MAC ACL doesn't work on 4507

Unanswered Question
Apr 29th, 2008

Greetings, all. I am attempting to spin a special QoS configuration in our 4507s for a non-Cisco IP phone, specifically the Aspect TeleSet3. They work well, but...

This phone has a PC port and does 802.1q tagging, but naturally does not use CDP, so the trusted boundary functions provided by "qos trust device cisco-phone" will not apply. The Aspect phones must coexist with Cisco phones on the same switch and VLAN, so I have decided to attack this at the port level.

My idea? By applying a policy map with a MAC ACL on the switch port, the MAC from the phone will be matched and its packets trusted, while the MAC from the PC will not be matched, and its packets marked down to 0.

The problem? The MAC ACL doesn't match packets, even when the permit statement has a full host MAC address. Sniffer captures, "show policy-map", and "show access-list" confirm this. The service policy works, however, because all the packets are marked down to 0.

Here's a config extract:

!----------------------------------------
!
mac access-list extended QOS-ASPECT
 permit 0090.f300.0000 0000.00ff.ffff any
!
class-map match-any QOS-ASPECT
  match access-group name QOS-ASPECT
!
policy-map QOS-ASPECT
  description : ASPECT INPUT POLICY
  class QOS-ASPECT
    trust cos
  class class-default
    set dscp default
!
!----------------------------------------
!
policy-map QOS-ACCESS
  description : ACCESS OUTPUT POLICY
  class class-default
    dbl
!
!----------------------------------------
!
interface [slot/port]
 description : ACCESS PORT
 switchport mode access
 switchport access vlan [data_VLAN]
 switchport voice vlan [voice_VLAN]
 qos trust cos
 tx-queue 3
   priority high
   shape percent 33
 service-policy output QOS-ACCESS
 service-policy input QOS-ASPECT
!
!----------------------------------------

Ideas? Call TAC? (ARGH).

Thanks,

Rick -Z-

tstanik Tue, 05/06/2008 - 05:36

You can filter non-IP traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. But named MAC extended ACLs cannot be applied to Layer 3 interfaces. For more information about the supported non-IP protocols in the mac access-list extended command, refer to the command reference for this release.

Refer to the URL below for ACLs on the 4500 series:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/secure.html
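As an added illustration (not code from this thread, from Cisco, or from the Aspect product), the following Python model evaluates the posted ACE the way an ACL engine would, so the wildcard mask can be checked off-box, and then applies the constraint stated in the reply above: the MAC ACL is consulted only for non-IP frames, so IP frames from the phone fall through to class-default regardless of their source MAC. The wildcard semantics (a 1 bit in the mask means "don't care"), the "IP frames skip the MAC ACL" rule, and the sample MAC addresses are assumptions constructed for this example.

```python
"""
Added example (not from the original thread): model the posted
`mac access-list extended QOS-ASPECT` and the QOS-ASPECT policy map.

Assumptions (constructed for this example):
  * Cisco wildcard-mask semantics: a 1 bit in the mask is "don't care".
  * Per the reply in the thread, the MAC ACL is only evaluated for
    non-IP frames; IPv4 frames go straight to class-default.
  * Sample MAC addresses below are made up.
"""
import re

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
MAC_MASK_48 = 0xFFFFFFFFFFFF


def mac_to_int(mac: str) -> int:
    """Parse 'hhhh.hhhh.hhhh', 'hh:hh:..' or 'hh-hh-..' into a 48-bit int."""
    hexdigits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", hexdigits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(hexdigits, 16)


def parse_ace(line: str):
    """Parse one 'permit|deny <src> <src-wildcard> any' ACE.

    Only the shape used in the thread (source + wildcard, destination
    'any') is supported; returns (action, src_base, src_wildcard).
    """
    parts = line.split()
    if len(parts) < 4 or parts[0] not in ("permit", "deny") or parts[3] != "any":
        raise ValueError(f"unsupported ACE: {line!r}")
    return parts[0], mac_to_int(parts[1]), mac_to_int(parts[2])


def ace_matches(src_mac: str, ace) -> bool:
    """Cisco wildcard compare: only bits cleared in the wildcard are compared."""
    _, base, wild = ace
    care = ~wild & MAC_MASK_48
    return (mac_to_int(src_mac) & care) == (base & care)


def classify(src_mac: str, ethertype: int, acl) -> str:
    """Return the QOS-ASPECT policy-map action for one ingress frame.

    IPv4 frames never reach the MAC ACL (assumed, per the reply), so
    they always land in class-default and get 'set dscp default'.
    A deny ACE means "not in the class", which also means class-default.
    """
    if ethertype == ETHERTYPE_IPV4:
        return "set dscp default"
    for ace in acl:
        if ace_matches(src_mac, ace):
            return "trust cos" if ace[0] == "permit" else "set dscp default"
    return "set dscp default"


# The single ACE posted in the thread.
QOS_ASPECT = [parse_ace("permit 0090.f300.0000 0000.00ff.ffff any")]

if __name__ == "__main__":
    # Constructed sample frames: a phone OUI and a PC MAC, as IP and as ARP.
    samples = [
        ("0090.f312.3456", ETHERTYPE_IPV4),
        ("0090.f312.3456", ETHERTYPE_ARP),
        ("0011.2233.4455", ETHERTYPE_ARP),
    ]
    for mac, etype in samples:
        print(f"{mac} ethertype=0x{etype:04x} "
              f"ace_match={ace_matches(mac, QOS_ASPECT[0])} "
              f"action={classify(mac, etype, QOS_ASPECT)}")
```

Running it shows that the wildcard on the posted ACE does select the 0090.f3 prefix, so the mask is not the reason the class never matches; the modelled platform rule is. That is the same outcome the original poster observed with "show policy-map": every frame carrying IP, phone or PC, ends up in class-default.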
