Cisco Support Community

Why is DHCP still able to work after MAC ACL

[Attached image: MAC_ACL.gif]

These are the commands that I entered on the Cisco 3560:

c3560#configure terminal

c3560(config)#mac access-list extended MAC_ACL

c3560(config-ext-macl)#permit host 1111.1111.1111 any

c3560(config-ext-macl)#permit host 2222.2222.2222 any

c3560(config-ext-macl)#permit host 3333.3333.3333 any

c3560(config-ext-macl)#permit host ......

c3560(config-ext-macl)#exit

c3560(config)#interface range FastEthernet0/2 - 24 (FastEthernet0/1 is the uplink port)

c3560(config-if-range)#mac access-group MAC_ACL in

  • I did not permit host 0811.96ec.4cf0 on Cisco 3560
  • But Test PC did obtain an IP address 172.18.11.188 from DHCP server 172.18.10.22
  • Test PC was not able to ping 172.18.10.22 or other computers though it obtained an IP address

In my understanding, Test PC should not have been able to communicate with any other devices connected to other ports of the Cisco 3560 with any protocol, including DHCP Discover/Offer/Request/ACK, because I think the Cisco 3560 should have dropped any inbound frames on ports 2-24 if there were no MAC ACL entries matching the source MAC address of the inbound frames.

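An added example, not part of the original post and not Cisco code: a small Python model of how an inbound port MAC ACL is applied on this class of switch, where Cisco's documentation states that MAC ACLs on Layer 2 interfaces filter only non-IP traffic. The frames are constructed samples, the function names are hypothetical, and treating EtherType 0x0800 as the only IP traffic is a simplifying assumption.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
BROADCAST = "ffff.ffff.ffff"

def mac_bytes(cisco_mac):
    """Convert Cisco dotted notation (e.g. 0811.96ec.4cf0) to 6 raw bytes."""
    return bytes.fromhex(cisco_mac.replace(".", ""))

def eth_frame(src, dst, ethertype, payload=b""):
    """Build a minimal untagged Ethernet II frame (constructed sample data)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def port_mac_acl_verdict(frame, permitted_sources):
    """Model an inbound MAC ACL made only of 'permit host <mac> any' entries."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_IPV4:
        # IP frames are never compared against the MAC ACL (assumption: only
        # IPv4 is modelled as IP here); an IP ACL would be needed to filter them.
        return "not-evaluated"
    if src in permitted_sources:
        return "permit"
    return "deny"  # implicit deny at the end of the ACL

# Entries shown in the post's MAC_ACL.
PERMITTED = {mac_bytes(m) for m in
             ("1111.1111.1111", "2222.2222.2222", "3333.3333.3333")}
TEST_PC = "0811.96ec.4cf0"  # the host that was not permitted

def demo():
    """Verdicts for the frames the Test PC sends during DHCP and before a ping."""
    dhcp_discover = eth_frame(TEST_PC, BROADCAST, ETHERTYPE_IPV4)  # UDP 68 -> 67
    arp_request = eth_frame(TEST_PC, BROADCAST, ETHERTYPE_ARP)     # who-has target
    arp_allowed = eth_frame("1111.1111.1111", BROADCAST, ETHERTYPE_ARP)
    return {
        "dhcp_discover": port_mac_acl_verdict(dhcp_discover, PERMITTED),
        "arp_request": port_mac_acl_verdict(arp_request, PERMITTED),
        "arp_from_permitted_host": port_mac_acl_verdict(arp_allowed, PERMITTED),
    }

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

In this model the DHCP Discover is an IPv4 frame and is never compared against MAC_ACL, while the Test PC's ARP requests are non-IP and hit the implicit deny, which is consistent with both observations in the post: an address was leased, but pings failed.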