MAC ACL doesn't work on 4507

Unanswered Question
Apr 29th, 2008

Greetings, all. I am attempting to spin a special QoS configuration in our 4507s for a non-Cisco IP phone, specifically the Aspect TeleSet3. They work well, but...

This phone has a PC port and does 802.1q tagging, but naturally does not use CDP, so the trusted boundary functions provided by "qos trust device cisco-phone" will not apply. The Aspect phones must coexist with Cisco phones on the same switch and VLAN, so I have decided to attack this at the port level.

My idea? By applying a policy map with a MAC ACL on the switch port, the MAC from the phone will be matched and its packets trusted, while MAC from the PC will not be matched, and its packets marked down to 0.

The problem? The MAC ACL doesn't match packets, even when the permit statement has a full host MAC address. Sniffer captures, "show policy-map", and "show access-list" confirm this. The service policy works, however, because all the packets are marked down to 0.

Here's a config extract:



mac access-list extended QOS-ASPECT
 permit 0090.f300.0000 0000.00ff.ffff any

class-map match-any QOS-ASPECT
 match access-group name QOS-ASPECT

policy-map QOS-ASPECT

  trust cos

  set dscp default

policy-map QOS-ACCESS
 class class-default

interface [slot/port]
 description : ACCESS PORT
 switchport mode access
 switchport access vlan [data_VLAN]
 switchport voice vlan [voice_VLAN]
 qos trust cos
 tx-queue 3
  priority high
  shape percent 33
 service-policy output QOS-ACCESS
 service-policy input QOS-ASPECT



Ideas? Call TAC? (ARGH).


Rick -Z-

tstanik Tue, 05/06/2008 - 05:36

You can filter non-IP traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. But named MAC extended ACLs cannot be applied to Layer 3 interfaces. For more information about the supported non-IP protocols in the mac access-list extended command, refer to the command reference for this release.

Refer to the URL below for ACLs on the 4500 series:
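The following is an added example, not part of either post and not Cisco code: a small Python model of the behaviour the reply describes, applied to the ACE and class names from the question. It assumes that only EtherType 0x0800 counts as IP and that MAC ACLs are evaluated for non-IP frames only; the sample MAC addresses, the 0x88CC EtherType and the frames are constructed.

```python
"""Toy model of MAC-ACL classification on a Layer 2 port (constructed example)."""
IPV4 = 0x0800  # assumption: only this EtherType counts as "IP" in the model

def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted (0090.f300.0000) or colon/hyphen MAC notation."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """IOS wildcard semantics: 1-bits in the mask are 'don't care'."""
    care = ~mac_to_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_to_int(addr) & care) == (mac_to_int(base) & care)

# The ACE from the question: permit 0090.f300.0000 0000.00ff.ffff any
ACE_SRC, ACE_WILDCARD = "0090.f300.0000", "0000.00ff.ffff"

def classify(src_mac: str, ethertype: int) -> str:
    """Return the class a frame lands in under policy-map QOS-ASPECT."""
    # Per the reply: a named MAC extended ACL is evaluated for non-IP frames only.
    if ethertype != IPV4 and wildcard_match(src_mac, ACE_SRC, ACE_WILDCARD):
        return "QOS-ASPECT"
    return "class-default"

# Constructed sample frames: (description, source MAC, EtherType)
FRAMES = [
    ("phone RTP over IPv4", "0090.f312.3456", 0x0800),
    ("phone non-IP frame", "0090.f312.3456", 0x88CC),
    ("PC IPv4", "0011.2233.4455", 0x0800),
    ("PC non-IP frame", "0011.2233.4455", 0x88CC),
]

def run() -> dict:
    """Classify every sample frame and return {description: class}."""
    return {desc: classify(mac, etype) for desc, mac, etype in FRAMES}

if __name__ == "__main__":
    for desc, cls in run().items():
        print(f"{desc:22} -> {cls}")
```

In this model the wildcard mask does match the phone's MAC prefix, but the phone's IPv4 frames still land in class-default, which is where the question's policy sets DSCP to default.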