09-19-2011 06:19 AM - edited 03-07-2019 02:18 AM
Hello,
I have a real problem understanding how MAC address access-lists work on a Cisco 6500. On lower-end platforms (3560, 3550), I can have something like:
!
mac access-list extended STOPME
deny host 0000.1111.2222 any
permit any any
!
interface fa0/1
switchport mode access
switchport access vlan xx
mac access-group STOPME in
Then whatever connects to the port Fa0/1 with the MAC 0000.1111.2222 cannot connect anywhere, as traffic is filtered at L2.
I would expect this to work on the Cisco 65k, but it seems not to. Cisco announces MAC filtering in the so-called PACL (Port ACL), starting with IOS 12.2 SX, and there is some documentation here:
how to configure PACL with mac access-lists, but then they state the following:
A MAC access list filters ingress packets that are of an unsupported type (not IP, IPv6, ARP, or MPLS packets) based on the fields of the Ethernet datagram. A MAC access list is not applied to IP, IPv6, MPLS, or ARP messages. You can define only named MAC access lists
From this phrase I understand that MAC access-list filtering on L2 ports in the C6500 does not work for, let's say, well-known traffic.
I believe it does not work as we know it from the 3560, 3550 (configured as L2/L3 switches) due to the way packets are processed by the SP / RP on the 65k.
I know that I can do MAC filtering with a VACL, but that's not what I want to discuss here.
Have any of you found any use for mac access-list filtering on the C6500? How, or for what, am I supposed to use it on the C6500?
Please let me know if I have misunderstood something after reading the above posted document, and if indeed mac access-lists work on the C6500 (to filter all traffic including IP).
Thanks!
09-21-2011 10:20 AM
Hi, I was planning to use this feature in a new design, not actually tried it yet though. However, I looked up Protocol Independent MAC ACL filtering on the Cisco Feature Navigator; I need it for a 6500 with a Sup720 running 12.2.33, and apparently it's supported in SXJ IP Base.
This is the description of the feature:
Protocol-independent MAC ACL filtering applies MAC ACLs to all ingress traffic types (for example, IPv4 traffic, IPv6 traffic, and MPLS traffic, in addition to MAC-layer traffic). I think this is the same feature you are talking about.
Andy
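For reference, an added configuration example (not posted by either participant above) showing how the two pieces fit together on a Catalyst 6500: the same MAC ACL as in the original post, applied as a PACL, plus the interface command that turns on protocol-independent MAC ACL filtering so that IP, IPv6 and MPLS frames are also matched. The interface name, VLAN number and MAC address are placeholders, and the `mac packet-classify` command is taken from the 12.2SX PACL documentation rather than from this thread, so verify it against the release notes for your exact image.

```cisco
! Added example, not from the original thread.
! Target: Catalyst 6500, Sup720, 12.2(33)SXJ or later (IP Base), per the reply above.
! Interface, VLAN and MAC address below are assumed placeholder values.
!
mac access-list extended STOPME
 deny   host 0000.1111.2222 any
 permit any any
!
interface GigabitEthernet1/1
 switchport
 switchport mode access
 switchport access vlan 10
 ! Without the next line the PACL matches only frames that are not
 ! IP, IPv6, ARP or MPLS, which is the behaviour the original poster hit.
 ! With it, all ingress frames on this port are classified as Layer 2
 ! and checked against the MAC ACL (protocol-independent MAC ACL filtering).
 mac packet-classify
 mac access-group STOPME in
!
! Verification (assumed show commands, output omitted):
! show mac access-group interface GigabitEthernet1/1
! show access-lists STOPME
```

One caveat to check in the documentation before relying on this: once `mac packet-classify` is enabled, traffic on that port is treated as Layer 2 for classification purposes, so confirm how any IPv4/IPv6 PACLs or IP-based QoS policies on the same port behave before and after enabling it, ideally with a test host whose MAC is in the deny entry and a second host that should still pass.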