Cisco Support Community

New Member

mac acl

Dear all,

I'm encompassed with doubt.

There are 2 switches: the 3550 is a layer 2 switch, the 3560 is a layer 3 switch, and PC-1 and PC-2 are connected to the 3550.

When I applied a MAC ACL on f0/28 of the 3550, which is connected to PC-1, I found it didn't work.

mac access-list extended test

deny host abcd.abcd.abcd host 1234.1234.1234

permit any any

PC-1: abcd.abcd.abcd

PC-2: 1234.1234.1234

I pinged PC-2 from PC-1, and PC-2 replied.

But when I cleared the ARP entry for PC-2 on the 3560, the ping was interrupted. It seemed the MAC ACL started to work.

Why did this happen? Please help me.

Thanks.

Wandering

4 REPLIES
Cisco Employee

Re: mac acl (accepted solution)

Hello Wandering,

The reason is that on Catalyst 3550 series switches, the MAC ACL applies only to non-IP traffic. While I cannot fully explain what happened to your network as you are stating that you have cleared the ARP entry on the 3560 switch which appears somewhat strange to me, my first hint is that the MAC ACL did not prevent the IP packets from flowing through the port fa0/28 on your 3550. However, it did prevent non-IP traffic, such as ARP communication, from passing through that port. I suspect that in the meantime, while you were doing other experiments, the MAC address of PC1 has simply expired on PC2 from its ARP cache. After the PC2 sent the ARP Request, the PC1 tried to answer by sending the ARP Response but the MAC ACL blocked it. That is why the PCs could not communicate - not because all frames were dropped from PC1 but rather because the PC2 was unable to resolve the PC1's MAC address.

Note that on different Catalyst platforms, the MAC ACLs behave differently. On 2950, for example, they apply to any traffic. The 3550 uses MAC ACLs to filter only non-IP traffic. On 2960 and 3560, the manual also says that they apply only to non-IP traffic but they also allow you to specify the EtherType. I do not know right now what would happen if you had a MAC ACL in place that would match on the Ethertype 0x0800 (the IP).

Perhaps this helps a bit. If in doubt, refer to the Command Reference for your particular IOS version.

Best regards,

Peter
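As an added example (not code from the thread, from Peter, or from Cisco), the following Python model walks through the mechanism described in the reply above: the ACL from the question is parsed, each frame PC-1 sends into f0/28 is checked the way the ingress ACL would check it, and a ping is simulated at three points in time while the two PCs' ARP cache entries age out. The platform behaviour is an assumption taken from the reply (a 3550 MAC ACL is consulted only for non-IP frames, a 2950 MAC ACL for every frame); the MACs are the ones from the post, the frames are constructed, and the 60-second ARP timeout is a made-up value for the demonstration. It goes slightly beyond the post by also running the same scenario as if the port were on a 2950.

```python
"""Added model of a Catalyst 3550 ingress MAC ACL versus ARP caching (not code from the
thread or Cisco). Assumed, per the reply above: a 3550 MAC ACL sees only non-IP frames, a
2950 MAC ACL sees every frame. MACs, frames and timings are constructed for the demo."""
from __future__ import annotations
import struct
from dataclasses import dataclass

ETHERTYPE_IP, ETHERTYPE_ARP, ETHERTYPE_VLAN = 0x0800, 0x0806, 0x8100
BROADCAST = b"\xff" * 6
MAC_ACL_TEXT = """
mac access-list extended test
 deny host abcd.abcd.abcd host 1234.1234.1234
 permit any any
"""  # the ACL exactly as posted in the question


def mac_bytes(dotted: str) -> bytes:
    """Cisco 'abcd.abcd.abcd' notation -> 6 raw bytes."""
    return bytes.fromhex(dotted.replace(".", ""))


@dataclass(frozen=True)
class Ace:
    permit: bool
    src: bytes | None  # None means 'any'
    dst: bytes | None


def parse_mac_acl(text: str) -> list[Ace]:
    """Parse 'deny host X host Y' / 'permit any any' entries; the header line is skipped."""
    aces = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] not in ("permit", "deny"):
            continue  # 'mac access-list extended <name>' or a blank line
        addrs, i = [], 1
        while i < len(tok):
            if tok[i] == "any":
                addrs.append(None)
                i += 1
            elif tok[i] == "host" and i + 1 < len(tok):
                addrs.append(mac_bytes(tok[i + 1]))
                i += 2
            else:
                raise ValueError(f"unsupported token {tok[i]!r} in {line!r}")
        if len(addrs) != 2:
            raise ValueError(f"need a source and a destination in {line!r}")
        aces.append(Ace(tok[0] == "permit", addrs[0], addrs[1]))
    return aces


def build_frame(dst: bytes, src: bytes, ethertype: int) -> bytes:
    """Ethernet II header only; payload and FCS do not affect the ACL decision."""
    return dst + src + struct.pack("!H", ethertype)


def parse_frame(frame: bytes) -> tuple[bytes, bytes, int]:
    """Return (dst, src, ethertype), looking through one 802.1Q tag if present."""
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        (ethertype,) = struct.unpack("!H", frame[16:18])
    return frame[0:6], frame[6:12], ethertype


def ingress_forwards(frame: bytes, acl: list[Ace], platform: str) -> bool:
    """Would a port with 'mac access-group <acl> in' forward this frame?"""
    dst, src, ethertype = parse_frame(frame)
    if platform == "3550" and ethertype == ETHERTYPE_IP:
        return True  # assumed: IP frames never reach a 3550 MAC ACL
    for ace in acl:
        if (ace.src is None or ace.src == src) and (ace.dst is None or ace.dst == dst):
            return ace.permit
    return False  # implicit deny at the end of every ACL


def ping(t: float, pc1_arp: dict, pc2_arp: dict, acl: list[Ace], platform: str, ttl: float) -> str:
    """PC-1 pings PC-2 at time t. The ACL is inbound on the 3550 port facing PC-1, so only
    frames sent by PC-1 are tested. The caches map peer MAC -> entry expiry time."""
    pc1, pc2 = mac_bytes("abcd.abcd.abcd"), mac_bytes("1234.1234.1234")
    if pc1_arp.get(pc2, 0.0) <= t:  # PC-1 resolves PC-2 with a broadcast the deny ACE cannot match
        if not ingress_forwards(build_frame(BROADCAST, pc1, ETHERTYPE_ARP), acl, platform):
            return "fail: PC-1 ARP request dropped"
        pc1_arp[pc2] = t + ttl
    if not ingress_forwards(build_frame(pc2, pc1, ETHERTYPE_IP), acl, platform):
        return "fail: echo request dropped"
    # PC-2 resolves PC-1: its own broadcast enters an unfiltered port, but PC-1's unicast
    # ARP reply (PC-1 -> PC-2) is exactly the frame the deny ACE matches.
    if pc2_arp.get(pc1, 0.0) <= t:
        if not ingress_forwards(build_frame(pc2, pc1, ETHERTYPE_ARP), acl, platform):
            return "fail: PC-1 ARP reply dropped, PC-2 cannot resolve PC-1"
        pc2_arp[pc1] = t + ttl
    return "ok"


def run_scenario(platform: str, ttl: float = 60.0) -> list[str]:
    """Ping at t=0 and t=30 (both ARP caches warm) and at t=90 (both entries expired)."""
    acl = parse_mac_acl(MAC_ACL_TEXT)
    pc1, pc2 = mac_bytes("abcd.abcd.abcd"), mac_bytes("1234.1234.1234")
    pc1_arp, pc2_arp = {pc2: ttl}, {pc1: ttl}  # resolved before the ACL went on, as in the post
    return [ping(t, pc1_arp, pc2_arp, acl, platform, ttl) for t in (0.0, 30.0, 90.0)]
```

run_scenario("3550") returns "ok", "ok" and then the ARP-reply failure, which is the behaviour reported in the question; run_scenario("2950") drops the echo request on every attempt because that platform applies the MAC ACL to IP frames too. The asymmetry is the point: PC-1's own ARP request is a broadcast that the deny entry never matches, so PC-1 can always resolve PC-2, while PC-1's unicast ARP reply to PC-2 is exactly the frame the entry denies, so PC-2 loses the ability to resolve PC-1 as soon as its cache entry ages out.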

New Member

Re: mac acl

Hi Peter,

Thank you very much, I totally agree with you.

Yes, the MAC ACL only blocks the ARP traffic; that's enough, although we can configure a static ARP pair on the PCs to bypass this setting.

There are still some doubts, such as why clearing ARP on the core can affect layer 2 communication, and so on...

Thanks a lot.

Wandering

Cisco Employee

Re: mac acl (accepted solution)

Hello Wandering,

You are welcome. In my opinion, clearing the ARP cache on the core switch did not affect anything in your case. It probably just coincided with the flushing of ARP cache on PC2 - they just happened to occur simultaneously. Give it another try :)

Best regards,

Peter

New Member

Re: mac acl

Hi Peter,

You are right, and I can't reproduce the issue again.

The MAC ACL starts working after clearing the ARP cache on PC-2.

Thanks

Wandering
