Hi Chris,
As far as I remember, MAC access-lists are only used to filter non-IP
traffic like ARP.
In your example, when you shut the interface, routers will clear their ARP
tables. And when you enable it again and try to create traffic, the MAC
access list will block all new ARP requests. So you thought that your ACL
worked after a shut/no-shut.
But actually, it only blocked the ARP packets. To test it, after shut and
no-shut, create manual ARP entries on the routers. They will probably start to
communicate again and you will see that your MAC filter is not working for
IP traffic. :)
Another way of testing can be clearing the ARP tables on the routers without a
shut/no-shut operation. Since the MAC ACL will again block the ARP request, your
ACL will again seem to be working (but just because it blocked ARPs).
Please share your result to see if I am right.
Thanks.
-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
Chris Grammer
Sent: Thursday, September 09, 2010 14:50
To: Cisco certification
Subject: MAC Filter 3560
I have run into an interesting issue.
If I create a MAC filter such as:
mac access-list extended BLOCK3
deny host 0012.d993.d5c2 any
permit any any
I apply the access-list to the fa1/0/1 interface of the switch:
interface FastEthernet1/0/1
switchport access vlan 40
switchport mode access
mac access-group BLOCK3 in
The problem is, the access list will not block the MAC address unless I
shut/no shut the interface.
If I apply the MAC access-list to a vlan access-map it exhibits the same
behavior.
If I apply an IP access list to the interface or access-map, the change is
immediate.
Is this normal behavior for a layer 2 access-list on a switch?
Thanks,
Chris
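The verification the reply suggests, written out as an IOS session (an added example, not part of either message). It assumes the denied host 0012.d993.d5c2 is R1 at 10.40.0.1 on fa1/0/1, a second router R2 at 10.40.0.2 on another access port in VLAN 40, and that BLOCK3 is applied as in Chris's configuration; hostnames, IP addresses and the `<R2-MAC>` placeholder are constructed.

```cisco
! Added example, not the original poster's or replier's own CLI output.
! Assumed topology: R1 (10.40.0.1, MAC 0012.d993.d5c2) on Fa1/0/1,
! R2 (10.40.0.2, MAC <R2-MAC>) on another VLAN 40 access port.

! On the switch: confirm the MAC ACL is really attached to the port
SW# show mac access-group interface FastEthernet1/0/1
SW# show access-lists BLOCK3

! Step 1: bounce the port, then test from R2. The ping fails because
! R1's ARP reply (a non-IP frame sourced from the denied MAC) is dropped
! inbound on Fa1/0/1, so R2 never learns R1's MAC.
SW(config)# interface FastEthernet1/0/1
SW(config-if)# shutdown
SW(config-if)# no shutdown
R2# ping 10.40.0.1

! Step 2: bypass ARP entirely with static entries on both routers.
! If this ping now succeeds, the MAC ACL is not filtering IP frames.
R1(config)# arp 10.40.0.2 <R2-MAC> arpa
R2(config)# arp 10.40.0.1 0012.d993.d5c2 arpa
R2# ping 10.40.0.1

! Step 3: the same check without any shut/no shut. Remove the static
! entries, flush the dynamic ARP caches and ping again: it fails only
! because the new ARP exchange is blocked, not because IP is filtered.
R1(config)# no arp 10.40.0.2 <R2-MAC> arpa
R2(config)# no arp 10.40.0.1 0012.d993.d5c2 arpa
R1# clear arp-cache
R2# clear arp-cache
R2# ping 10.40.0.1
```

Steps 2 and 3 separate the two effects: step 2 shows whether IP traffic passes once ARP is out of the picture, and step 3 shows that clearing ARP alone reproduces the "blocked" symptom without touching the interface.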
Blogs and organic groups at http://www.ccie.net
Received on Thu Sep 09 2010 - 23:45:59 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART