MAC Access-List

Eduardo Corzo
Level 1

Hello friends, I write these lines because of an issue with a MAC ACL. I have a Cisco 6513 and I want to configure a simple MAC ACL to permit the traffic between a virtual machine (VM) and a rackable server (RS) and block the traffic between my network and RS. So, these are the parameters:

VM: connected to Cisco 6513 in 4/15 - mac add a.b.c.d - ip add 10.0.0.1/16

RS: connected to Cisco 6513 in 6/48 - mac add w.x.y.z - ip add 10.0.0.2/16

My Computer: connected to an access switch - mac j.k.l.m - ip add 172.0.10.3/16

Then, I configure this:

6513(config)#mac access-list extended Test

6513(config-ext-macl)#permit host a.b.c.d host w.x.y.z

6513(config-ext-macl)#deny any any

6513(config)#int Gi6/48

6513(config-if)#mac access-group Test in

Once the configuration was finished, I tried to ping from my computer and got replies! Well, I thought it was because the equipment was in different modules, and I changed the RS from 6/48 to 4/38, but my ACL didn't work.

Any ideas of what I can do? Or maybe my ACL is incorrect, or I might need to use something special on the Cisco 6513 in order to make the ACL work.

Thanks a lot for your answers!

P.S.: I must say that I tried the same scenario on my test access switch (Cisco 3560) and the ACL works perfectly.

2 Replies

cadet alain
VIP Alumni

Hi,

I wonder how you made it work on the 3560 because MAC ACL can only filter some non-IPv4 traffic but not IPv4 traffic.

Regards

Alain

Don't forget to rate helpful posts.

Uhm... well, actually that's a good question, haha.

When I add the MAC ACL on the interface where the RS is installed (on the 3560) I can't ping the RS from the network, just from the VM. On the other hand, when I put "no mac access-group" on the interface, the ping works perfectly from the network (and, of course, from the VM).

There's no other ACL on the 3560 or anything like that. I assume this happens because the MAC ACL views the bytes from Ethernet and takes the MAC when it de-encapsulates the packet; that's why it doesn't matter what kind of IP packet I send, I've never been able to reach RS because of the MAC ACL.

As I said, it's the same scenario but in the access layer.
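For readers arriving at this thread with the same goal (let only the VM talk to the RS, and keep the rest of the network away from it), the following is an added configuration example and not something posted by either participant. Because a MAC ACL on the Catalyst 6500 classifies only non-IP frames by default, the filtering the original poster wanted is expressed here as an IP extended ACL instead, using the addresses given in the first post; the ACL name "VM-to-RS-only" is an assumption, as is applying it inbound on the RS port so that the RS can only ever exchange IP packets with the VM.

```ios
! Added example: IPv4 ACL equivalent of the intended MAC ACL (not from the thread)
! VM = 10.0.0.1, RS = 10.0.0.2, everything else (e.g. 172.0.10.0/16) is denied
ip access-list extended VM-to-RS-only
 permit ip host 10.0.0.2 host 10.0.0.1
 deny   ip any any log
!
! Inbound on the RS port: filters frames the RS sends into the switch,
! so replies to anyone other than the VM are dropped and pings from the
! rest of the network fail, matching the behaviour seen on the 3560.
interface GigabitEthernet6/48
 ip access-group VM-to-RS-only in
!
! Optional: also stop unsolicited traffic from reaching the RS at all by
! applying the mirror-image ACL outbound on the same port.
ip access-list extended only-VM-to-RS
 permit ip host 10.0.0.1 host 10.0.0.2
 deny   ip any any log
!
interface GigabitEthernet6/48
 ip access-group only-VM-to-RS out
!
! Verification: hit counters should climb on the deny line when a host
! other than the VM pings the RS.
! show ip access-lists VM-to-RS-only
```

The `log` keyword on the deny lines is there so that blocked attempts show up in the switch log and the counters from `show ip access-lists` can be checked during testing; it adds CPU load, so it is normally removed once the filtering is confirmed. Note that the original MAC ACL in the thread is not wrong as a MAC ACL; it simply never sees IPv4 traffic on the 6513 unless the platform is explicitly told to classify IP packets by MAC, which is why the 3560 result did not carry over.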
