Thanks for the help!
And, I will let you know the results of the testing.
Chris
On Thu, Sep 9, 2010 at 11:57 PM, Garth Bryden <
hacked.the.planet.on.28.8k.dialup_at_gmail.com> wrote:
> I agree with Kubilay.
>
> MAC ACLs will only affect non-IP traffic :-)
>
> On Fri, Sep 10, 2010 at 12:45 PM, Kubilay Akgul <kubilayakgul_at_gmail.com>wrote:
>
>> Hi Chris,
>>
>> As far as I remember, MAC access-lists are only used to filter non-IP
>> traffic like ARP.
>> In your example, when you shut the interface, routers will clear their ARP
>> tables. And when you enable it again and try to create traffic, the MAC
>> access list will block all new ARP requests. So you thought that your ACL
>> worked after a shut/no-shut.
>> But, actually it only blocked the ARP packets. To test it, after shut and
>> no-shut, create manual ARP entries on routers. They probably start to
>> communicate again and you will see that your MAC filter is not working for
>> IP traffic. :)
>>
>> Another way of testing can be clearing ARP tables on routers without a
>> shut/no shut operation. Since the MAC ACL will again block the ARP request,
>> your ACL will again seem to be working (but just because it blocked ARPs).
>>
>> Please share your result to see if I am right.
>>
>> Thanks.
>>
>>
>>
>> -----Original Message-----
>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>> Chris Grammer
>> Sent: Thursday, September 09, 2010 14:50
>> To: Cisco certification
>> Subject: MAC Filter 3560
>>
>> I have run into an interesting issue.
>>
>> If I create a MAC filter such as:
>>
>> mac access-list extended BLOCK3
>> deny host 0012.d993.d5c2 any
>> permit any any
>>
>> I apply the access-list to the fa1/0/1 interface of the switch:
>>
>> interface FastEthernet1/0/1
>> switchport access vlan 40
>> switchport mode access
>> mac access-group BLOCK3 in
>>
>>
>> The problem is, the access list will not block the MAC address unless I
>> shut/no shut the interface.
>> If I apply the MAC access-list to a vlan access-map it exhibits the same
>> behavior.
>> If I apply an IP access list to the interface or access-map, the change is
>> immediate.
>>
>> Is this normal behavior for a layer 2 access-list on a switch?
>>
>> Thanks,
>>
>> Chris
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>>
Received on Fri Sep 10 2010 - 00:57:12 ART
This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART
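The check Kubilay proposes in the quoted thread (clear ARP without a shut/no shut, then add static ARP entries so no ARP request is needed), laid out as an annotated IOS transcript. This is an added example, not part of the original post or of Cisco documentation. The MAC ACL and the fa1/0/1 configuration are copied from Chris's message; the router names R1 and R2, the addresses 10.1.40.1 and 10.1.40.2, R2's MAC address 0012.d993.0002 and the IP ACL name BLOCK3-IP are assumptions. Lines beginning with `!` are comments, and the exec-mode commands are shown with their prompts, so the block is read step by step rather than pasted as one unit.

```cisco
! --- Switch: the MAC port ACL exactly as posted in the thread ---
mac access-list extended BLOCK3
 deny   host 0012.d993.d5c2 any
 permit any any
!
interface FastEthernet1/0/1
 switchport access vlan 40
 switchport mode access
 mac access-group BLOCK3 in
!
! --- Assumed topology: R1 (MAC 0012.d993.d5c2, 10.1.40.1) is on fa1/0/1,
!     R2 (MAC 0012.d993.0002, 10.1.40.2) is elsewhere in VLAN 40.
!
! --- Step 1: clear ARP on both routers, no shut/no shut on the switch port.
!     If the ACL matches only non-IP frames, R1's ARP request is dropped and
!     the ping fails, which looks like the filter working.
R1# clear arp-cache
R2# clear arp-cache
R1# ping 10.1.40.2
!
! --- Step 2: static ARP entries on both sides so no ARP exchange is needed.
!     If this ping now succeeds, BLOCK3 is not filtering R1's IP traffic;
!     only the ARP frames were being dropped.
R1(config)# arp 10.1.40.2 0012.d993.0002 arpa
R2(config)# arp 10.1.40.1 0012.d993.d5c2 arpa
R1# ping 10.1.40.2
!
! --- Confirm which MAC ACL is bound to the port while testing.
Switch# show mac access-group interface fastethernet1/0/1
!
! --- Assumed fix: to drop the host's IP traffic on the same port, filter on
!     its IP address with an IP port ACL alongside the MAC ACL. This keys on
!     the IP, not the MAC, so a host that changes its IP is not covered.
ip access-list extended BLOCK3-IP
 deny   ip host 10.1.40.1 any
 permit ip any any
!
interface FastEthernet1/0/1
 ip access-group BLOCK3-IP in
```

Static ARP entries are a lab instrument here, not a fix: once they are in place, the only thing left for the MAC ACL to match on R1's port is ARP, which is exactly why the IP traffic getting through shows the MAC ACL is not inspecting it. The IP ACL at the end is an assumed way to filter that host's IP traffic on a Layer 2 port; the routers' static ARP entries should be removed (`no arp ...`) when the test is done.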