
Correlation Between MAC ACL & IP ACL!

fntowo2009
Level 1

Hello,

In our network, we use MAC ACLs to control access to our network.

We have 2 interconnected distribution switches. HSRP runs on both switches and an IP ACL is activated on the SVIs in the inbound direction.

We found that the IP ACL applied to the SVI on the active gateway (SW1) is bypassed if the following conditions are met:

- The host is directly connected to the active gateway
- A MAC ACL is applied to the port

Below is an excerpt of the relevant configuration for VLAN 200 on SW1.

interface GigabitEthernet0/41
 switchport access vlan 200
 switchport mode access
 mac access-group allowed-MAC-M-WIRELESS in
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root

interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 no ip unreachables
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt

Is the correlation we are seeing normal?

Thanks in advance for your feedback!

Frank

1 Reply

rsimoni
Cisco Employee

Hi Frank,

Please share info about how those ACLs are configured (what they are supposed to do) and what you see instead.

You did not give us enough info to tell whether what you see is expected or not.

Also add info about switch model and IOS used.

Quick note: on Cisco switches, MAC ACLs are meant for non-IP traffic only (i.e. they don't affect IP traffic).

Riccardo
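To check how widespread the combination Frank describes is (an access port carrying an inbound MAC ACL in a VLAN whose SVI also carries an inbound IP ACL), the following script parses an IOS-style running config and lists every such port. This is an added example for this thread, not code from either poster or from Cisco; it assumes the standard `interface` / indented-sub-line layout of `show running-config`, and the sample config is constructed from the excerpt above plus one hypothetical extra port (GigabitEthernet0/42) without a MAC ACL so the difference is visible.

```python
"""Audit an IOS-style config for access ports that carry an inbound MAC ACL
while the SVI of their VLAN carries an inbound IP ACL.

Added example for this thread, not part of the original posts. The config
text below is constructed from Frank's excerpt plus a hypothetical extra
port (GigabitEthernet0/42) that has no MAC ACL.
"""
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/41
 switchport access vlan 200
 switchport mode access
 mac access-group allowed-MAC-M-WIRELESS in
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/42
 switchport access vlan 200
 switchport mode access
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 no ip unreachables
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-config lines]} for each interface stanza."""
    stanzas = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue  # separators and comments
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None and line.startswith(" "):
            stanzas[current].append(line.strip())
        else:
            current = None  # a non-indented line ends the interface section
    return stanzas


def find_double_acl_ports(config):
    """List (port, vlan, mac_acl, ip_acl) for every access port that has an
    inbound MAC ACL while the SVI of its access VLAN has an inbound IP ACL."""
    stanzas = parse_interfaces(config)

    # Pass 1: which SVIs carry an inbound IP ACL (router ACL)?
    svi_ip_acl = {}
    for name, lines in stanzas.items():
        svi = re.fullmatch(r"Vlan(\d+)", name, re.IGNORECASE)
        if not svi:
            continue
        for line in lines:
            acl = re.fullmatch(r"ip access-group (\S+) in", line)
            if acl:
                svi_ip_acl[int(svi.group(1))] = acl.group(1)

    # Pass 2: access ports with an inbound MAC ACL in one of those VLANs.
    findings = []
    for name, lines in stanzas.items():
        if name.lower().startswith("vlan"):
            continue
        vlan = 1  # IOS default access VLAN when none is configured
        mac_acl = None
        for line in lines:
            v = re.fullmatch(r"switchport access vlan (\d+)", line)
            if v:
                vlan = int(v.group(1))
            m = re.fullmatch(r"mac access-group (\S+) in", line)
            if m:
                mac_acl = m.group(1)
        if mac_acl and vlan in svi_ip_acl:
            findings.append((name, vlan, mac_acl, svi_ip_acl[vlan]))
    return findings


if __name__ == "__main__":
    for port, vlan, mac_acl, ip_acl in find_double_acl_ports(SAMPLE_CONFIG):
        print(f"{port}: VLAN {vlan} has MAC ACL '{mac_acl}' on the port "
              f"and IP ACL '{ip_acl}' inbound on the SVI")
```

Run it against a saved `show running-config` (replace `SAMPLE_CONFIG` with the file contents) to enumerate the ports on which to verify the observed behaviour, and, per Riccardo's note, remember that the entries of the MAC ACL itself will not filter the IP traffic that `acl_Vlan_Filter` was meant to handle.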
