11-11-2015 07:33 AM - edited 03-08-2019 02:39 AM
Hi everyone
I have a Catalyst 3560x switch with version 15.0(1)SE3 and I have created a MAC address access list. My goal is that only the MAC addresses specified in the access list will be allowed to join the VLAN or port. Here is a small segment of my ACL:
access-list 700 permit ecf4.b114.0523 0000.0000.0000
access-list 700 permit 848f.6gb3.687a 0000.0000.0000
access-list 700 deny 0000.0000.0000 0000.0000.0000
When I try to apply it to a VLAN or interface, that is not possible because the MAC-based access list range is not allowed:
switch(config-if)#ip access-group ?
<1-199> IP access list (standard or extended)
<1300-2699> IP expanded access list (standard or extended)
WORD Access-list name
Does somebody have another idea for how to do this on my switch?
-Thanks a lot!!
11-11-2015 08:15 AM
Fixed with these:
Switch(config)# mac access-list extended allowed-list
Switch(config-ext-macl)# permit host aaa.bbb.ccc.ddd any
Switch(config-ext-macl)# permit host eee.fff.ggg.hhh any
Switch(config-ext-macl)# deny any any aarp
Switch(config-ext-macl)# exit
Switch(config)# interface GE0/12
Switch(config-if)# mac access-group allowed-list in
Switch(config-if)# end
Switch#
11-11-2015 08:21 AM
Hello,
Indeed, MAC ACLs on Catalyst switches are configured with mac access-list and applied to interfaces using mac access-group.
However, be careful that on any recent Catalyst platform (2960, 3560, 3750, ...), MAC ACLs only apply to non-IP traffic. If a frame carrying an IPv4 or an IPv6 packet is received on a port, the associated MAC ACL will not apply to this frame. To put it simply, an IP ACL applied to a port only impacts IP traffic, while a MAC ACL applied to a port only impacts non-IP traffic. There is no possibility of filtering frames carrying IPv4/6 packets using a MAC ACL.
Best regards,
Peter
11-11-2015 08:42 AM
Hello,
Please refer to Peter's answer. MAC access lists only filter non-IP traffic. Please check the link below.
"After you create a MAC ACL, you can apply it to a Layer 2 interface to filter non-IP traffic coming in that interface. When you apply the MAC ACL, consider these guidelines:"
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swacl.html#wp1289037
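A check that follows from Peter's point that a MAC ACL only applies to non-IP frames: the script below is an added example, not part of the thread or of any Cisco tool, and it lists every port that has an inbound MAC ACL together with whether an IP ACL is also bound there. The configuration excerpt is constructed, and the names `edge-in`, `typo-list` and the MAC address are made up for illustration.

```python
import re

# Constructed running-config excerpt; ACL names, ports and MACs are made up.
SAMPLE_CONFIG = """\
mac access-list extended allowed-list
 permit host 0011.2233.4455 any
!
interface GigabitEthernet0/12
 mac access-group allowed-list in
!
interface GigabitEthernet0/13
 mac access-group allowed-list in
 ip access-group edge-in in
!
interface GigabitEthernet0/14
 mac access-group typo-list in
"""

def audit_mac_acl_ports(config):
    """List ports with an inbound MAC ACL and which ACLs are bound there."""
    defined, ports, current = set(), {}, None
    for line in config.splitlines():
        if m := re.match(r"mac access-list extended (\S+)", line):
            defined.add(m.group(1))
            current = None
        elif m := re.match(r"interface (\S+)", line):
            current = ports.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # a top-level line ends the interface block
        elif current is not None and (
                m := re.match(r"\s+(mac|ip) access-group (\S+) in\s*$", line)):
            current[m.group(1)] = m.group(2)
    # The MAC ACL only sees non-IP frames, so on a port where "ip_acl" is None
    # frames carrying IP packets are not checked against any list.
    return [{"port": p, "mac_acl": a["mac"], "mac_acl_defined": a["mac"] in defined,
             "ip_acl": a.get("ip")} for p, a in ports.items() if "mac" in a]

if __name__ == "__main__":
    for f in audit_mac_acl_ports(SAMPLE_CONFIG):
        note = (f"IP ACL {f['ip_acl']} also bound" if f["ip_acl"]
                else "no IP ACL: IP frames are not checked against the MAC list")
        print(f"{f['port']}: MAC ACL {f['mac_acl']} "
              f"(defined={f['mac_acl_defined']}); {note}")
```
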