The reason why the port forwarding is not working with the access-list applied to the interface is quite simple.
Let's see what happens when the outside client requests the https webpage.
The destination port in the request packet is 443, while the source port is random. This request gets translated by nat at the router, then goes all the way to the server, server answers with the packet sourced from port 443 and destined to that client's random number port.
The packet in its journey back to the client gets to your router, but router wouldn't let the packet leave, because the destination port (that random port) is not specified in the access-list you have created.
And that would be the reason you are looking for.
First, like the others have mentioned you have no bridging loop here due to running a Portchannel. That said, running STP is still fine. Let me clear some confusions on how these commands work on Cisco switches.
spanning-tree portfast trunk
This command is supposed to be run on trunk ports towards non bridging devices, such as a server with multiple VLANs or a router. This command should not be run on trunks towards switches because the port will bypass the listening and learning phase which could potentially create a bridging loop.
If you have an interface configured like this:
interface x/x
spanning-tree portfast
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
BPDU guard will never kick in because BPDU filter is filtering both the outgoing and incoming BPDUs. This also means that the port can never lose its Portfast status which it would normally do if BPDUs were received inbound. If you remove the filter then BPDU guard will kick in and shutdown the port if a BPDU is received. This is done before the port can lose its Portfast operatational state so basically the port will always operate in Porfast operational mode.
If you apply the commands globally instead:
spanning-tree portfast default
spanning-tree portfast bpdufilter default
spanning-tree portfast bpduguard default
The first command enables Portfast on all access ports.
When BPDU filter is applied globally, the difference is that it sends out 11 BPDUs before going silent. Because normally one BPDU is sent out every 2 seconds and the default MaxAge is 20 seconds that means that if there is a device at the other end that can process BPDUs, at least one BPDU would be received when the old BPDU (if there was one) has expired.
If a BPDU is received inbound when BPDU filter is applied globally then the port stops filtering and it will lose its Portfast status.
The BPDU guard default command will only apply to ports that are in a Portfast operational state.
If you combine these three commands together then what will happen is that when a BPDU is received the port loses its BPDU filter, BPDU guard can then kick in. The port will never lose its Portfast operational state because the port is shutdown before.
So you see when applied to the interface BPDU guard can never kick in but if you apply it globally it can.
If you run just Portfast globally and BPDU filter globally then if a BPDU comes in, the port loses the filter and loses the Portfast operational state and will operate as a normal port.
Best Answer
It sounds like you are running out of the limited TCAM space. You could change the SDM. If you are not using this as a layer-3 switch with routing, you could use the
sdm prefer accesscommand to increase the TCAM space for ACLs. This command requires you to reload the switch for it to take effect.This seems like a lot of work for little to no gain. It is very simple to spoof or change a MAC address in a host. Trying to restrict access based on MAC addresses is a fool's game. Anyone could waltz in there and clone a MAC address for his device to connect to your network. There are much better ways to do this. See this question, its comments, and its answers. There are also other question and answer on this site if you search.