MAC ACL match in VACL -3560G

Hello gang.. I'm trying to filter traffic using a VACL that has a MAC access-list used as the definition. We have some traffic being sourced from 00:00:00:00:00:00 that I need to block.
mac access-list extended ALLPERMITL2
 permit any any
mac access-list extended BADL2
 permit host 0000.0000.0000 any
vlan access-map L2MAP 20
 match mac address BADL2
 action drop
vlan access-map L2MAP 30
 match mac address ALLPERMITL2
 action forward
vlan filter L2MAP vlan-list 61
My concern is I don't think I am implementing this correctly because I do the following:
#show vlan access-log statistics
VACL Logging Statistics:
        total packets          0
        logged                 0
        dropped                0
        buffered               0
Dropped Packets Statistics:
        no packet buffer       0
        hash queue full        0
        flow table full        0
Misc Information:
        free packet buffers    :8192
        log messages sent     0
        flow table size        0
and don't see anything incrementing. I would think that I would at least see something in "total packets" for stuff that is getting allowed through?

From the Cisco configuration guide:
Creating Named MAC Extended ACLs
You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs. The procedure is similar to that of configuring other extended named ACLs.
Note: You cannot apply named MAC extended ACLs to Layer 3 interfaces.
For more information about the supported non-IP protocols in the mac access-list extended command, see the command reference for this release.
http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/15-0_1_se/configuration/guide/scg3560/swacl.html#wp1289037
Some more information here:
https://supportforums.cisco.com/thread/2082129
Daniel Dib
CCIE #37149
Please rate helpful posts.
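
Added example (not part of the original thread and not Cisco code): a simplified Python model of how the L2MAP VLAN map from the question treats frames, given that MAC ACL clauses only apply to non-IPv4 traffic. It assumes the configuration guide's rule that a packet type with no match clause in the map is forwarded by default; the frames and all function names are constructed for illustration.

```python
# Simplified model of Catalyst 3560 VLAN-map evaluation (assumption: MAC ACL
# clauses are only tested against non-IPv4 frames, and a frame type with no
# match clause in the map is forwarded by default).
ETH_IPV4 = 0x0800

# The access-map from the question: (sequence, clause type, ACL entries, action).
# Each ACL entry is (source MAC or "any", destination MAC or "any").
L2MAP = [
    (20, "mac", [("0000.0000.0000", "any")], "drop"),   # BADL2
    (30, "mac", [("any", "any")], "forward"),           # ALLPERMITL2
]

def acl_permits(entries, src, dst):
    """True if any permit entry matches the frame's source and destination."""
    return any(s in ("any", src) and d in ("any", dst) for s, d in entries)

def vlan_map_action(vlan_map, src, dst, ethertype):
    """Return (action, sequence) for one frame; sequence is None on a default."""
    frame_type = "ip" if ethertype == ETH_IPV4 else "mac"
    typed = [e for e in vlan_map if e[1] == frame_type]
    if not typed:
        # No clause of this type anywhere in the map: implicit forward.
        return ("forward", None)
    for seq, _, entries, action in sorted(typed):
        if acl_permits(entries, src, dst):
            return (action, seq)
    # Clauses of this type exist but none matched: implicit drop.
    return ("drop", None)

# Constructed sample frames: (source MAC, destination MAC, EtherType)
FRAMES = [
    ("0000.0000.0000", "ffff.ffff.ffff", 0x0806),  # ARP from the zero MAC
    ("0000.0000.0000", "0011.2233.4455", 0x0800),  # IPv4 from the zero MAC
    ("0011.2233.4455", "ffff.ffff.ffff", 0x0806),  # ARP from a normal host
]

def evaluate(frames=FRAMES, vlan_map=L2MAP):
    """Evaluate every sample frame against the VLAN map."""
    return [vlan_map_action(vlan_map, *f) for f in frames]

if __name__ == "__main__":
    for frame, result in zip(FRAMES, evaluate()):
        print(frame, "->", result)
```

In this model the IPv4 frame sourced from 0000.0000.0000 is forwarded by the implicit default because the map contains no IP match clause, while the non-IP frame from the same source is dropped at sequence 20.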

Similar Messages

  • MAC ACL is not working

    Hi,
    I want to block a PC (MAC address) from accessing a Router (Network) in a simple network as follows-
    So, I applied MAC ACL to fa2/1 interface of switch.
    Switch(config)#mac access-list extended test1
    Switch(config-ext-macl)#deny host <mac of PC> any
    Switch(config-ext-macl)#permit any any
    Switch(config-ext-macl)#exit
    Switch(config)#int fa2/1
    Switch(config-if)#mac access-group test1 in
    But, still PC is able to ping Router. It seems that MAC ACL is not working here.
    Pls, let me know what's wrong here.
    Thanks,
    Subrata

  • Which method gets more CPU: "NBAR QOS" or "acl matched" by policymap?

    hi
    Which method gets more CPU: "NBAR QOS" or "acl matched" by policymap?
    assume i made NBAR to match http protocol
    and assume i made acl that match port 80 and match any ip
    which one will get more cpu resources ??
    the NBAR
    or
    acl?
    and why?
    regards

  • Mac ACL's and other acl questions

    I can't for the life of me get a mac acl to be accepted. I keep getting the
    "MIB index is out of range...index must be bigger then 0 and Existing ifindex"
    This error message is meaningless to me and gives No clue as to what the real
    issue is. I have filled in ALL the ungrayed boxes.
    I am running 1.1.2.0 on SF302-08
    Can someone post a screenshot or provide fields of a mac acl that was actually
    accepted?? I need to figure out what I'm doing wrong.
    thanks,
    walter

    Got to the bottom of it....Seems that the issue is an incompatibility between the GUI/Firefox and the
    switch. If I use Chrome or IE, I can create the mac ace.

  • Exporting MAC ACL to a file?

    Since I have to use WEP (not really secure) on my network in order to allow some older devices to connect, I have also enabled MAC Address Access Control (also not secure) to at least be able to prove that any unauthorized access is not accidental.
    The predecessor to Airport Utility allowed me to save the MAC address list to a file also, but that seems to be a missing feature now. I rummaged in the saved .baseconfig file and saw no hint that the access control list is in there. There isn't even a binary element that's big enough to be hiding it.
    Do I have to copy down the MAC ACL manually? And re-enter it manually to restore it?

  • 3650 MAC ACL Problem

    Dear All,
    We installed cat3k_caa-universalk9.SPA.03.03.00.SE.150-1.EZ.bin IOS version in our 3650-24TDS.
    We configured a MAC ACL on each port. We are trying to add 1000+ permit lines to an extended MAC ACL; when we add more than 600 or 650 permit lines we get the error below.
    “Aug  7 05:48:37.732: %ACL_ERRMSG-4-UNLOADED: 1 fed:  Input MAC Port ACL on interface Gi1/0/1 for label 4 on asic0 could not be programmed in hardware and traffic will be dropped.”
    Kindly requesting help!

    Hey,
    Check the TCAM utilization and sdm template you are using on the box. Share the following outputs:
    #show plat tcam utilization
    #show sdm prefer
    HTH.
    Regards,
    RS.

  • What is the maximum MAC ACL Configuration?

    We are to implement MAC ACL on ME3400 with version 12.2. I just want to know what is the maximum number of permit/deny statements that can be configured and what is the impact?

  • Can't add new MAC address to MAC ACL on Airport Express

    Hi,
    I just recently got a new iPhone 3GS. When I logged into my Airport Express to add its MAC address to the ACL I found that the + icon was greyed out. I can modify old MAC addresses in the list and delete addresses, but I can't add new ones. Anyone have any idea why this might be the case? It seems like I can modify all other settings without any problems. I restarted the basestation, no help. I also even reset the password just in case; as you might expect, that didn't help either. Any thoughts? Thanks.
    Setup:
    WDS with 2 other access points
    Mac Address Access Control set to "Local"

    If you are configuring the router as MGCP, you do not enter the mac address, just the router name.

  • ACL matching for traffic-shape...bug?

    I am using a C6503-E.
    My goal:  create a traffic-shape rule on an interface (in this case g3/7) which will restrict all traffic between two internal addresses (10.0.0.7 and 10.1.0.6) on port 2152 to 128Kbps, and allow all other traffic to pass unfettered.
    I am aware that the 6500 series ACLs are hardware based, and that some counters will not show up in the normal 'show access-list' display.
    I have created an access list which increments when tagged with a 'log' modifier, so i know that it is hit when placed on the interface, but when referenced in a traffic-shape command, the traffic is not shaped.  Unfortunately, the traffic-shape command will not allow the use of the 'log' modifier, so I'm stuck with my imperfect 'the ACL works in this scenario, but not this scenario' method.
    Extended IP access list 195
        10 permit udp host 10.0.0.7 eq 2152 host 10.1.0.6 eq 2152 log (2822 matches)
    interface GigabitEthernet3/7
     ip address 10.2.0.1 255.255.255.252
     no ip redirects
     traffic-shape group 195 128000 7936 7936 1000
                      Acc. Queue Packets   Bytes     Packets   Bytes     Shaping
    I/F               List Depth                     Delayed   Delayed   Active
    Gi3/7               195 0     0         0         0         0         no
    Any ideas on why an ACL wouldn't get hit in a traffic-shape rule, when it clearly gets hit when used strictly for access?
    Thanks!

    Please post your entire QoS config.
    Your access list is just doing matching; it is not doing any setting for your DSCP values.
    Also, I think the Polycom's are IP precedence aware and set their outgoing VC packets to 5.
    Also, matching protocol 46 (RSVP) isn't really going to help - RSVP does not transport application data. It is only used for requesting resources from the network.
    Also, a Cisco search for QoS and Polycom returns this url: http://www.cisco.com/en/US/tech/tk652/tk701/technologies_tech_note09186a0080111c1b.shtml
    -Eric
