Re: MAC Filter 3560

From: Adrian Brayton <abrayton_at_gmail.com>
Date: Fri, 10 Sep 2010 11:37:41 -0400

Wasn't your initial question as to why you had to shut / no shut an interface to get a MAC ACL to work, and whether this was normal behavior?

I sorta disagree that a MAC ACL doesn't work on IPv4 traffic (with all things being default)... In order to get to layer 3, you need to first get through layer 2, right?

On Sep 10, 2010, at 11:19 AM, Chris Grammer wrote:

> Here is the Test:
>
> R1 ---- SW1 ---- R2
>
> R1 on port f1/0/1
> R2 on port f1/0/2
>
> SW1 Config:
>
> mac access-list extended BLOCK_F1/0/1
>  deny any any
>
> interface FastEthernet1/0/1
>  switchport access vlan 40
>  switchport mode access
>  mac access-group BLOCK_F1/0/1 in
>
> -----------------------------------------
>
>
> The Ping between R1 and R2 were successful prior to applying the mac
> access-list.
> I applied the access-list and shut/no shut the interface.
> Pings from R1 to R2 are failing.
>
> The arp table on R1 after the failed ping:
> Internet 1.1.123.2 0 Incomplete ARPA
>
> Statically map the ARP on R1:
> R1(config)#arp 1.1.123.2 000b.be6d.6f00 arpa
>
> R1#ping 1.1.123.2
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 1.1.123.2, timeout is 2 seconds:
> !!!!!
> Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
> R1#
>
> So indeed, MAC-access list does NOT work on IPv4 traffic, except to block
> the initial ARP.
> Kubilay is correct.
>
>
> I did the same test scenario except I used a vlan access-map:
>
> mac access-list extended PERMIT_ALL_MACS
>  permit any any
>
> vlan access-map VLAN40_MAP 10
>  action drop
>  match mac address PERMIT_ALL_MACS
> vlan access-map VLAN40_MAP 20
>  action forward
>
> vlan filter VLAN40_MAP vlan-list 40
>
> The result was the same.
> Initially the ping will not work.
> The arp table shows an incomplete arp.
> Statically map the ARP...on both routers this time
> Ping is successful after statically mapping ARPs.
>
>
> Chris
>
> On Fri, Sep 10, 2010 at 7:14 AM, Adrian Brayton <abrayton_at_gmail.com> wrote:
>
>> When it comes to VLAN access-maps, they should accomplish what you are
>> trying to do when you apply them. It's when you make changes that you HAVE to
>> remove and reapply them.
>>
>> It's default behavior.
>>
>>
>> On Sep 10, 2010, at 1:57 AM, Chris Grammer wrote:
>>
>>> Thanks for the help!
>>> And, I will let you know the results of the testing.
>>>
>>> Chris
>>>
>>> On Thu, Sep 9, 2010 at 11:57 PM, Garth Bryden <
>>> hacked.the.planet.on.28.8k.dialup_at_gmail.com> wrote:
>>>
>>>> I agree with Kubilay.
>>>>
>>>> MAC ACLs will only affect non-IP traffic :-)
>>>>
>>>> On Fri, Sep 10, 2010 at 12:45 PM, Kubilay Akgul <kubilayakgul_at_gmail.com> wrote:
>>>>
>>>>> Hi Chris,
>>>>>
>>>>> As far as I remember, MAC access-lists are only used to filter non-IP
>>>>> traffic like ARP.
>>>>> In your example, when you shut the interface, routers will clear their ARP
>>>>> tables. And when you enable it again and try to create traffic, the MAC
>>>>> access list will block all new ARP requests. So you thought that your ACL
>>>>> worked after a shut/no-shut.
>>>>> But actually it only blocked the ARP packets. To test it, after shut and
>>>>> no-shut, create manual ARP entries on the routers. They will probably start
>>>>> to communicate again and you will see that your MAC filter is not working
>>>>> for IP traffic. :)
>>>>>
>>>>> Another way of testing can be clearing ARP tables on routers without a
>>>>> shut/no shut operation. Since the MAC ACL will again block the ARP request,
>>>>> your ACL will again seem to be working (but just because it blocked ARPs).
>>>>>
>>>>> Please share your result to see if I am right.
>>>>>
>>>>> Thanks.
>>>>>
>>>>>
>>>>>
>>>>> -----Original Message-----
>>>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>>>> Chris Grammer
>>>>> Sent: Thursday, September 09, 2010 14:50
>>>>> To: Cisco certification
>>>>> Subject: MAC Filter 3560
>>>>>
>>>>> I have run into an interesting issue.
>>>>>
>>>>> If I create a MAC filter such as:
>>>>>
>>>>> mac access-list extended BLOCK3
>>>>>  deny host 0012.d993.d5c2 any
>>>>>  permit any any
>>>>>
>>>>> I apply the access-list to the fa1/0/1 interface of the switch:
>>>>>
>>>>> interface FastEthernet1/0/1
>>>>>  switchport access vlan 40
>>>>>  switchport mode access
>>>>>  mac access-group BLOCK3 in
>>>>>
>>>>>
>>>>> The problem is, the access list will not block the MAC address unless I
>>>>> shut/no shut the interface.
>>>>> If I apply the MAC access-list to a vlan access-map it exhibits the same
>>>>> behavior.
>>>>> If I apply an IP access list to the interface or access-map, the change is
>>>>> immediate.
>>>>>
>>>>> Is this normal behavior for a layer 2 access-list on a switch?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Chris
>>>>>
>>>>>
>>>>> Blogs and organic groups at http://www.ccie.net
>>>>>
>>>>> _______________________________________________________________________
>>>>> Subscription information may be found at:
>>>>> http://www.groupstudy.com/list/CCIELab.html
>>>>>
>>>
>>>
>>
>>
>
>
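What Chris's test shows is that on the 3560 a MAC ACL, whether applied as a port ACL or inside a VLAN access-map, only filters non-IP frames: once both ends hold an ARP entry (static, or learned before the ACL went on) the IPv4 traffic from the "blocked" MAC is forwarded, and the only thing the ACL ever stopped was the ARP exchange. The configuration below is an added example and is not from any message in this thread. It reuses VLAN 40, port Fa1/0/1 and the MAC 0012.d993.d5c2 from the first post, and shows two ways to drop a host by MAC regardless of protocol, followed by a verification that cannot be fooled by a stale ARP cache. The allowed MAC in the port-security variant (000b.be6d.6f00, R2's address in the thread) is used here only as an illustration of the syntax; substitute the MAC that is actually legitimate on that port.

```cisco
! --- Option 1: unicast MAC address filtering ---
! Installs a static drop entry in the MAC address table. Frames with this
! address as SOURCE OR DESTINATION in VLAN 40 are dropped for every
! ethertype (IPv4, ARP, IPv6, ...), unlike a MAC ACL, which never sees IP.
! Limitation: not accepted for multicast/broadcast addresses, router MACs
! or the switch's own CPU addresses.
mac address-table static 0012.d993.d5c2 vlan 40 drop
!
! --- Option 2: port security, allow-list instead of deny-list ---
! Pins the port to the one MAC that should be there; any other source MAC
! is dropped by the port-security logic, again independent of protocol.
! "restrict" drops offending frames and counts them; "shutdown" would
! err-disable the port instead.
interface FastEthernet1/0/1
 switchport access vlan 40
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 000b.be6d.6f00
 switchport port-security violation restrict
!
! --- Verification on the switch ---
! Confirm the drop entry and the port-security state are actually installed.
! (Run from privileged EXEC, not config mode.)
! show mac address-table static vlan 40
! show port-security interface FastEthernet1/0/1
!
! --- Verification on R1 that is not fooled by ARP ---
! Seed the ARP cache first (the static-ARP trick from the thread) so that
! ARP cannot be what is failing, then ping. If the ping still fails with
! the static entry in place, the switch is dropping the IPv4 frames
! themselves, which is the behaviour the MAC ACL could not deliver.
! R1(config)#arp 1.1.123.2 000b.be6d.6f00 arpa
! R1#ping 1.1.123.2
```

When testing either option, also repeat the ping after `clear arp-cache` on the routers rather than a shut/no shut of the switch port: a shut/no shut both clears the ARP caches and re-programs the port, so it masks which of the two actually changed the result.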

Received on Fri Sep 10 2010 - 11:37:41 ART

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART