• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 318
  • Last Modified:

MAC Filtering

Hi Experts,

I hope you can help me with this. Im trying to set up MAC filtering on a powerconnect 5448
However when i apply my ACL to the port it blocks all traffic even from the device, who's mac should be allowed

As a result im guessing i've configured something wrong so hopefully someone can spot the mistake

Here is my understanding of the fields

Priority - Self explanatory
Action - Self explanatory
Source MAC - MAC of machine or device in question
MAC Wild Card Mask - 00:00:00:00:00:00 for a explicit mac address
VLAN - vlan of port and device
Ethertype - should be 0x0800 for all traffic?

The only one im uncertain on is the ethertype
0
James Glen
Asked:
James Glen
Advertise Here
  • 3
  • 3
  • 2
2 Solutions
 
Craig BeckCommented:
Try Ethertype 0x0806 instead.  You're filtering by MAC, not IPv4.
0
 
MiftaulCommented:
Ethernet II frame's "Type" field tells the OS what kind of data the frame carries

0x0800 means that the contents of the frame is an IPv4 packet
0
 
James GlenIT EngineerAuthor Commented:
Hi Guys,

I tried 0x0806 and 0x0800. Still no luck? Any other ideas what could be causing the issue?
0
Building an Effective Phishing Protection Program

Join Director of Product Management Todd OBoyle on April 26th as he covers the key elements of a phishing protection program. Whether you’re an old hat at phishing education or considering starting a program -- we'll discuss critical components that should be in any program.

Register Today!
 
MiftaulCommented:
Can you please run and give us the output,

console# show mac access-lists
console# show mac access-lists YOUR-ACL-NAME

Here is the example configuration:

console(config)#mac access-list extended ALLOW
console(config-mac-access-list)#Permit 3C97.0E86.9F42 0000.0000.0000 any
console(config-mac-access-list)#Deny any any

Then we apply on that specific interface
console(config)#mac access-group ALLOW in
0
 
James GlenIT EngineerAuthor Commented:
SWI..DP108# show access-lists
MAC access list SJones
    permit  host b8:ca:3a:73:d6:24 any vlan 1 ethtype 0806
SWI..DP108# show access-lists
MAC access list SJones
    permit  host b8:ca:3a:73:d6:24 any vlan 1 ethtype 0806

SWI..DP108# show access-lists SJones
MAC access list SJones
    permit  host b8:ca:3a:73:d6:24 any vlan 1 ethtype 0806
0
 
Craig BeckCommented:
This is for a 6024, but might work on the 5448...

mac access-list ALLOW_PCS
 permit aa:bb:cc:dd:ee:ff 00:00:00:00:00:00 any vlan 1
 permit 00:11:22:33:44:55 00:00:00:00:00:00 any vlan 1
!
interface e1
 service-acl input ALLOW_PCS
interface e2
 service-acl input ALLOW_PCS

Open in new window

Replace the MAC addresses with real ones, and change the VLAN to whichever destination VLAN you want to allow that MAC to access.
0
 
MiftaulCommented:
EtherType 0806 seems to be for Address Resolution Protocol (ARP)

Can you please remote "ethtype 0806" from the ACE.

Also please apply the ACL inbound to the interface.
0
 
James GlenIT EngineerAuthor Commented:
That did it! :) Turns out no ethertype needed to be provided

Cheers lads and Merry Xmas to you both
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Access It Now
  • 3
  • 3
  • 2
Advertise Here
Tackle projects and never again get stuck behind a technical roadblock.
Join Now