I have a real problem understanding how MAC address access-lists work on a Cisco 6500. On lower-end platforms (3560, 3550), I can have something like:
mac access-list extended STOPME
 deny   host 0000.1111.2222 any
 permit any any
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan xx
 mac access-group STOPME in
Then whatever connects to port Fa0/1 with the MAC 0000.1111.2222 cannot connect anywhere, as the traffic is filtered at L2.
I would expect this to work on the Cisco 65k, but it seems not. Cisco announces MAC filtering in so-called PACLs (Port ACLs), starting with IOS 12.2SX, and there is some documentation here on how to configure PACLs with MAC access-lists, but then they state the following:
A MAC access list filters ingress packets that are of an unsupported type (not IP, IPv6, ARP, or MPLS packets) based on the fields of the Ethernet datagram. A MAC access list is not applied to IP, IPv6, MPLS, or ARP messages. You can define only named MAC access lists
From this phrase I understand that MAC access-list filtering on L2 ports of the C6500 does not work for, let's say, well-known traffic.
I believe it does not work as we know it from the 3560/3550 (configured as L2/L3 switches) due to the way packets are processed by the SP / RP on the 65k.
I know that I can do MAC filtering with a VACL, but that's not what I want to discuss here.
Have any of you found any use for MAC access-list filtering on the C6500? How, or for what, am I supposed to use it on the C6500?
Please let me know if I have misunderstood something after reading the above-mentioned document, and if indeed the MAC access-list does work on the C6500 (to filter all traffic, including IP).
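The two ways of applying the same MAC ACL on the 6500 that the post contrasts, as an added configuration example (not from the original post or from Cisco's documentation); the interface name, VLAN 10 and the map name are placeholders, and the comments restate only what the quoted documentation says about PACL scope:

```cisco
! Added example: MAC ACL on a Catalyst 6500, applied as a PACL and as a VACL.
! Assumed placeholders: GigabitEthernet1/1, VLAN 10, map name STOPME-MAP.
!
! 1) PACL form (deny the host, permit the rest). Per the quoted 12.2SX text,
!    the PACL evaluates only frames of unsupported types (not IP, IPv6, ARP
!    or MPLS), so IP traffic from 0000.1111.2222 is not dropped by this ACL.
mac access-list extended STOPME
 deny   host 0000.1111.2222 any
 permit any any
!
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
 mac access-group STOPME in
!
! 2) VACL form, the alternative the post mentions. In a VLAN access-map an
!    ACL "permit" means "this entry matches", so the ACL used with "action
!    drop" must PERMIT the host to be blocked; reusing STOPME (deny host,
!    permit any) with "action drop" would drop everyone except that host.
mac access-list extended BLOCKHOST
 permit host 0000.1111.2222 any
!
vlan access-map STOPME-MAP 10
 match mac address BLOCKHOST
 action drop
vlan access-map STOPME-MAP 20
 action forward
!
vlan filter STOPME-MAP vlan-list 10
```

Whether the VACL catches the host's IP frames on this platform is exactly the point the post leaves open; verify with a test host and "show vlan access-map" / "show vlan filter" before relying on either form.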