
MAC Access-list extended to only allow Gateway traffic

I have the following scenario:

We have a gateway on a 4503, say on port 2/1, and we only want the other devices that are plugged into the 4503 to be able to talk to the gateway and that's it. The other devices are Motorola TUT DSL devices and they plug into the 4503 directly.

Normally "switchport protected" would make this very easy to keep stuff on one port from talking to other ports, but with 4500s you are not able to do that command. So we implemented a MAC Access-List Extended ACL. Here is what we did:

mac access-list extended BLAH
 permit host 0000.XXXX.YYYY any

interface range fa 2/5 - 20
 mac access-group BLAH out

The MAC address 0000.XXXX.YYYY is the MAC address of the gateway that is plugged into Fa2/1, and the DSL TUT devices are plugged into ports Fa2/5-20. We would think that this config would only allow devices on the TUT DSL to talk to the gateway, but we don't really think this is happening. The TUT devices are learning about MAC addresses that are on other TUT devices. Are we missing something here?



If you're applying a Port ACL to a L2 port then it can only be applied inbound, and a MAC ACL will only filter non-IP traffic.

I think you should either do a VACL with the mac access-list you configured, or configure PVLAN, putting the port to the gateway as promiscuous and the other ports where your devices are connected as isolated ports. You'll also have to put your switch into VTP transparent mode to support this feature.

Here is a link for PVLAN:

And another one for VACL:



Don't forget to rate helpful posts.
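The private-VLAN layout the reply recommends, written out as an added example; this is not configuration from the original poster, from the reply, or from Cisco's documentation. The VLAN IDs (primary 200, isolated 201) are assumptions; the port numbers (gateway on Fa2/1, TUT devices on Fa2/5-20) are taken from the question.

```cisco
! Added example, not from the original post. VLAN IDs 200 and 201 are assumed.
! Private VLANs require the switch to be in VTP transparent mode.
vtp mode transparent
!
! Isolated secondary VLAN: hosts in it can reach only promiscuous ports,
! never each other.
vlan 201
 private-vlan isolated
!
! Primary VLAN, associated with the isolated secondary VLAN.
vlan 200
 private-vlan primary
 private-vlan association 201
!
! Gateway port: promiscuous, so it can talk to every host in the isolated VLAN.
interface FastEthernet2/1
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 200 201
!
! TUT DSL ports: isolated host ports, so each can talk only to the gateway.
interface range FastEthernet2/5 - 20
 switchport mode private-vlan host
 switchport private-vlan host-association 200 201
```

Check the result with `show vlan private-vlan` (the primary/secondary association and the member ports should be listed) and `show interfaces FastEthernet2/5 switchport` (operational mode should read private-vlan host). Once the isolated ports are in place, the symptom in the question, TUT devices learning each other's MAC addresses, should stop, because the switch no longer forwards frames between isolated ports of the same secondary VLAN.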