
New Member

PACL Issue

Experts,

I'm configuring a PACL on my L2 Switch to block a user. Both of us reside on the same L2 Switch and the same VLAN. On the Switch, I configured this statement globally on the Switch:

mac access-list extended Deny

deny   host xxxx.xxxx.xxxx any

Under my interface, I configured this statement:

mac access-group Deny in

After I did this, my computer experienced severe connectivity issues. So, I added a permit any any statement below the deny statement. Still, severe connectivity issues. I followed the configuration guide.

Did I miss anything? I assume the ACL logic is correct.

5 REPLIES
Hall of Fame Super Blue

PACL Issue

Thomas

I may not be understanding, but your line denies all traffic from that MAC address, so I would expect you wouldn't be able to connect to anything, i.e. -

deny   host xxxx.xxxx.xxxx any

Assuming xxxx.xxxx.xxxx is the host's MAC address, you are denying all traffic to any destination.

Adding a permit line will do nothing as it will never be matched.

Jon

New Member

PACL Issue

Jon,

I may have my ACL logic wrong, but the xxxx.xxxx.xxxx is the host MAC I'm trying to deny from reaching my computer.

Hall of Fame Super Blue

PACL Issue

Thomas

The ACL would need to be applied in the outbound direction for that ACL to work. That said, it depends on the switch you are using, as some switches have the restriction with PACLs that they can only be applied in the inbound direction.

Which switch are you using?

Jon

New Member

PACL Issue

WS-C3560G-48PS-S; Version 12.2(44)SE5

Hall of Fame Super Blue

PACL Issue

Thomas

Unfortunately the 3560 only supports PACLs in the inbound direction, so you can't do what you want using these types of ACLs.

You could instead use a VACL, which allows you to filter traffic within the same VLAN. See this link for details -

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/swacl.html#wp1599661

Jon
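Added configuration example (not from the thread or from Cisco's documentation): a VLAN map for the 3560 that drops traffic from one host to another inside the same VLAN and forwards everything else. The VLAN number, ACL and map names, and the IP and MAC addresses are constructed placeholders. Two points worth knowing before pasting this in: in a VLAN map, "permit" in the referenced ACL means "this traffic matches the clause" (the drop/forward decision is the map's action), and on the 3560 a MAC ACL matches only non-IP frames, so IP traffic between the two hosts has to be matched with an IP ACL in its own sequence.

```cisco
! Constructed placeholders: the user to block (host A) and the
! protected workstation (host B) both sit in VLAN 10.
!   host A: 192.0.2.10 / MAC 0000.0000.000a
!   host B: 192.0.2.20 / MAC 0000.0000.000b
!
! IP packets from A to B. On the 3560, IP traffic is not matched
! against MAC ACLs, so this clause is needed for the usual case.
ip access-list extended BLOCK-A-TO-B-IP
 permit ip host 192.0.2.10 host 192.0.2.20
!
! Non-IP frames unicast from A to B (e.g. A's ARP replies to B).
mac access-list extended BLOCK-A-TO-B-MAC
 permit host 0000.0000.000a host 0000.0000.000b
!
! Map sequences are evaluated in order; first matching clause wins.
vlan access-map BLOCK-A-TO-B 10
 match ip address BLOCK-A-TO-B-IP
 action drop
vlan access-map BLOCK-A-TO-B 20
 match mac address BLOCK-A-TO-B-MAC
 action drop
! Final clause with no match statement: forward everything else.
! Without it the map's implicit deny drops all other traffic in the VLAN.
vlan access-map BLOCK-A-TO-B 30
 action forward
!
! Apply the map to the VLAN. A VLAN map affects every port in the VLAN,
! not just one interface, which is why no direction is configured.
vlan filter BLOCK-A-TO-B vlan-list 10
!
! Verification
show vlan access-map BLOCK-A-TO-B
show vlan filter
```

As written this only drops A-to-B traffic; if B's traffic towards A should be dropped as well, add mirror-image entries (B as source, A as destination) to the two ACLs, or a separate pair of ACLs and map sequences. Keep the `action forward` sequence last and check `show vlan access-map` before applying the filter, since a map without it takes the whole VLAN off the air.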
