Dell PowerConnect 3324 User Manual page 68

Removing ACLs:
1.  Open the Add ACE to MAC Based ACL page.
2.  Click Show All. The ACEs Associated with MAC ACL page opens.
3.  Select an ACL.
4.  Check the Remove ACL check box.
5.  Click Apply Changes. The MAC-based ACL is removed, and the device is updated.
 
Removing ACEs:
1.  Open the Add ACE to MAC Based ACL page.
2.  Click Show All. The ACEs Associated with MAC ACL page opens.
3.  Select an ACE.
4.  Check the Remove check box.
5.  Click Apply Changes. The MAC-based ACE is removed, and the device is updated.
 
Assigning MAC-Based ACEs to ACLs Using the CLI Commands
 
The following is an example. Station A is connected to port 5, and Station B is connected to port 9. Station A has the MAC address 00-0B-CD-35-6A-00 (IP address: 10.0.0.1 255.255.255.0). Station B has the MAC address 00-06-6B-C7-A1-D8 (IP address: 10.0.0.2 255.255.255.0).
 
To implement a MAC ACL on port 5 that allows all traffic to move from Station A to Station B, enter the following CLI commands:
 
permit source mac address destination mac address
 
permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 00-06-6B-C7-A1-D8 0.0.0.0.0.0
 
All traffic that matches the ACL is passed, and all other traffic is denied. (An additional promiscuous deny all is entered at the end of the ACL.)
 
In the above example, Station A tries to send an ICMP ECHO to Station B. The ICMP fails, even though it is permitted by the MAC ACL. The problem is that Station A has no entry for Station B in its ARP table. Station A tries to get the MAC address of Station B with an ARP request, which is a broadcast frame with the source MAC of Station A (00-0B-CD-35-6A-00) and the broadcast destination (FF.FF.FF.FF.FF.FF). This frame is silently dropped because it does not match the MAC ACL that was set up on port 5.
 
To solve this issue, the user has to enter the additional permit line that allows the broadcast frame:
 
permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 FF.FF.FF.FF.FF.FF 0.0.0.0.0.0
 
NOTE:
Even though a user intends to permit traffic from MAC address A to MAC address B, the user cannot succeed with even simple traffic such as ICMP if the additional broadcast is not taken into consideration.
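
The ACL behaviour described above can be checked offline before the ACL is applied to a port. The following Python sketch is an added example, not code from the Dell manual or the switch firmware: it evaluates the two permit lines from this page against constructed frames. It assumes first-match evaluation, assumes that a wildcard bit of 1 means "ignore this bit", and uses a made-up third station (00-11-22-33-44-55); all function and variable names are hypothetical.

```python
import re

MASK48 = (1 << 48) - 1

def mac_to_int(text):
    """Parse six hex octets separated by '-', '.' or ':' into a 48-bit int."""
    octets = re.split(r"[-.:]", text)
    if len(octets) != 6:
        raise ValueError(f"expected six octets, got {text!r}")
    return int.from_bytes(bytes(int(o, 16) for o in octets), "big")

def parse_ace(line):
    """Parse 'permit|deny <src> <src-wildcard> <dst> <dst-wildcard>'."""
    action, *fields = line.split()
    if action not in ("permit", "deny") or len(fields) != 4:
        raise ValueError(f"unsupported ACE: {line!r}")
    return (action, *map(mac_to_int, fields))

def field_matches(value, pattern, wildcard):
    # Assumption: a wildcard bit of 1 means "ignore this bit", so the
    # page's 0.0.0.0.0.0 wildcard requires an exact address match.
    care = ~wildcard & MASK48
    return (value & care) == (pattern & care)

def evaluate(acl_lines, src, dst):
    """Return the first matching ACE's action, else the deny all at the end."""
    s, d = mac_to_int(src), mac_to_int(dst)
    for line in acl_lines:
        action, a_src, a_swc, a_dst, a_dwc = parse_ace(line)
        if field_matches(s, a_src, a_swc) and field_matches(d, a_dst, a_dwc):
            return action
    return "deny"

STATION_A, STATION_B = "00-0B-CD-35-6A-00", "00-06-6B-C7-A1-D8"
BROADCAST = "FF.FF.FF.FF.FF.FF"
ACL_ORIGINAL = ["permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 00-06-6B-C7-A1-D8 0.0.0.0.0.0"]
ACL_WITH_BROADCAST = ACL_ORIGINAL + [
    "permit 00-0B-CD-35-6A-00 0.0.0.0.0.0 FF.FF.FF.FF.FF.FF 0.0.0.0.0.0"]
# Constructed frames arriving on port 5: the ARP request, the ICMP echo
# that follows it, and a broadcast from a made-up third station.
FRAMES = [("ARP request", STATION_A, BROADCAST),
          ("ICMP echo", STATION_A, STATION_B),
          ("other broadcast", "00-11-22-33-44-55", BROADCAST)]

def audit(acl_lines):
    """Map each constructed frame to the ACL decision it receives."""
    return {name: evaluate(acl_lines, src, dst) for name, src, dst in FRAMES}

if __name__ == "__main__":
    for label, acl in (("original", ACL_ORIGINAL), ("fixed", ACL_WITH_BROADCAST)):
        print(label, audit(acl))
```

With the original ACL the ARP request is denied even though the ICMP echo itself would be permitted. With the added line the ARP request passes, while a broadcast from any other source MAC is still denied.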
 
The following table summarizes the equivalent CLI commands for assigning MAC-based ACEs to ACLs as displayed in the Add ACE to MAC Based ACL page.
 
CLI Command: mac access-list name
Description: Creates Layer 2 MAC ACLs, and enters MAC-Access list configuration mode.

CLI Command: permit {any | {host source source-wildcard} any | {destination destination-wildcard}}[vlan vlan-id]
Description: Allows traffic if the conditions defined in the permit statement are matched.

CLI Command: deny [disable-port] {any | {source source-wildcard} any | {destination destination-wildcard}}[vlan vlan-id]
Description: Allows traffic if the conditions defined in the permit statement are matched.


This manual is also suitable for:

Powerconnect 3348