Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
734
Views
0
Helpful
1
Replies

MAC ACL doesn't work on 4507

rzotz
Level 1
Level 1

‎04-29-2008 01:21 PM - edited ‎03-05-2019 10:41 PM

Greetings, all. I am attempting to spin a special QoS configuration in our 4507's for a non-Cisco IP phone, specifically the Aspect TeleSet3. They work well, but...

This phone has a PC port and does 802.1q tagging, but naturally does not use CDP, so the trusted boundary functions provided by "qos trust device cisco-phone" will not apply. The Aspect phones must coexist with Cisco phones on the same switch and VLAN, so I have decided to attack this at the port level.

My idea? By applying a policy map with a MAC ACL on the switch port, the MAC from the phone will be matched and its packets trusted, while MAC from the PC will not be matched, and its packets marked down to 0.

The problem? The MAC ACL doesn't match packets, even when the permit statement has a full host MAC address. Sniffer captures, "show policy-map", and "show access-list" confirm this. The service policy works, however, because all the packets are marked down to 0.

Here's a config extract:

!----------------------------------------

!

mac access-list extended QOS-ASPECT

permit 0090.f300.0000 0000.00ff.ffff any

!

class-map match-any QOS-ASPECT

match access-group name QOS-ASPECT

!

policy-map QOS-ASPECT

description : ASPECT INPUT POLICY

class QOS-ASPECT

trust cos

class-default

set dscp default

!

!----------------------------------------

!

policy-map QOS-ACCESS

description : ACCESS OUTPUT POLICY

class class-default

dbl

!

!----------------------------------------

!

interface [slot/port]

description : ACCESS PORT

switchport mode access

switchport access vlan [data_VLAN]

switchport voice vlan [voice_VLAN]

qos trust cos

tx-queue 3

priority high

shape percent 33

service-policy output QOS-ACCESS

service-policy input QOS-ASPECT

!

!----------------------------------------

Ideas? Call TAC? (ARGH).

Thanks,

Rick -Z-

Labels:
0 Helpful
1 Reply 1

tstanik
Level 5
Level 5

‎05-06-2008 05:36 AM

You can filter non-IP traffic on a physical Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs. But, Named MAC extended ACLs cannot be applied to Layer 3 interfaces.For more information about the supported non-IP protocols in the mac access-list extended command, refer to the command reference for this release.

Refer the below URL for the ACL on 4500 series :

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/secure.html

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card