Mac address access-lists filtering on Cisco 6500

Unanswered Question
Sep 19th, 2011

Hello,

I have a real problem understanding how mac address access-lists are working on a Cisco 6500. On lower end platforms (3560, 3550), I can have something like:

!
mac access-list extended STOPME
 deny host 0000.1111.2222 any
 permit any any
!
interface fa0/1
 switchport mode access
 switchport access vlan xx
 mac access-group STOPME in

Then whatever connects to the port Fa0/1 with the mac 0000.1111.2222 cannot connect anywhere, as traffic is filtered at L2.

I would expect that this stuff works on Cisco 65k, but it seems not. Cisco announces the mac filtering in the so-called PACL (Port ACL), starting with IOS 12.2SX, and there is some documentation here:

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1039754

on how to configure PACL with mac access-lists, but then they state the following:

A MAC access list filters ingress packets that are of an unsupported type (not IP, IPv6, ARP, or MPLS packets) based on the fields of the Ethernet datagram. A MAC access list is not applied to IP, IPv6, MPLS, or ARP messages. You can define only named MAC access lists.

From this phrase I understand that mac access-list filtering on L2 ports in C6500 is not working for, let's say, well-known traffic.

I believe it's not working as we know it from 3560, 3550 (configured as L2/L3 switches) due to the ways packets are processed by SP / RP on 65k.

I know that I can do mac filtering with VACL, but that's not what I want to discuss here.

Have any of you found any utility in mac access-list filtering on C6500? How, or for what, am I supposed to use it on C6500?

Please let me know if I have misunderstood something after reading the above posted document, and if indeed mac access-list is working on C6500 (to filter all traffic including IP).

Thanks!

aacole Wed, 09/21/2011 - 10:20

Hi, I was planning to use this feature in a new design, but I have not actually tried it yet. However, I looked up Protocol Independent MAC ACL filtering on the Cisco Feature Navigator; I need it for a 6500 with Sup720 running 12.2.33, and apparently it's supported in SXJ IP Base.

This is the description of the feature:

Protocol-independent MAC ACL filtering applies MAC ACLs to all ingress traffic types (for example, IPv4 traffic, IPv6 traffic, and MPLS traffic, in addition to MAC-layer traffic). I think this is the same feature you are talking about.

Andy
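As an added example (not configuration from either poster), here is what the 3560-style STOPME filter from the question looks like as a PACL on a Catalyst 6500 running 12.2SX, with the protocol-independent MAC ACL filtering that Andy mentions switched on so that the MAC ACL is also applied to IP traffic instead of only to the "unsupported" frame types quoted from the VACL/PACL guide. The interface-level "mac packet-classify" command and the "show tcam interface" verification command are taken from my reading of the 12.2SX configuration guide and should be treated as assumptions to check against your own release; the interface name, VLAN number and MAC address are placeholders.

```cisco
! Added example: PACL on a Catalyst 6500 (12.2SX) that drops all frames from
! one source MAC. Without "mac packet-classify" the MAC ACL is applied only to
! frames that are not IP, IPv6, ARP or MPLS; with it, every ingress frame is
! classified on its L2 header, so IP traffic from the host is dropped as well.
!
mac access-list extended STOPME
 deny host 0000.1111.2222 any
 permit any any
!
interface GigabitEthernet3/1
 description Access port of the host to be blocked (placeholder interface)
 switchport
 switchport mode access
 switchport access vlan 100
 ! Assumed command (12.2SX guide): classify all ingress frames by MAC header
 ! so the PACL below also matches IP/IPv6/ARP/MPLS frames
 mac packet-classify
 ! Apply the MAC ACL as a PACL on the L2 port
 mac access-group STOPME in
!
! Verification after generating traffic from 0000.1111.2222:
! show access-lists STOPME
! show running-config interface GigabitEthernet3/1
! show tcam interface GigabitEthernet3/1 acl in mac   (assumed command; shows
!   the programmed hardware entries for the ingress MAC PACL)
```

Because PACL entries are programmed into hardware on the 6500, "show access-lists" may not show hit counters the way the 3560 does; the TCAM view is the place to confirm that the deny entry was actually installed on the port. If the IP traffic from the blocked host still gets through after this, compare the ordering of PACL and VACL on the port ("access-group mode" is the per-interface knob in the same guide) before assuming the MAC ACL itself is being ignored.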
