MAC Access List Question
Futura
Member Posts: 191
in CCNA & CCENT
Can somebody please help me understand something?
What's the difference between typing just the MAC address or typing host then the MAC Address?
Switch2(config)#mac access-list extended NAME
Switch2(config-ext-macl)#deny ?
H.H.H 48-bit source MAC address
any any source MAC address
host A single source host
or
Switch2(config-ext-macl)#deny host ?
H.H.H 48-bit source MAC address
As the source.
Many Thanks
Comments
-
SharkDiver Member Posts: 844
Aha!
I learned something new on this one.
When you put the MAC address in without "host", the IOS will expect that to be followed by a source-mac-address-mask very similar to the way you would do a regular ACL. The mask would be entered in the format of the MAC address (xxxx.xxxx.xxxx) or could be abbreviated to 0.0.0
When you use "host" before the MAC address, you can then skip the mask just like in a regular ACL.
I had never seen this before, but it is on this Cisco document here:
(The link should take you right to the section, but if it doesn't, it's in the "mac access-list extended" section.)
Cisco IOS LAN Switching Command Reference - mac address-group through revision* [Support] - Cisco Systems
-
SharkDiver Member Posts: 844
Another interesting thing is that the mac-address-mask is actually more of a "wildcard mac-address-mask".
0.0.0 is the same as using the "host" command.
-
Roguetadhg Member Posts: 2,489
SharkDiver wrote: »
Another interesting thing is that the mac-address-mask is actually more of a "wildcard mac-address-mask".
0.0.0 is the same as using the "host" command.
Basically works like a normal ACL, just with MAC addresses.
I could see MAC addressing ACLs useful for allowing a small number of users with a large DHCP through to a destination. I can't think of any other way. I has a headache -_-
In order to succeed, your desire for success should be greater than your fear of failure.
TE Threads: How to study for the CCENT/CCNA, Introduction to Cisco Exams
-
CodeBlox Member Posts: 1,363
Didn't know there was such a thing as a MAC ACL. BUT, it looks like (as stated above) that it works just like an IP ACL where you specify your wildcard mask. I believe "host" translates to 0.0.0.0 in an IP ACL.
Currently reading: Network Warrior, Unix Network Programming by Richard Stevens
-
SharkDiver Member Posts: 844
Yes, it works just like an IP ACL.
I just thought it was interesting that they didn't refer to the mask as a wildcard mask, even though it obviously is.
-
Futura Member Posts: 191
Superb, thank you.
[no] {permit | deny} {{src-mac mask | any} {dest-mac mask | any} [protocol [vlan vlan] [cos value]]}
Enter MAC-address masks as three 4-byte values in dotted hexadecimal format. Use 1 bit as a wildcard. For example, to match an address exactly, use 0000.0000.0000 (can be entered as 0.0.0).
Can anybody think of a situation where you would use this feature, especially as they are inbound only!
SharkDiver wrote: »
When you put the MAC address in without "host", the IOS will expect that to be followed by a source-mac-address-mask very similar to the way you would do a regular ACL. The mask would be entered in the format of the MAC address (xxxx.xxxx.xxxx) or could be abbreviated to 0.0.0
When you use "host" before the MAC address, you can then skip the mask just like in a regular ACL.
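
The wildcard-mask behaviour discussed in this thread, as an added Python example that is not part of any post or of Cisco's documentation. It models only the source clause of a MAC ACL entry; the function names, the constructed sample ACL and the implicit deny at the end of the list are assumptions of this sketch.

```python
import string

FULL = 0xFFFFFFFFFFFF  # 48 one-bits

def parse_mac(text):
    """Parse Cisco H.H.H notation (1-4 hex digits per group) to a 48-bit int."""
    groups = text.split(".")
    if len(groups) != 3:
        raise ValueError(f"expected H.H.H, got {text!r}")
    value = 0
    for g in groups:
        if not 1 <= len(g) <= 4 or any(c not in string.hexdigits for c in g):
            raise ValueError(f"bad group {g!r} in {text!r}")
        value = (value << 16) | int(g, 16)
    return value

def parse_source(clause):
    """'any' | 'host MAC' | 'MAC MASK' -> (address, wildcard mask)."""
    tokens = clause.split()
    if tokens == ["any"]:
        return 0, FULL
    if len(tokens) == 2 and tokens[0] == "host":
        return parse_mac(tokens[1]), 0          # host == mask 0.0.0
    if len(tokens) == 2:
        return parse_mac(tokens[0]), parse_mac(tokens[1])
    raise ValueError(f"unrecognised source clause: {clause!r}")

def source_matches(clause, mac):
    """A 1 bit in the mask is a wildcard; only the 0 bits are compared."""
    addr, wild = parse_source(clause)
    care = ~wild & FULL
    return (parse_mac(mac) & care) == (addr & care)

def evaluate(acl, mac):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, clause in acl:
        if source_matches(clause, mac):
            return action
    return "deny"

# Constructed sample entries (source clause only), not taken from the thread.
SAMPLE_ACL = [
    ("deny", "host 0011.2233.4455"),
    ("deny", "00aa.bb00.0000 0000.00ff.ffff"),  # any address in one OUI
    ("permit", "any"),
]

if __name__ == "__main__":
    for mac in ("0011.2233.4455", "00aa.bb12.3456", "0022.3344.5566"):
        print(mac, evaluate(SAMPLE_ACL, mac))
```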