Cisco Support Community

New Member

MAC extended ACL doesn't work properly

I am trying to allow traffic from selected hosts via an L2 port on a Catalyst 3550-24 and filter all other traffic. The following configuration was created:

mac access-list extended mac-port-0/3
 permit host 0003.e48a.2c00 host 00c0.df10.825f
 permit host 00c0.df10.825f host 0003.e48a.2c00

interface FastEthernet0/3
 switchport access vlan 8
 switchport mode access
 no ip address
 duplex full
 speed 100
 mac access-group mac-port-0/3 in

where 00c0.df10.825f is the MAC address of my computer's NIC and 0003.e48a.2c00 is that of the default gateway (if I replace it with the 'any' keyword, the result is the same).

When I apply this configuration to the Catalyst, it stops all traffic via fas0/3.

switch# sh access-lists hard count
Input Drops: 118 matches (7795 bytes)
Output Drops: 0 matches (0 bytes)
Input Forwarded: 90212 matches (34869496 bytes)
Output Forwarded: 0 matches (0 bytes)
Input Bridge Only: 0 matches (0 bytes)
Bridge and Route in CPU: 0 matches (0 bytes)
Route in CPU: 8491 matches (546918 bytes)
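An added simulation (not code from this thread or from Cisco) of how a first-match ACL like the one posted above treats frames arriving inbound on Fa0/3. It shows one behaviour worth ruling out when a MAC ACL built from host-to-host permits blocks a port: ARP requests from the PC are broadcast to ffff.ffff.ffff, so neither entry of the ACL as posted matches them and the implicit deny at the end of the list drops them, whereas the 'any' variant the poster also tried lets them through. The thread itself does not establish what caused the drops, and the 3550's own frame handling (which frame types it hands to a MAC ACL) is not modelled. The two MAC addresses come from the question; the remaining addresses and the frame list are constructed sample data.

```python
"""Offline simulation of how a Cisco MAC extended ACL evaluates frames.

Added example, not code from the thread or from Cisco. It models only the
ordering rules every Cisco ACL follows: entries are checked top to bottom,
the first match decides, and an unmatched frame hits the implicit deny.
Platform behaviour (which frame types a 3550 hands to a MAC ACL) is not
modelled; the frames below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class MacAce:
    """One access-control entry: action is 'permit' or 'deny';
    src/dst are dotted MAC strings, or "any" for the IOS 'any' keyword."""
    action: str
    src: str
    dst: str


def _matches(pattern: str, mac: str) -> bool:
    return pattern == "any" or pattern.lower() == mac.lower()


def evaluate(acl: List[MacAce], src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for a frame with the given source/destination."""
    for ace in acl:
        if _matches(ace.src, src) and _matches(ace.dst, dst):
            return ace.action
    return "deny"  # implicit deny at the end of every Cisco ACL


# MAC addresses taken from the question.
PC = "00c0.df10.825f"   # the poster's NIC
GW = "0003.e48a.2c00"   # the default gateway

# The ACL exactly as posted: two host-to-host permits, nothing else.
ACL_AS_POSTED = [
    MacAce("permit", PC, GW),
    MacAce("permit", GW, PC),
]

# The variant the poster also tried: the gateway replaced by 'any'.
ACL_WITH_ANY = [
    MacAce("permit", PC, "any"),
    MacAce("permit", "any", PC),
]

# Constructed frames as they would arrive *inbound* on Fa0/3, i.e. frames
# sent by the PC. An 'in' access-group never sees frames leaving the port.
INBOUND_FRAMES: List[Tuple[str, str, str]] = [
    ("ARP request PC -> broadcast", PC, BROADCAST),
    ("unicast PC -> gateway", PC, GW),
    ("unicast PC -> other host", PC, "0011.2233.4455"),   # constructed MAC
    ("spoofed source -> gateway", "0011.2233.4455", GW),  # constructed MAC
]


def filter_frames(acl: List[MacAce], frames=INBOUND_FRAMES) -> Dict[str, str]:
    """Map each frame description to the ACL's verdict for that frame."""
    return {desc: evaluate(acl, src, dst) for desc, src, dst in frames}


if __name__ == "__main__":
    for name, acl in (("as posted", ACL_AS_POSTED), ("with any", ACL_WITH_ANY)):
        print(f"ACL {name}:")
        for desc, verdict in filter_frames(acl).items():
            print(f"  {verdict:6s} {desc}")
```

Running the block prints the verdict per frame for both ACL variants; the only frame the two lists treat the same way is the one with a spoofed source, which both deny because no entry matches it.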

2 REPLIES
New Member

Re: MAC extended ACL doesn't work properly

You must use the switchport port-security mac-address command to limit access to specific workstations.

Check this URL for more details: http://www.cisco.com/en/US/customer/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007f37c.html#xtocid13

New Member

Re: MAC extended ACL doesn't work properly

Yes, I know about the 'switchport port-security' command, but it allows only 128 secured (static) MAC addresses per device (not per port, as written in the documentation!!!). I need significantly more MAC addresses!
