Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Mac address access-lists filtering on Cisco 6500


I have a real problem understanding how mac address access-lists are working on a Cisco 6500. On lower end platforms (3560, 3550), I can have something like:


mac access-list extended STOPME

deny host 0000.1111.2222 any

permit any any


interface fa0/1

switchport mode access

switchport access vlan xx

mac access-group STOPME in

Then whatever connect to the port Fa0/1 with the mac 0000.1111.2222 cannot connect anywhere as traffic is filtered at L2.

I would expect that this stuff works on Cisco 65k, but it seems not. Cisco announce the mac filtering in so called PACL (Port ACL), on starting with IOS 12.2 SX and there is some documentation here:

how to configure PACL with mac acccess-lists, but then they state the following:

A MAC access list filters ingress packets that are of an unsupported type (not IP, IPv6, ARP, or MPLS packets) based on the fields of the Ethernet datagram. A MAC access list is not applied to IP, IPv6, MPLS, or ARP messages. You can define only named MAC access lists

From this phrase I understand that mac access-list filtering on L2 ports in C6500 is not working for, let's say, well-known traffic.

I believe it's not working as we know it from 3560, 3550 (configured as L2/L3 switches) due to the ways packets are processed by SP / RP on 65k.

I know that I can do mac filtering with VACL, but that's not what I want to discuss here

Any of you found any utility to mac access-lists filtering on C6500? How or for what I suppose to use it on C6500?

Please let me know if I have misunderstood something after reading the above posted document and if indeed mac access-list is working on C6500 (to filer all traffic including IP).


Everyone's tags (6)

Mac address access-lists filtering on Cisco 6500

Hi, I was planning to use this feature in a new design, not actually tried it yet though. However I looked up Protocol Independent MAC ACL filtering on the Cisco feature navigator, I need it for a 6500 with sup720 running 12.2.33, apparently its supported in SXJ ipbase.

This is the description of the feature:

Protocol-independent MAC ACL filtering applies MAC ACLs to all ingress  traffic types (for example, IPv4 traffic, IPv6 traffic, and MPLS traffic, in  addition to MAC-layer traffic). I think this is the same feature you are talking about.


CreatePlease to create content