Cisco Support Community
Community Member

MAC ACL match in VACL -3560G

Hello gang. I'm trying to filter traffic using a VACL that has a MAC access-list used as the definition. We have some traffic being sourced from 00:00:00:00:00:00 that I need to block.

mac access-list extended ALLPERMITL2
 permit any any
mac access-list extended BADL2
 permit host 0000.0000.0000 any
!
vlan access-map L2MAP 20
 match mac address BADL2
 action drop
vlan access-map L2MAP 30
 match mac address ALLPERMITL2
 action forward
!
vlan filter L2MAP vlan-list 61

My concern is that I don't think I am implementing this correctly, because when I do the following:

#show vlan access-log statistics
VACL Logging Statistics:
        total packets          0
        logged                 0
        dropped                0
        buffered               0
Dropped Packets Statistics:
        no packet buffer       0
        hash queue full        0
        flow table full        0
Misc Information:
        free packet buffers    :8192
        log messages sent     0
        flow table size        0

I don't see anything incrementing. I would think that I would at least see something in "total packets" for the stuff that is getting allowed through?

Hall of Fame Super Blue

MAC ACL match in VACL -3560G


Not all platforms display the actual statistics for that command, so I wouldn't assume it is not working. It's a bit like when you implement PBR on a hardware switch and the ACL counters don't increment, so the only way of knowing whether it is actually working is to do a traceroute to see the path it takes.

I'm not definitely saying your platform doesn't display it, but is there a way you can test it, perhaps temporarily dropping your own MAC address in the MAC address ACL to see if:

1) it actually is working
2) whether you see any increase in the counters


Community Member

MAC ACL match in VACL -3560G

There must be something wrong with my logic above.  I replaced the black acl with a known mac of a device and I can still pass traffic to it all day.    I would at least think that if I did a show access-list that I would be able to see hits for my any any.

Perhaps a MAC ACL in combination with a VACL just isn't supported on these lower switches?

Hall of Fame Super Blue

MAC ACL match in VACL -3560G


My apologies, it's late here and it's been a long day. The 3560, as well as a few other switches (2960, 3750), only supports filtering on MAC addresses in VACLs for non-IPv4 traffic.

So you won't be able to test by just blocking your mac address and then trying to ping for example because it won't block that.

But it should block ARP packets. So if you reboot your laptop, it should have to ARP out for its default gateway, and that should be blocked.


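An added example, not part of this thread and not Cisco's code: a small Python helper that parses two captures of `show vlan access-log statistics`, taken before and after the ARP test suggested above, and reports which counters moved. Both captures are constructed for the example; the "after" values are made up to show what a counted drop would look like. Keep in mind the caveat from the reply above: some platforms do not populate these counters for MAC-ACL matches, so an unchanged counter is not proof that the VACL is idle, and whether the laptop's ARP actually fails is the real test.

```python
"""Diff two `show vlan access-log statistics` captures and report counters that changed.

Usage: capture the command output before and after a test (e.g. the ARP test
from the reply above), then feed both strings to counter_deltas()."""
import re
from typing import Dict

# Constructed capture, laid out like the output posted in the question.
BEFORE = """\
VACL Logging Statistics:
        total packets          0
        logged                 0
        dropped                0
        buffered               0
Dropped Packets Statistics:
        no packet buffer       0
        hash queue full        0
        flow table full        0
Misc Information:
        free packet buffers    :8192
        log messages sent     0
        flow table size        0
"""

# Constructed capture with invented values showing three frames dropped by the map.
AFTER = """\
VACL Logging Statistics:
        total packets          3
        logged                 0
        dropped                3
        buffered               0
Dropped Packets Statistics:
        no packet buffer       0
        hash queue full        0
        flow table full        0
Misc Information:
        free packet buffers    :8192
        log messages sent     0
        flow table size        0
"""

# A section header is a non-indented line ending in a colon.
SECTION_RE = re.compile(r"^(\S.*):\s*$")
# A counter is an indented name, whitespace, an optional stray colon
# (as in "free packet buffers    :8192"), then the integer value.
COUNTER_RE = re.compile(r"^\s+([a-z ]+?)\s+:?(\d+)\s*$")


def parse_stats(text: str) -> Dict[str, Dict[str, int]]:
    """Return {section: {counter name: value}} for one capture."""
    sections: Dict[str, Dict[str, int]] = {}
    current = None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = {}
            continue
        counter = COUNTER_RE.match(line)
        if counter and current is not None:
            sections[current][counter.group(1).strip()] = int(counter.group(2))
    return sections


def counter_deltas(before: Dict[str, Dict[str, int]],
                   after: Dict[str, Dict[str, int]]) -> Dict[str, int]:
    """Return {"section/counter": change} for every counter whose value moved."""
    deltas: Dict[str, int] = {}
    for section, counters in after.items():
        for name, value in counters.items():
            old = before.get(section, {}).get(name, 0)
            if value != old:
                deltas[f"{section}/{name}"] = value - old
    return deltas


def vacl_drop_observed(before_text: str, after_text: str) -> bool:
    """True when the 'dropped' counter under VACL Logging Statistics increased."""
    deltas = counter_deltas(parse_stats(before_text), parse_stats(after_text))
    return deltas.get("VACL Logging Statistics/dropped", 0) > 0


if __name__ == "__main__":
    for key, change in counter_deltas(parse_stats(BEFORE), parse_stats(AFTER)).items():
        print(f"{key}: {change:+d}")
    print("drop counted by VACL:", vacl_drop_observed(BEFORE, AFTER))
```

If the ARP from the rebooted laptop is blocked but `vacl_drop_observed` still reports False, the platform is simply not counting MAC-ACL drops in this output, which is the situation the reply above describes.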
Community Member

Re: MAC ACL match in VACL -3560G

Thanks for reply. I will give it a try and see how far I get. That is very frustrating because all settings and commands in cli help make it seem that this is possible. Do you know any documentation or links that discuss these limitations further?


MAC ACL match in VACL -3560G

From the Cisco configuration guide:

Creating Named MAC Extended ACLs

You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.

Note: You cannot apply named MAC extended ACLs to Layer 3 interfaces.

For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.

Some more information here:

Daniel Dib
CCIE #37149

Please rate helpful posts.
