Mac access-list not working in Cisco 4500

Unanswered Question
May 22nd, 2006

I am trying to use a deny MAC ACL on the 4500 series switch running Cisco IOS, but the command seems not to be working.

Here is the command,

mac access-list extended ABC

deny host 0001.8052.25FF any

int f4/11

mac access-group ABC in

Is there anything I am missing, or is it a bug?


Prashanth Krishnappa Tue, 05/23/2006 - 04:53
User Badges:
  • Cisco Employee,

What type of traffic are you trying to deny? Mac access-list applies only to non-IP traffic.

PS: Remember to rate useful posts.

sagar.shetty Wed, 05/24/2006 - 21:25
Hi Prashanth,

Thanks for the reply. I have been trying to restrict IP traffic based on a MAC access-list. I have already configured this on a 2950 for allow access and it is working fine. But the same kind of access-list, when put on the 4500, does not seem to be working.

Basically, I want specific mac-address not to connect to the network.


AJAZ NAWAZ Thu, 05/25/2006 - 03:43
User Badges:
  • Silver, 250 points or more

Hello Sagar Shetty,

I just replied to another similar question. I cannot be certain as to why the MAC ACL is not working. It could be a number of reasons, and 'bug' is most definitely one of them.

Anyhow, have you considered using port-based security? If not, take a read from the following URL:



Ajaz Nawaz

Akshay Balaganur Fri, 03/22/2013 - 03:56
User Badges:
  • Events Top Contributors,


On the 4500, the MAC access-list works a little differently than on 29XX and 37XX switches. Unlike 2K and 3K switches, here the ARP traffic is not blocked by default. We have to use the "arp-non-ipv4" suffix.


Dist-1#sh access-lists test1

Extended MAC access list test1

    deny   host 406c.8f58.9380 any protocol-family arp-non-ipv4

    permit any any

Agreed that MAC ACL doesn't block IPv4 traffic, but if we are using the ACL on edge access ports, blocking the ARP will stop the host from initializing and thus stop IPv4 as well.
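A small config check for the point made in the last reply, as an added example that is not part of the thread or of any Cisco tooling: it parses IOS-style config text and reports inbound MAC ACL deny entries that lack "protocol-family arp-non-ipv4", which, per that reply, leave the host's ARP unblocked on the 4500. The sample config is constructed from the two ACLs quoted in the thread; the FastEthernet4/12 port and the function names are assumptions.

```python
import re

# Constructed sample, not from a real device: the two ACLs quoted in the
# thread. FastEthernet4/12 is a hypothetical second port.
SAMPLE_CONFIG = """\
mac access-list extended ABC
 deny host 0001.8052.25FF any
!
mac access-list extended test1
 deny host 406c.8f58.9380 any protocol-family arp-non-ipv4
 permit any any
!
interface FastEthernet4/11
 mac access-group ABC in
!
interface FastEthernet4/12
 mac access-group test1 in
"""

ACL_RE = re.compile(r"^mac access-list extended (\S+)$")
IF_RE = re.compile(r"^interface (\S+)$")
BIND_RE = re.compile(r"^mac access-group (\S+) in$")
ARP_MATCH = "protocol-family arp-non-ipv4"  # suffix named in the reply

def parse(config):
    """Return ({acl_name: [entries]}, [(interface, acl_name)]) from config text."""
    acls, bindings, acl, iface = {}, [], None, None
    for raw in config.splitlines():
        line = " ".join(raw.split())         # collapse runs of spaces
        if not raw.startswith(" "):          # a top-level line ends any sub-mode
            acl = iface = None
            if m := ACL_RE.match(line):
                acl = m.group(1)
                acls[acl] = []
            elif m := IF_RE.match(line):
                iface = m.group(1)
        elif acl and line.startswith(("deny", "permit")):
            acls[acl].append(line)
        elif iface and (m := BIND_RE.match(line)):
            bindings.append((iface, m.group(1)))
    return acls, bindings

def audit(config):
    """List (interface, acl, entry) for bound deny entries without the ARP match."""
    acls, bindings = parse(config)
    return [(iface, name, entry)
            for iface, name in bindings
            for entry in acls.get(name, [])
            if entry.startswith("deny") and ARP_MATCH not in entry]
```

On the sample, audit(SAMPLE_CONFIG) reports only the ABC entry bound to FastEthernet4/11, the form of ACL posted in the question.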



