Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MAC Access-List

Hello friends, I write these lines because an issue with mac acl. I have a Cisco 6513 and I want to configure a simple mac acl to permit the traffic between a virtual machine (VM) and a rackeable server (RS) and block the traffic between my network and RS. So, this is the parameters:

VM: connected to Cisco 6513 in 4/15 - mac add a.b.c.d - ip add

RS: connected to Cisco 6513 in 6/48 - mac add w.x.y.z - ip add

My Computer: connected to an access switch - mac j.k.l.m - ip add

Then, I configure this:

6513(config)#mac access-list extended Test

6513(config-ext-macl)#permit host a.b.c.d host w.x.y.z

6513(config-ext-macl)#deny any any

6513(config)#int Gi6/48

6513(config-if)#mac access-group Test in

Once the configuration was finished, I tried to ping from my computer and got replies! Well, I though it was because the equipments were in differents modules, and I changed the RS from 6/48 to 4/38, but my acl didn't work.

Any ideas of what can I do? or maybe my acl is incorrect, or I migh use something special on Cisco 6513 in order to make the acl work.

Thanks a lot for your answers!

P.D.: I must said that I tried the same scenario on my test access switch (Cisco 3560) and the acl work perfectly


MAC Access-List


I wonder how you made it work on the 3560 because MAC ACL can only filter some non-IPv4 traffic but not IPv4 traffic.



Don't forget to rate helpful posts.

Don't forget to rate helpful posts.
New Member

MAC Access-List

Uhm..well actually that's a good question, haha

When I add the mac acl on the interface where the RS is installed (on the 3560) I can't ping the RS from the network, just from the VM. In the other hand, when I put "no mac access-list" on the interface, the ping work perfectly from the network (and, of course, from the VM).

There's not other acl on the 3560 or some like that, I assume this happens because the mac acl views the bytes from ethernet and takes the mac when des-encapsulates the packet, that's why doesn't matter what kind of IP packet I send, I've never been able to reach RS beacuse of the mac acl.

How I said, it's the same scenario but in access layer

CreatePlease login to create content