
MAC Access List Question

Futura Member Posts: 191
Can somebody please help me understand something?

What's the difference between typing just the MAC address or typing host then the MAC address?


Switch2(config)#mac access-list extended NAME
Switch2(config-ext-macl)#deny ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host

or

Switch2(config-ext-macl)#deny host ?
H.H.H 48-bit source MAC address

As the source.

Many Thanks

Comments

  • SharkDiver Member Posts: 844
    Aha!
    I learned something new on this one.

    When you put the MAC address in without "host", the IOS will expect that to be followed by a source-mac-address-mask, very similar to the way you would do a regular ACL. The mask would be entered in the format of the MAC address (xxxx.xxxx.xxxx) or could be abbreviated to 0.0.0.

    When you use "host" before the MAC address, you can then skip the mask just like in a regular ACL.

    I had never seen this before, but it is on this Cisco document here:
    (The link should take you right to the section, but if it doesn't, it's in the "mac access-list extended" section.)
    Cisco IOS LAN Switching Command Reference - mac address-group through revision* [Support] - Cisco Systems
  • SharkDiver Member Posts: 844
    Another interesting thing is that the mac-address-mask is actually more of a "wildcard mac-address-mask".
    0.0.0 is the same as using the "host" command.
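The two SharkDiver replies above describe how the mask works: a 1 bit is a wildcard ("don't care"), so 0000.0000.0000 (abbreviated 0.0.0) means an exact match, which is exactly what the "host" keyword stands for. The following Python model is an added example, not code from the thread or from Cisco; it assumes only the operand forms the router's "?" help lists (any, host H.H.H, or H.H.H followed by a mask) and the usual top-down, first-match, implicit-deny evaluation. The vlan/cos/protocol options quoted later in the thread are not modelled.

```python
# Added example (not from the thread): a minimal model of Cisco-style MAC ACL
# matching. Mask semantics: a 1 bit means "ignore this bit", a 0 bit means
# "must match". So mask 0000.0000.0000 == exact match == the "host" keyword,
# and "any" is equivalent to a mask of ffff.ffff.ffff.
from typing import List, Tuple

FULL = 0xFFFFFFFFFFFF           # 48 bits of ones
Operand = Tuple[int, int]       # (address, wildcard mask)
ANY: Operand = (0, FULL)        # every bit wildcarded


def parse_mac(text: str) -> int:
    """Parse IOS dotted-hex H.H.H (e.g. 0011.2233.4455) into a 48-bit int.

    IOS lets each 16-bit group be abbreviated, so "0.0.0" == "0000.0000.0000".
    """
    groups = text.lower().split(".")
    if len(groups) != 3:
        raise ValueError(f"expected H.H.H form, got {text!r}")
    value = 0
    for g in groups:
        if not g or len(g) > 4:
            raise ValueError(f"bad group {g!r} in {text!r}")
        value = (value << 16) | int(g, 16)
    return value


def fmt_mac(value: int) -> str:
    """Render a 48-bit int back into the xxxx.xxxx.xxxx form."""
    h = f"{value:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_operand(tokens: List[str], i: int) -> Tuple[Operand, int]:
    """Parse one source/destination operand starting at tokens[i].

    Forms, as the router's '?' help lists them:
      any            -> match everything (mask of all ones)
      host H.H.H     -> exact match (mask of all zeros)
      H.H.H H.H.H    -> address followed by a wildcard mask
    Returns ((address, mask), index of the next unread token).
    """
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (parse_mac(tokens[i + 1]), 0), i + 2
    # Bare address: IOS insists on a mask as the next token (the questioner's case).
    return (parse_mac(tok), parse_mac(tokens[i + 1])), i + 2


def parse_ace(line: str) -> Tuple[str, Operand, Operand]:
    """Parse 'permit|deny <src operand> <dst operand>' into its parts."""
    tokens = line.split()
    action = tokens[0]
    if action not in ("permit", "deny"):
        raise ValueError(f"expected permit or deny, got {action!r}")
    src, i = parse_operand(tokens, 1)
    dst, _ = parse_operand(tokens, i)
    return action, src, dst


def matches(addr: int, operand: Operand) -> bool:
    """True when every non-wildcarded bit of addr equals the operand's address."""
    base, mask = operand
    care = FULL ^ mask          # bits that must match
    return (addr & care) == (base & care)


def evaluate(acl: List[str], src_mac: str, dst_mac: str) -> str:
    """Walk the ACL top-down; first match wins; no match -> implicit deny."""
    s, d = parse_mac(src_mac), parse_mac(dst_mac)
    for line in acl:
        action, src, dst = parse_ace(line)
        if matches(s, src) and matches(d, dst):
            return action
    return "deny"               # implicit deny at the end, as in IOS


if __name__ == "__main__":
    # Constructed sample ACL: block one station, allow an OUI range, deny the rest.
    acl = [
        "deny host 0011.2233.4455 any",
        "permit 0011.2200.0000 0000.00ff.ffff any",   # any 0011.22xx.xxxx source
    ]
    for src in ("0011.2233.4455", "0011.22ab.cdef", "0011.23ab.cdef"):
        print(src, "->", evaluate(acl, src, "ffff.ffff.ffff"))
```

Note that "deny host 0011.2233.4455 any" and "deny 0011.2233.4455 0.0.0 any" parse to the identical entry, which is the point of the two replies above; a mask such as 0000.00ff.ffff is the useful case for a bare address, because it matches a whole OUI rather than one station.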
  • Roguetadhg Member Posts: 2,489
    SharkDiver wrote: »
    Another interesting thing is that the mac-address-mask is actually more of a "wildcard mac-address-mask".
    0.0.0 is the same as using the "host" command.

    Basically works like a normal ACL, just with MAC addresses.

    I could see MAC addressing ACLs useful for allowing a small number of users with a large DHCP through to a destination. I can't think of any other way. I has a headache -_-
    In order to succeed, your desire for success should be greater than your fear of failure.
    TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams

  • CodeBlox Member Posts: 1,363
    Didn't know there was such a thing as a MAC ACL. BUT, it looks like (as stated above) that it works just like an IP ACL where you specify your wildcard mask. I believe "host" translates to 0.0.0.0 in an IP ACL.
    Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
  • SharkDiver Member Posts: 844
    Yes, it works just like an IP ACL.
    I just thought it was interesting that they didn't refer to the mask as a wildcard mask, even though it obviously is.
  • Futura Member Posts: 191
    Superb, thank you.

    [no] {permit | deny} {{src-mac mask | any} {dest-mac mask | any} [protocol [vlan vlan] [cos value]]}

    Enter MAC-address masks as three 4-byte values in dotted hexadecimal format. Use 1 bit as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).

    Can anybody think of a situation where you would use this feature, especially as they are inbound only!


    SharkDiver wrote: »

    When you put the MAC address in without "host", the IOS will expect that to be followed by a source-mac-address-mask, very similar to the way you would do a regular ACL. The mask would be entered in the format of the MAC address (xxxx.xxxx.xxxx) or could be abbreviated to 0.0.0.

    When you use "host" before the MAC address, you can then skip the mask just like in a regular ACL.
