
MAC Extended ACL

I have HSRP running in my core between 2 routers and a switch connected to both. From my switch, I have VLANs going to end switches. I am seeing the HSRP broadcast going out all ports (as it should). I want to deny this traffic from going out to the end point switches.

I have configured a MAC Extended ACL and applied it to the ports; I say ports as first I applied at the core switch and still saw the MAC at the end switch, then I applied to the end switch and still see the MAC. What am I doing wrong? Am I missing something?

Any help would be greatly appreciated!

Tracey

Configs:

SwitchVlan12

mac access-list extended Limit-HSRP
deny   host 0000.0c07.ac0a any
permit any any

interface GigabitEthernet0/1
switchport mode trunk
mac access-group Limit-HSRP in

SwitchVlan12#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0000.0c07.ac32    DYNAMIC     Gi0/1
  50    70ca.9b15.bfda    DYNAMIC     Gi0/1
  50    a44c.112f.3503    DYNAMIC     Gi0/1
  10    0000.0c07.ac0a    DYNAMIC     Gi0/1
  10    70ca.9b15.bfda    DYNAMIC     Gi0/1
  11    0000.0c07.ac0b    DYNAMIC     Gi0/1
  11    70ca.9b15.bfda    DYNAMIC     Gi0/1
  12    0000.0c07.ac00    DYNAMIC     Gi0/1
  12    70ca.9b15.bfda    DYNAMIC     Gi0/1
  13    0000.0c07.ac0d    DYNAMIC     Gi0/1
  13    70ca.9b15.bfda    DYNAMIC     Gi0/1

Switch1

mac access-list extended Limit-HSRP
deny   host 0000.0c07.ac0a any
permit any any

interface GigabitEthernet1/0/3
description connection to GCSSwVlan12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-31,50,80,100,200
switchport mode trunk
mac access-group Limit-HSRP in

Sw1#sh mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/23
  10    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  10    70ca.9b15.bfda    DYNAMIC     Gi1/0/24
  11    0000.0c07.ac0b    DYNAMIC     Gi1/0/23
  11    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  11    70ca.9b15.bfda    DYNAMIC     Gi1/0/24
  12    0000.0c07.ac00    DYNAMIC     Gi1/0/23
  12    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  12    70ca.9b15.bfda    DYNAMIC     Gi1/0/24
  13    0000.0c07.ac0d    DYNAMIC     Gi1/0/23
  13    68bc.0cba.6909    DYNAMIC     Gi1/0/3
  13    70ca.9b15.bfda    DYNAMIC     Gi1/0/24

1 REPLY

MAC Extended ACL

I made the following changes and still get the same results!  What am I doing wrong????


Switch1
mac access-list extended Limit-HSRP
deny   any host 0000.0c07.ac0a
permit any any

interface GigabitEthernet1/0/3
description connection to GCSSwVlan12
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 10-31,50,80,100,200
switchport mode trunk
mac access-group Limit-HSRP in

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/23
Total Mac Addresses for this criterion: 1

SwitchVlan12
mac access-list extended Limit-HSRP
deny   any host 0000.0c07.ac0a
permit any any

interface GigabitEthernet0/1
switchport mode trunk
mac access-group Limit-HSRP in

          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 1
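
An added check, not part of the original posts: a Python script that parses `show mac address-table` output like the tables above, decodes HSRP version 1 virtual MACs (0000.0c07.acXX, where XX is the group number in hex), and lists the ones that no `deny` entry of the MAC ACL names. The function names are illustrative, and the sample input is a trimmed copy of the SwitchVlan12 table and ACL from the first post.

```python
import re

# HSRP version 1 virtual MAC: 0000.0c07.acXX, XX = group number in hex.
HSRP_V1 = re.compile(r"^0000\.0c07\.ac([0-9a-f]{2})$", re.I)
# One data row of "show mac address-table": vlan, mac, type, port.
ROW = re.compile(r"^\s*(\d+)\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

# Sample input: rows trimmed from the SwitchVlan12 output in the first post.
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  50    0000.0c07.ac32    DYNAMIC     Gi0/1
  50    70ca.9b15.bfda    DYNAMIC     Gi0/1
  10    0000.0c07.ac0a    DYNAMIC     Gi0/1
  11    0000.0c07.ac0b    DYNAMIC     Gi0/1
  12    0000.0c07.ac00    DYNAMIC     Gi0/1
  13    0000.0c07.ac0d    DYNAMIC     Gi0/1
"""
SAMPLE_ACL = """\
mac access-list extended Limit-HSRP
deny   host 0000.0c07.ac0a any
permit any any
"""

def hsrp_entries(table_text):
    """Return [(vlan, mac, hsrp_group, port)] for HSRPv1 virtual MACs in the table."""
    found = []
    for line in table_text.splitlines():
        row = ROW.match(line)  # None for header, separator and summary lines
        m = row and HSRP_V1.match(row.group(2))
        if m:
            found.append((int(row.group(1)), row.group(2).lower(),
                          int(m.group(1), 16), row.group(4)))
    return found

def acl_denied_macs(acl_text):
    """Host MACs named in deny entries, as source or destination."""
    return {mac.lower()
            for line in acl_text.splitlines() if line.split()[:1] == ["deny"]
            for mac in re.findall(r"host\s+(\S+)", line)}

def unlisted_hsrp(table_text, acl_text):
    """HSRP virtual MACs present in the table that no deny entry names."""
    denied = acl_denied_macs(acl_text)
    return [e for e in hsrp_entries(table_text) if e[1] not in denied]

if __name__ == "__main__":
    for vlan, mac, group, port in unlisted_hsrp(SAMPLE_TABLE, SAMPLE_ACL):
        print(f"VLAN {vlan}: {mac} (HSRP group {group}) on {port} is not named in the ACL")
```

The check only compares the addresses in the table with the addresses the ACL lists; it says nothing about whether the switch applies the ACL to the frames in question.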
