Mac ACL not working with 2960

sagar.shetty
Level 1

Hi,

I have a 2960 with the LAN Base image. It seems that it allows all the MAC addresses apart from those provided in the MAC ACL.

My idea is to allow only the MAC addresses applied in the ACL. I have other 2950 switches which are working fine with this type of ACL.

Any solutions, if anybody has any?

Regards,

4 Replies

rajinikanth
Level 3

Hi,

Even though the command syntax is the same on the Catalyst 2960 switch and on the Catalyst 2950 switch, the semantics of the IP and the MAC ACL between the two platforms differ. For example, you can apply MAC ACLs for IP packets on the Catalyst 2950 switch, but on the Catalyst 2960 switch:

- You cannot apply MAC ACLs to IP packets.
- You cannot apply any ACLs for IPv6 frames.
- With MAC ACLs, an Ethertype of AppleTalk is not supported.

There might be some config problem. Can you post your configuration, and can you also tell me your IOS type?

Thanks

Raj

Hi,

The IOS I am using is c2960-lanbase-mz.122-25.FX.bin

mac access-list extended Infy6
 permit host 0014.2233.cb70 any
 permit host 0003.6b8b.0e37 any
 permit host 0008.0d7b.7bf2 any
 permit host 0008.0d57.7df2 any

interface FastEthernet0/42
 switchport access vlan 84
 switchport mode access
 dot1x port-control auto
 mac access-group Infy6 in
 spanning-tree portfast
end

Any MAC address connected to this port is able to connect to the network.

Regards

Sagar

Hi,

Your command

mac access-list extended Infy6
 permit host 0014.2233.cb70 any

will block communication with this MAC to any.

Try to use the deny command instead of permit, and at the end use the command

permit any any

For your example it would be

mac access-list extended Infy6
 deny host 0014.2233.cb70 any
 deny host 0003.6b8b.0e37 any
 deny host 0008.0d7b.7bf2 any
 deny host 0008.0d57.7df2 any
 permit any any

HTH,

Please tell me if it works.

Thanks

Raj

cklomp
Level 1

Sagar,

What kind of traffic are you trying to block?

Note the following passage in the Command Reference:

On Layer 2 interfaces, you can filter IP traffic by using IP access lists and non-IP traffic by using MAC access lists. You can filter both IP and non-IP traffic on the same Layer 2 interface by applying both an IP ACL and a MAC ACL to the interface.

Hope this helps, Chris.
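An added example, not part of any reply in this thread: a Python audit that reads a switch configuration and lists the Layer 2 ports where a MAC ACL is the only inbound ACL, which per the Command Reference passage quoted above leaves IP traffic unfiltered. It assumes `show running-config`-style text with indented interface subcommands; the sample config, port Fa0/43 and the ACL name Infy6-IP are constructed for illustration.

```python
import re

# Constructed sample, modelled on the configuration posted in this thread,
# plus hypothetical ports Fa0/43 and Fa0/44 and a hypothetical IP ACL name.
SAMPLE_CONFIG = """\
mac access-list extended Infy6
 permit host 0014.2233.cb70 any
 permit host 0003.6b8b.0e37 any
!
interface FastEthernet0/42
 switchport access vlan 84
 switchport mode access
 mac access-group Infy6 in
 spanning-tree portfast
!
interface FastEthernet0/43
 switchport mode access
 ip access-group Infy6-IP in
 mac access-group Infy6 in
!
interface FastEthernet0/44
 switchport mode access
end
"""

def parse_interfaces(config):
    """Return {interface: {"mac": acl_or_None, "ip": acl_or_None}} for inbound ACLs."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], {"mac": None, "ip": None})
        elif not raw.startswith((" ", "\t")):
            current = None  # any other top-level line ends the interface block
        elif current is not None:
            m = re.match(r"(mac|ip) access-group (\S+) in$", line)
            if m:
                current[m.group(1)] = m.group(2)
    return interfaces

def mac_acl_only_ports(config):
    """Ports where a MAC ACL is the only inbound filter, so IP frames are not filtered."""
    return sorted(name for name, acl in parse_interfaces(config).items()
                  if acl["mac"] and not acl["ip"])

if __name__ == "__main__":
    for port in mac_acl_only_ports(SAMPLE_CONFIG):
        print(f"{port}: MAC ACL without IP ACL; IP traffic is not filtered by it")
```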
