New Member

Correlation Between MAC ACL & IP ACL!

Hello,

In our network, we use MAC ACLs to control access to our network.

We have 2 interconnected distribution switches. HSRP runs on both switches and an IP ACL is activated on the SVIs in the inbound direction.

We found that the IP ACL applied to the SVI on the active gateway (SW1) is bypassed if the following conditions are met:

- The host is directly connected to the active gateway
- A MAC ACL is applied to the port

Below is an excerpt of the relevant configuration for VLAN 200 on SW1.

interface GigabitEthernet0/41
 switchport access vlan 200
 switchport mode access
 mac access-group allowed-MAC-M-WIRELESS in
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 no ip unreachables
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt

Is the correlation we are seeing normal?

Thanks in advance for your feedback!

Frank
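As an added example (not code from the thread or from Cisco), the script below parses a running-config excerpt in the form Frank posted and reports, per VLAN, which access ports carry an inbound MAC ACL and whether that VLAN's SVI carries an inbound IP ACL and an HSRP group. It is the kind of inventory one would run across both distribution switches before testing the bypass Frank describes, so the affected port/SVI pairs are known in advance. The sample config is constructed from Frank's excerpt; GigabitEthernet0/42 and Vlan300 are assumed additions used as controls and do not appear in the original post.

```python
"""Correlate MAC ACLs on access ports with IP ACLs on the SVIs of their VLANs.

Added example, not from the thread: it parses a Cisco IOS running-config
excerpt and reports, per VLAN, which access ports carry an inbound MAC ACL
and whether the VLAN's SVI carries an inbound IP ACL and HSRP, i.e. it finds
the port/SVI combination Frank describes. The sample below is constructed
from his excerpt; GigabitEthernet0/42 and Vlan300 are added as controls.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
interface GigabitEthernet0/41
 switchport access vlan 200
 switchport mode access
 mac access-group allowed-MAC-M-WIRELESS in
 no cdp enable
 spanning-tree portfast
 spanning-tree guard root
!
interface GigabitEthernet0/42
 switchport access vlan 200
 switchport mode access
!
interface Vlan200
 ip address 192.168.2.2 255.255.255.0
 ip access-group acl_Vlan_Filter in
 no ip unreachables
 standby 2 ip 192.168.2.1
 standby 2 priority 200
 standby 2 preempt
!
interface Vlan300
 ip address 192.168.3.2 255.255.255.0
"""


def parse_interfaces(config: str) -> dict[str, list[str]]:
    """Return {interface name: [sub-commands]} from running-config text.

    IOS indents sub-commands by one space and separates blocks with "!";
    any un-indented line or "!" therefore ends the current block.
    """
    blocks: dict[str, list[str]] = {}
    current: str | None = None
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            current = None
            continue
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            blocks[current] = []
        elif raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


@dataclass
class VlanView:
    vlan: int
    svi_ip_acl_in: str | None = None                            # IP ACL applied inbound on the SVI
    hsrp_groups: list[int] = field(default_factory=list)        # HSRP groups configured on the SVI
    mac_acl_ports: dict[str, str] = field(default_factory=dict)  # access port -> inbound MAC ACL
    plain_ports: list[str] = field(default_factory=list)        # access ports without a MAC ACL


def audit(config: str) -> dict[int, VlanView]:
    """Group access ports and SVIs by VLAN number."""
    views: dict[int, VlanView] = {}

    def view(vlan: int) -> VlanView:
        return views.setdefault(vlan, VlanView(vlan))

    for name, cmds in parse_interfaces(config).items():
        svi = re.fullmatch(r"Vlan(\d+)", name)
        if svi:
            v = view(int(svi.group(1)))
            for cmd in cmds:
                if m := re.fullmatch(r"ip access-group (\S+) in", cmd):
                    v.svi_ip_acl_in = m.group(1)
                elif m := re.fullmatch(r"standby (\d+) ip \S+", cmd):
                    v.hsrp_groups.append(int(m.group(1)))
            continue
        vlan = mac_acl = None
        for cmd in cmds:
            if m := re.fullmatch(r"switchport access vlan (\d+)", cmd):
                vlan = int(m.group(1))
            elif m := re.fullmatch(r"mac access-group (\S+) in", cmd):
                mac_acl = m.group(1)
        if vlan is None:  # not an access port (trunk, routed port, ...)
            continue
        if mac_acl:
            view(vlan).mac_acl_ports[name] = mac_acl
        else:
            view(vlan).plain_ports.append(name)
    return views


def flagged_ports(config: str) -> list[tuple[str, int, str, str]]:
    """Ports matching Frank's condition: a MAC ACL on the port and an inbound
    IP ACL on the SVI of the same VLAN. Returns (port, vlan, mac_acl, ip_acl)."""
    hits = []
    for v in sorted(audit(config).values(), key=lambda x: x.vlan):
        if v.svi_ip_acl_in is None:
            continue
        for port, mac_acl in sorted(v.mac_acl_ports.items()):
            hits.append((port, v.vlan, mac_acl, v.svi_ip_acl_in))
    return hits


if __name__ == "__main__":
    for v in audit(SAMPLE_CONFIG).values():
        print(f"VLAN {v.vlan}: SVI IP ACL in={v.svi_ip_acl_in}, HSRP groups={v.hsrp_groups}, "
              f"MAC-ACL ports={v.mac_acl_ports}, other access ports={v.plain_ports}")
    for port, vlan, mac_acl, ip_acl in flagged_ports(SAMPLE_CONFIG):
        print(f"check: {port} (VLAN {vlan}) has MAC ACL {mac_acl}; SVI has IP ACL {ip_acl} in")
```

Run it against `show running-config` output from each distribution switch; a flagged port is one where a directly connected host can be tested against the SVI ACL. The script only finds where the two ACL types co-occur; whether the switch's IP ACL is actually skipped for those hosts still has to be confirmed on the switch itself with `show ip access-lists` hit counters while generating traffic.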

1 REPLY
Cisco Employee


Hi Frank,

Please share info about how those ACLs are configured (what they are supposed to do) and what you see instead.

You did not give us enough info to tell whether what you see is expected or not.

Also add info about switch model and IOS used.

Quick note: on Cisco switches, MAC ACLs are meant for non-IP traffic only (i.e. they don't affect IP traffic).

Riccardo
