Cisco Support Community

Why is DHCP still able to work after MAC ACL

121 MAC_ACL.gif

These are the commands that I entered on the Cisco 3560:

c3560#configure terminal

c3560(config)#mac access-list extended MAC_ACL

c3560(config-ext-macl)#permit host 1111.1111.1111 any

c3560(config-ext-macl)#permit host 2222.2222.2222 any

c3560(config-ext-macl)#permit host 3333.3333.3333 any

c3560(config-ext-macl)#permit host ......


c3560(config)#interface range FastEthernet0/2 - 24 (FastEthernet0/1 is the uplink port)

c3560(config-if-range)#mac access-group MAC_ACL in

  • I did not permit host 0811.96ec.4cf0 on Cisco 3560
  • But Test PC did obtain an IP address from DHCP server
  • Test PC was not able to ping or other computers though it obtained an IP address

In my understanding, Test PC should not have been able to communicate with any others that are connected to other ports of the Cisco 3560 with any protocols, including DHCP Discover/Offer/Request/ACK, because I think the Cisco 3560 should have dropped any inbound frames on ports 2-24 if there were no MAC ACL entries to match the source MAC address of the inbound frames.
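Added example, not part of the original post: on Catalyst 3560 switches, a MAC extended ACL applied with mac access-group is evaluated only against non-IP frames, which is consistent with both observations above (DHCP travels in IPv4 and is never checked; ARP is non-IP and hits the implicit deny, so ping fails). The Python model below is a simplification of that behavior; the helper names and the constructed sample frames are assumptions for illustration.

```python
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
# Source MACs permitted by MAC_ACL in the post; everything else hits the implicit deny.
PERMITTED_SRC = {"1111.1111.1111", "2222.2222.2222", "3333.3333.3333"}
TEST_PC = "0811.96ec.4cf0"   # not permitted (from the post)
BROADCAST = "ffff.ffff.ffff"

def to_raw(mac: str) -> bytes:
    """Cisco dotted MAC -> 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(".", ""))
    if len(raw) != 6:
        raise ValueError(f"bad MAC: {mac}")
    return raw

def to_cisco(raw: bytes) -> str:
    """6 raw bytes -> Cisco dotted MAC."""
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in (0, 4, 8))

def build_frame(src: str, dst: str, ethertype: int, payload: bytes = b"") -> bytes:
    """Constructed, untagged Ethernet II frame for the demo."""
    return to_raw(dst) + to_raw(src) + struct.pack("!H", ethertype) + payload

def mac_acl_inbound(frame: bytes) -> str:
    """Modelled verdict of 'mac access-group MAC_ACL in' (IPv4 vs. non-IP only)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = to_cisco(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETH_IPV4:
        # IP traffic is not matched against the MAC ACL at all.
        return "forward: IPv4, MAC ACL not evaluated"
    if src in PERMITTED_SRC:
        return "forward: permit host " + src
    return "drop: implicit deny for " + src

def demo() -> dict:
    """Run three constructed frames through the model."""
    frames = {
        "DHCP Discover from Test PC": build_frame(TEST_PC, BROADCAST, ETH_IPV4),
        "ARP request from Test PC": build_frame(TEST_PC, BROADCAST, ETH_ARP),
        "ARP request from permitted host": build_frame("1111.1111.1111", BROADCAST, ETH_ARP),
    }
    return {name: mac_acl_inbound(f) for name, f in frames.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32} -> {verdict}")
```

Restricting a port to known source MACs for IP traffic as well needs a control that is not protocol-dependent, such as port security.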
