MAC extended ACL doesn't work properly

aaanet (Level 1)

I am trying to permit traffic from selected hosts via an L2 port on a Catalyst 3550-24 and filter all other traffic. The following configuration was created:

mac access-list extended mac-port-0/3
 permit host 0003.e48a.2c00 host 00c0.df10.825f
 permit host 00c0.df10.825f host 0003.e48a.2c00

interface FastEthernet0/3
 switchport access vlan 8
 switchport mode access
 no ip address
 duplex full
 speed 100
 mac access-group mac-port-0/3 in

where 00c0.df10.825f is the MAC address of my computer's NIC and 0003.e48a.2c00 is one of the default gateways (if I replace it with the 'any' keyword, the result is the same).

When I apply this configuration to the Catalyst, it stops all traffic via Fa0/3.

switch# sh access-lists hard count
Input Drops: 118 matches (7795 bytes)
Output Drops: 0 matches (0 bytes)
Input Forwarded: 90212 matches (34869496 bytes)
Output Forwarded: 0 matches (0 bytes)
Input Bridge Only: 0 matches (0 bytes)
Bridge and Route in CPU: 0 matches (0 bytes)
Route in CPU: 8491 matches (546918 bytes)

2 Replies

m.singer (Level 4)

You must use the switchport port-security mac-address command to limit access to specific workstations.

Check this URL for more details: http://www.cisco.com/en/US/customer/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007f37c.html#xtocid13

Yes, I know about the 'switchport port-security' command, but it allows only 128 secured (static) MAC addresses per device (not per port as written in the documentation!!!). I need significantly more MAC addresses!
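The per-port MAC allowlist the original post configures by hand, and the larger allowlist the last reply says is needed, can be generated from a list of addresses instead of typed. The script below is an added example, not code from the original post, from Cisco or from any of the participants; the extra workstation MACs and the allow_broadcast option are assumptions. It normalizes MAC addresses written in the usual vendor notations into IOS dotted-hex, emits one permit entry per host towards the gateway plus one towards the broadcast address (so the host's own ARP requests are not caught by the ACL's implicit deny), de-duplicates, and closes with an explicit deny.

```python
import re

# Constructed sample input: the two MAC addresses from the post plus two
# hypothetical extra workstations in other common notations (assumption).
GATEWAY_MAC = "0003.e48a.2c00"
ALLOWED_HOSTS = [
    "00c0.df10.825f",         # IOS dotted-hex, as in the post
    "00:c0:df:10:82:60",      # colon-separated (Linux/macOS style), assumed
    "00-C0-DF-10-82-61",      # dash-separated (Windows style), assumed
]
BROADCAST = "ffff.ffff.ffff"  # destination of ARP requests and similar broadcasts

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def ios_mac(mac: str) -> str:
    """Normalize a MAC in colon, dash, dotted or bare notation to IOS
    dotted-hex (xxxx.xxxx.xxxx). Raises ValueError if the input is not
    exactly 12 hex digits after stripping separators."""
    digits = re.sub(r"[.:\-\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_mac_acl(name, hosts, gateway, allow_broadcast=True):
    """Return the IOS lines for an inbound MAC extended ACL that lets each
    allowed host send frames to the gateway (and, optionally, to the
    broadcast address) and drops frames from every other source."""
    gw = ios_mac(gateway)
    lines = [f"mac access-list extended {name}"]
    seen = set()
    for h in hosts:
        h = ios_mac(h)
        if h in seen:            # one ACE pair per host; duplicates waste TCAM
            continue
        seen.add(h)
        lines.append(f" permit host {h} host {gw}")
        if allow_broadcast:
            lines.append(f" permit host {h} host {BROADCAST}")
    lines.append(" deny any any")  # explicit form of the implicit deny at the end
    return lines


def interface_block(ifname, vlan, acl_name):
    """Return the access-port stanza that binds the ACL inbound."""
    return [
        f"interface {ifname}",
        " switchport mode access",
        f" switchport access vlan {vlan}",
        f" mac access-group {acl_name} in",
    ]


if __name__ == "__main__":
    cfg = build_mac_acl("mac-port-0/3", ALLOWED_HOSTS, GATEWAY_MAC)
    cfg += interface_block("FastEthernet0/3", 8, "mac-port-0/3")
    print("\n".join(cfg))
```

Two points the generator bakes in: an ACL applied with `in` on an access port only evaluates frames entering the switch from the attached host, so only entries whose source is that host can ever match in that direction (a gateway-to-host entry like the second line of the original ACL is never consulted inbound); and every ACE occupies hardware TCAM, so after applying a long allowlist, check `show access-lists hard count` as in the post to confirm the expected forwards and drops are being counted.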
