Cisco C1900 on 1921/K9 router. Mac address ACL

Tags: cisco, cisco-commands

I would like to configure a MAC ACL on my cisco router. From the official CISCO documentation I can see this is done by typing:

cisco# configure terminal
cisco(config)# mac access-list <mac-list-name>

However when I use this I get:

cisco(config)#mac access-list mac-Permit
                   ^
% Invalid input detected at '^' marker.

I noticed in config mode there is a command of its own called access-list, and I assume I can use this to configure single rules. Is this where it is supposed to be done, or am I missing something? Why does the mac access-list command not work? Is it not supported on my software version?

Version: c1900-universalk9-mz.SPA.153-1.T1.bin – 15.0(1r)M16

Thanks in advance.

Best Answer

MAC access lists can be defined numerically in any standard IOS in the ranges of 1100-1199 for extended or 700-799 for basic, as such:

router(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <2700-2799>       MPLS access list
  <300-399>         DECnet access list
  <700-799>         48-bit MAC address access list
  compiled          Enable IP access-list compilation
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

router(config)#

So - that's how you define a mac access list. As per my comment, however, it may not behave the way you think it does. It's actually intended for use with bridging - so, for example, blocking a specific MAC address from passing through a bridge group.

It's not really analogous to the MAC filtering you might find on a consumer router in that there isn't a way to simply say "don't accept traffic from mac address x" on a standard routed interface. If you want to use IRB (see CCO Transparent Bridging Configuration Guide) you could put the IP on a BVI and then join it and one or more Ethernet interfaces into a bridge-group and then apply MAC filters via access-expressions on the physical interfaces (...thus allowing/preventing certain MAC addresses, or ranges of addresses, from making it to the BVI).

The best way to put it might actually be that the sort of MAC filtering you see on a consumer network device is actually part of the switch (..to include any integrated AP) while IP-based rules are likely part of the router. To this end - if you were using a Cisco switch then you could apply MAC filters in a pretty straightforward way via VACLs or PACLs. On a device acting as a pure router, however, it's going to be a different story.
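The IRB arrangement the answer describes, written out as a complete configuration. This is an added example, not part of the original question or answer: the interface names (GigabitEthernet0/0, GigabitEthernet0/1, BVI1), the bridge-group number, the 192.0.2.0/24 addressing and the MAC address 0011.2233.4455 being blocked are all assumptions chosen for illustration. The numbered access-list syntax (700-799 for a plain 48-bit MAC list, 1100-1199 for the extended source/destination form) and the bridge-group, access-expression and BVI commands are standard IOS transparent-bridging commands; whether bridging is permitted on a given interface still depends on the platform and feature set.

```cisco
! Added example (not from the original post). Assumes a 1900-series ISR
! with IRB support, two routed Gigabit ports to be bridged, and a BVI
! that carries the IP address the hosts on those ports use as gateway.
configure terminal
!
! --- MAC access lists (only numbered lists exist on a pure router) ---
! 700-799: 48-bit MAC list. Format: <mac> <mask>, where the mask is a
! wildcard (ffff.ffff.ffff = "any"). Deny one host, permit everything else.
access-list 700 deny   0011.2233.4455 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
!
! 1100-1199: extended form with source and destination MAC + masks.
! Example: block frames from the same host bound for the BVI's own MAC
! (placeholder MAC 0000.0c11.2233 is an assumption), permit the rest.
access-list 1100 deny   0011.2233.4455 0000.0000.0000 0000.0c11.2233 0000.0000.0000
access-list 1100 permit 0000.0000.0000 ffff.ffff.ffff 0000.0000.0000 ffff.ffff.ffff
!
! --- Integrated routing and bridging ---
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
! Physical ports: no IP here; they are members of bridge-group 1.
! input-address-list applies the source-MAC filter to frames arriving
! on the port, so the denied host never reaches the BVI (or the other port).
interface GigabitEthernet0/0
 no ip address
 bridge-group 1
 bridge-group 1 input-address-list 700
 no shutdown
!
! Same filter expressed as an access-expression (the form the answer
! mentions): smac(700) tests the source MAC against list 700. Use one
! style or the other on a given port, not both; this port uses the
! access-expression form to show the syntax.
interface GigabitEthernet0/1
 no ip address
 bridge-group 1
 access-expression in smac(700)
 no shutdown
!
! The routed IP address lives on the BVI, not on the physical ports.
interface BVI1
 ip address 192.0.2.1 255.255.255.0
 no shutdown
end
!
! Verification (assumed commands, standard IOS):
!   show access-lists 700        - confirms the MAC list and hit counts
!   show bridge 1                - lists learned MACs per bridge-group port
!   show interfaces BVI1         - BVI up/up once a member port is up
```

Two caveats a practitioner would want before copying this. First, `access-list 700` filters on the source MAC only; if the goal is to stop a host replying to a spoofed address as well, the extended 1100-series list (or the output-address-list direction) is needed. Second, a MAC filter is only a nuisance to an attacker who can change their address, so this belongs with port-level controls on the switch, not as the sole boundary between the LAN and the router.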