PACL Issue

Thomas Yarger
Level 1

Experts,

I'm configuring a PACL on my L2 Switch to block a user. Both of us reside on the same L2 Switch and the same VLAN. On the Switch, I configured this statement globally on the Switch:

mac access-list extended Deny

deny   host xxxx.xxxx.xxxx any

Under my interface, I configured this statement:

mac access-group Deny in

After I did this, my computer experienced severe connectivity issues. So, I added a permit any any statement below the deny statement. Still, severe connectivity issues. I followed the configuration guide.

Did I miss anything? I assume the ACL logic is correct.


5 Replies

Jon Marshall
Hall of Fame

Thomas

I may not be understanding, but your line denies all traffic from that MAC address, so I would expect you wouldn't be able to connect to anything, i.e.:

deny   host xxxx.xxxx.xxxx any

Assuming xxxx.xxxx.xxxx is the host's MAC address, you are denying all traffic to any destination.

Adding a permit line will do nothing as it will never be matched.

Jon

Jon,

I may have my ACL logic wrong, but the xxxx.xxxx.xxxx is the host MAC I'm trying to deny from reaching my computer.

Thomas

The ACL would need to be applied in the outbound direction for that ACL to work. That said, it depends on the switch you are using, as some switches have the restriction with PACLs that they can only be applied in the inbound direction.

Which switch are you using?

Jon

WS-C3560G-48PS-S; Version 12.2(44)SE5

Thomas

Unfortunately the 3560 only supports PACLs in the inbound direction, so you can't do what you want using this type of ACL.

You could instead use a VACL, which allows you to filter traffic within the same VLAN. See this link for details:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swacl.html#wp1599661

Jon
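The VLAN map approach Jon describes, as an added example that is not from the thread or from the linked Cisco guide. The ACL and map names, VLAN 10 and the placeholder MAC address are assumptions; note that in a VLAN map the MAC ACL uses permit to select the frames that the map's action then drops, so a deny entry like the one in the original PACL would select nothing.

```cisco
! Step 1: a MAC ACL that SELECTS frames from the host to be blocked.
! In a VLAN map "permit" means "match", not "allow"; the action below decides.
mac access-list extended BLOCK-HOST
 permit host xxxx.xxxx.xxxx any
!
! Step 2: the VLAN access map. Sequence 10 drops frames selected by
! BLOCK-HOST; sequence 20 has no match clause, so it forwards everything
! else (without it, unmatched traffic is dropped by the implicit deny).
vlan access-map FILTER-VLAN 10
 match mac address BLOCK-HOST
 action drop
vlan access-map FILTER-VLAN 20
 action forward
!
! Step 3: apply the map to the VLAN both hosts share (VLAN 10 assumed).
! A VLAN map filters all traffic bridged within the VLAN, regardless of
! direction, which is what a 3560 inbound-only PACL cannot do here.
vlan filter FILTER-VLAN vlan-list 10
!
! Verification:
!   show vlan access-map FILTER-VLAN
!   show vlan filter
```

On the 3560 family, MAC ACLs are documented as filtering non-IP traffic, so check the linked guide for how a MAC match in a VLAN map applies to the host's IP traffic before relying on this alone.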
