I agree with Kubilay.
MAC ACLs will only affect non-IP traffic :-)
On Fri, Sep 10, 2010 at 12:45 PM, Kubilay Akgul <kubilayakgul_at_gmail.com> wrote:
> Hi Chris,
>
> As far as I remember, MAC access-lists are only used to filter non-IP
> traffic like ARP.
> In your example, when you shut the interface, routers will clear their ARP
> tables. And when you enable it again and try to create traffic, the MAC
> access list will block all new ARP requests. So you thought that your ACL
> worked after a shut/no-shut.
> But, actually it only blocked the ARP packets. To test it, after shut and
> no-shut, create manual ARP entries on routers. They probably start to
> communicate again and you will see that your MAC filter is not working for
> IP traffic. :)
>
> Another way of testing can be clearing ARP tables on routers without a
> shut/no shut operation. Since MAC ACL will again block the ARP request, your
> ACL will again seem to be working (but just because it blocked arps).
>
> Please share your result to see if I am right.
>
> Thanks.
>
>
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Chris Grammer
> Sent: Thursday, September 09, 2010 14:50
> To: Cisco certification
> Subject: MAC Filter 3560
>
> I have run into an interesting issue.
>
> If I create a MAC filter such as:
>
> mac access-list extended BLOCK3
> deny host 0012.d993.d5c2 any
> permit any any
>
> I apply the access-list to the fa1/0/1 interface of the switch:
>
> interface FastEthernet1/0/1
> switchport access vlan 40
> switchport mode access
> mac access-group BLOCK3 in
>
>
> The problem is, the access list will not block the MAC address unless I
> shut/no shut the interface.
> If I apply the MAC access-list to a vlan access-map it exhibits the same
> behavior.
> If I apply an IP access list to the interface or access-map, the change is
> immediate.
>
> Is this normal behavior for a layer 2 access-list on a switch?
>
> Thanks,
>
> Chris
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
Received on Fri Sep 10 2010 - 12:57:58 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART
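
Added example, not part of the original thread or of any Cisco code: a small Python model of the behaviour the replies describe, where an inbound MAC ACL is consulted only for non-IP frames, so a host with a warm ARP cache keeps passing IP traffic until the cache is cleared. The peer MAC, the IP address, the function names and the rule that only IPv4 frames skip the ACL are assumptions of this model.

```python
import struct

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
BROADCAST = "ffff.ffff.ffff"

# BLOCK3 from the thread: (action, source MAC; None means "any").
BLOCK3 = [("deny", "0012.d993.d5c2"), ("permit", None)]

def mac_bytes(cisco_mac):
    """'0012.d993.d5c2' -> 6 raw bytes."""
    return bytes.fromhex(cisco_mac.replace(".", ""))

def frame(src, dst, ethertype, payload=b""):
    """Build an untagged Ethernet II frame (no FCS)."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def port_mac_acl(raw, acl):
    """Verdict of an inbound MAC ACL for one frame."""
    src = raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype == ETH_IPV4:
        # Assumption taken from the thread: IP frames are never matched
        # against a MAC ACL; only an IP ACL would see them.
        return "not-evaluated"
    for action, host in acl:
        if host is None or mac_bytes(host) == src:
            return action
    return "deny"  # implicit deny at the end of any ACL

def ip_gets_through(src_mac, peer_ip, peer_mac, arp_cache, acl=BLOCK3):
    """Can src_mac deliver an IP packet to peer_ip through the filtered port?

    arp_cache is the sender's ARP table (dict ip -> MAC); it is updated
    in place when resolution succeeds.
    """
    if peer_ip not in arp_cache:
        # No cached entry: the sender must ARP first, and ARP is non-IP.
        if port_mac_acl(frame(src_mac, BROADCAST, ETH_ARP), acl) == "deny":
            return False  # resolution fails, so no IP frame is ever sent
        arp_cache[peer_ip] = peer_mac
    ip_frame = frame(src_mac, arp_cache[peer_ip], ETH_IPV4)
    return port_mac_acl(ip_frame, acl) != "deny"

if __name__ == "__main__":
    blocked, peer = "0012.d993.d5c2", "0000.0c00.0001"  # peer MAC is constructed
    print("warm ARP cache:", ip_gets_through(blocked, "10.0.40.1", peer, {"10.0.40.1": peer}))
    print("cold ARP cache:", ip_gets_through(blocked, "10.0.40.1", peer, {}))
```

The warm-cache case corresponds to applying the ACL without a shut/no shut, and the cold-cache case to the state after the ARP tables have been cleared.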