only impacts IP traffic, while a MAC ACL applied to a port only impacts non-IP traffic. There is no possibility of filtering frames carrying IPv4/6 packets using a MAC ACL.

Best regards,
Peter
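The behaviour described in the reply above, modelled as an added example that is not part of the original thread or Cisco code: a port MAC ACL shaped like the thread's allowed-list is evaluated only for non-IP frames, so an IPv4 or IPv6 frame from an unlisted MAC address is never matched against it. The MAC addresses, the function names and the assumption of untagged Ethernet II frames are constructed for illustration.

```python
import struct

IP_ETHERTYPES = {0x0800, 0x86DD}  # IPv4, IPv6: a port MAC ACL never sees these
AARP = 0x80F3                     # AppleTalk ARP, the "aarp" keyword in the ACL

# Constructed ACL mirroring the thread's "allowed-list" (sample MAC addresses).
# Entry: (action, source MAC or None for "any", EtherType or None for any).
ALLOWED_LIST = [
    ("permit", "0200.0000.0001", None),
    ("permit", "0200.0000.0002", None),
    ("deny", None, AARP),
]

def cisco_mac(raw: bytes) -> str:
    """Format 6 raw bytes in Cisco dotted notation (xxxx.xxxx.xxxx)."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))

def port_mac_acl_verdict(frame: bytes, acl=ALLOWED_LIST) -> str:
    """Model what an inbound port MAC ACL does with an Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype in IP_ETHERTYPES:
        return "not-evaluated"    # IP frame: only an IP ACL could filter it
    for action, acl_src, acl_type in acl:
        if acl_src in (None, cisco_mac(src)) and acl_type in (None, ethertype):
            return action         # first matching entry wins
    return "deny"                 # implicit deny at the end of the ACL

def make_frame(src_hex: str, ethertype: int) -> bytes:
    """Build a constructed header-only frame with a broadcast destination."""
    return bytes.fromhex("ffffffffffff" + src_hex) + struct.pack("!H", ethertype)

if __name__ == "__main__":
    samples = [  # constructed frames: (source MAC, EtherType, label)
        ("020000000001", 0x809B, "listed host, AppleTalk"),
        ("0200000000ff", 0x809B, "unlisted host, AppleTalk"),
        ("0200000000ff", 0x80F3, "unlisted host, AARP"),
        ("0200000000ff", 0x0800, "unlisted host, IPv4"),
        ("0200000000ff", 0x86DD, "unlisted host, IPv6"),
    ]
    for src, etype, label in samples:
        print(f"{label:26} -> {port_mac_acl_verdict(make_frame(src, etype))}")
```

The last two sample frames come back as not-evaluated, which is the gap the reply warns about when a MAC ACL is used as the only control on which hosts may use a port.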

Hello,

Please refer to Peter's answer. MAC access lists only filter non-IP traffic. Please check the link below.

"After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:"

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swacl.html#wp1289037
