MAC Access List Question

Can somebody please help me understand something?

Whats the difference between typing just the MAC address or typing host then the MAC Address?

Switch2(config)#mac access-list extended NAME
Switch2(config-ext-macl)#deny ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host

or

Switch2(config-ext-macl)#deny host ?
H.H.H 48-bit source MAC address

As the source.

Many Thanks

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

SharkDiver

Aha!
I learned something new on this one.

When you put the MAC address in without "host", the IOS will expect that to be followed by a source-mac-address-mask very similar to the way you would do a regular ACL. The mask would be entered in the format of the MAC address (xxxx.xxxx.xxxx) or could be abbreviated to 0.0.0

When you use "host" before the MAC address, you can then skip the mask just like in a regular ACL.

I had never seen this before, but it is on this Cisco document here:
(The link should take you right to the section, but if it doesn't, it's in the "mac access-list extended" section.)
Cisco IOS LAN Switching Command Reference - mac address-group through revision* [Support] - Cisco Systems

SharkDiver

Another interesting thing is that the mac-address-mask is actually more of a "wildcard mac-address-mask".
0.0.0 is the same as using the "host" command.

Roguetadhg

SharkDiver wrote: »

Another interesting thing is that the mac-address-mask is actually more of a "wildcard mac-address-mask".
0.0.0 is the same as using the "host" command.

Basicly works like a normal ACL, just with Mac addresses.

I could see MAC addressing ACLs useful for allowing a small number of users with a large DHCP through to a destination. I can't think of any other way. I has a headache -_-

CodeBlox

Didn't know there was such a thing as a MAC ACL. BUT, it looks like (as stated above) that it works just like an IP ACL where you specify your wild card mask. I believe "host" translates to 0.0.0.0 in an IP ACL.

SharkDiver

Yes, it works just like an IP ACL.
I just thought it was interesting that they didn't refer to the mask as a wildcard mask, even though it obviously is.

Futura

superb, thank you.

B]no[/B {permit | deny} {{src-mac mask | any} {dest-mac mask | any} I]protocol[/I] [[B]vlan[/B] [I]vlan[/I B]cos[/B] [I]value[/I]}

Enter MAC-address masks as three 4-byte values in dotted hexadecimal format. Use 1 bit as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).

can any body think of a situation where you would use this feature, especially as they are inbound only!

SharkDiver wrote: »

When you put the MAC address in without "host", the IOS will expect that to be followed by a source-mac-address-mask very similar to the way you would do a regular ACL. The mask would be entered in the format of the MAC address (xxxx.xxxx.xxxx) or could be abbreviated to 0.0.0

When you use "host" before the MAC address, you can then skip the mask just like in a regular ACL.