I'm encompassed with doubt.
There are 2 switches: the 3550 is a layer 2 switch, the 3560 is a layer 3 switch, and PC-1 and PC-2 are connected to the 3550.
When I applied a MAC ACL on f0/28 of the 3550, which is connected to PC-1, I found it didn't work.
mac access-list extended test
deny host abcd.abcd.abcd host 1234.1234.1234
permit any any
I pinged PC-2 from PC-1, and PC-2 replied.
But when I cleared the ARP entry for PC-2 on the 3560, the ping was interrupted. It seemed the MAC ACL started to work.
Why did this happen? Please help me.
You are welcome. In my opinion, clearing the ARP cache on the core switch did not affect anything in your case. It probably just coincided with the flushing of the ARP cache on PC2 - they just happened to occur simultaneously. Give it another try :)
The reason is that on Catalyst 3550 series switches, the MAC ACL applies only to non-IP traffic. While I cannot fully explain what happened in your network, as you are stating that you cleared the ARP entry on the 3560 switch, which seems somewhat strange to me, my first hint is that the MAC ACL did not prevent the IP packets from flowing through port fa0/28 on your 3550. However, it did prevent non-IP traffic, such as ARP communication, from passing through that port. I suspect that in the meantime, while you were doing other experiments, PC1's MAC address simply expired from PC2's ARP cache. After PC2 sent the ARP Request, PC1 tried to answer by sending the ARP Reply, but the MAC ACL blocked it. That is why the PCs could not communicate - not because all frames from PC1 were dropped, but rather because PC2 was unable to resolve PC1's MAC address.
Note that MAC ACLs behave differently on different Catalyst platforms. On the 2950, for example, they apply to any traffic. The 3550 uses MAC ACLs to filter only non-IP traffic. For the 2960 and 3560, the manual also says that they apply only to non-IP traffic, but they also allow you to specify the EtherType. I do not know right now what would happen if you had a MAC ACL in place that matched on EtherType 0x0800 (IP).
Perhaps this helps a bit. If in doubt, refer to the Command Reference for your particular IOS version.
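The following is an added model of the explanation given in the answer above; it is not code from the thread or from Cisco. It assumes the posted ACL is applied inbound on PC1's port, that hosts populate their ARP cache from the sender fields of any ARP packet they receive (as real stacks do), and uses constructed IP addresses for the two PCs. With the 3550 rule (IP frames bypass the MAC ACL) the ping from PC1 succeeds until PC2's ARP entry for PC1 ages out, at which point PC2's ARP request still reaches PC1 but PC1's unicast ARP reply hits the deny entry, so PC2 cannot send its echo reply. With the 2950 rule (ACL applies to all frames) the IP echo request itself is dropped and the first ping already fails.

```python
from dataclasses import dataclass

ETYPE_IP, ETYPE_ARP = 0x0800, 0x0806
BCAST = "ffff.ffff.ffff"
PC1_MAC, PC2_MAC = "abcd.abcd.abcd", "1234.1234.1234"   # MACs from the posted ACL
PC1_IP, PC2_IP = "10.0.0.1", "10.0.0.2"                 # constructed for the model


@dataclass
class Frame:
    etype: int
    src: str        # source MAC
    dst: str        # destination MAC
    src_ip: str
    dst_ip: str
    op: str         # "arp-req", "arp-rep", "echo-req", "echo-rep"


class MacAcl:
    """Ordered (action, src, dst) entries with an implicit deny at the end."""

    def __init__(self, entries, ip_exempt):
        self.entries = entries
        self.ip_exempt = ip_exempt   # True models the 3550: IP frames bypass MAC ACLs

    def permits(self, f):
        if self.ip_exempt and f.etype == ETYPE_IP:
            return True
        for action, src, dst in self.entries:
            if src in ("any", f.src) and dst in ("any", f.dst):
                return action == "permit"
        return False


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip, self.arp, self.net = mac, ip, {}, None

    def send(self, f):
        return self.net.forward(self, f)

    def resolve(self, ip):
        """Return the MAC for ip, sending a broadcast ARP request on a cache miss."""
        if ip not in self.arp:
            rep = self.send(Frame(ETYPE_ARP, self.mac, BCAST, self.ip, ip, "arp-req"))
            if rep is not None and rep.op == "arp-rep":
                self.arp[rep.src_ip] = rep.src
        return self.arp.get(ip)

    def ping(self, dst_ip):
        """One ICMP echo; True only if an echo reply comes back."""
        dst_mac = self.resolve(dst_ip)
        if dst_mac is None:
            return False
        rep = self.send(Frame(ETYPE_IP, self.mac, dst_mac, self.ip, dst_ip, "echo-req"))
        return rep is not None and rep.op == "echo-rep"

    def receive(self, f):
        """Handle a delivered frame; return the frame sent in response, if any."""
        if f.etype == ETYPE_ARP:
            self.arp[f.src_ip] = f.src          # learn the sender from requests and replies
            if f.op == "arp-req" and f.dst_ip == self.ip:
                return Frame(ETYPE_ARP, self.mac, f.src, self.ip, f.src_ip, "arp-rep")
            return None
        if f.op == "echo-req":
            mac = self.resolve(f.src_ip)        # may trigger an ARP request of our own
            if mac is None:
                return None                     # cannot reply without the requester's MAC
            return Frame(ETYPE_IP, self.mac, mac, self.ip, f.src_ip, "echo-rep")
        return None


class Switch:
    """Two-port switch with one inbound MAC ACL on the port facing `filtered`."""

    def __init__(self, a, b, acl, filtered):
        self.a, self.b, self.acl, self.filtered = a, b, acl, filtered
        a.net = b.net = self

    def forward(self, sender, f):
        if sender is self.filtered and not self.acl.permits(f):
            return None                         # dropped inbound on the filtered port
        peer = self.b if sender is self.a else self.a
        rep = peer.receive(f)
        if rep is not None and peer is self.filtered and not self.acl.permits(rep):
            return None                         # the peer's answer is dropped on its port
        return rep


def run_scenario(ip_exempt):
    """Ping PC2 from PC1 at three points in time; returns the outcome of each."""
    pc1, pc2 = Host(PC1_MAC, PC1_IP), Host(PC2_MAC, PC2_IP)
    acl = MacAcl([("deny", PC1_MAC, PC2_MAC), ("permit", "any", "any")], ip_exempt)
    Switch(pc1, pc2, acl, filtered=pc1)
    results = {"fresh": pc1.ping(PC2_IP)}
    pc2.arp.clear()                             # PC2's entry for PC1 ages out
    results["pc2_arp_expired"] = pc1.ping(PC2_IP)
    pc1.arp.clear(); pc2.arp.clear()            # both age out: PC1 re-ARPs with a permitted broadcast
    results["both_expired"] = pc1.ping(PC2_IP)
    return results


if __name__ == "__main__":
    print("3550 (non-IP only):", run_scenario(ip_exempt=True))
    print("2950 (all frames): ", run_scenario(ip_exempt=False))
```

The "both_expired" case is why the symptom looks intermittent: once PC1's own entry has aged out too, its broadcast ARP request (which the deny entry does not match) repopulates PC2's cache, and the ping works again until the next time PC2's entry expires on its own.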