Weirdness: MAC ACL and policy routing

Hello, I have a Cisco 3750 with IOS 12.2(25)SEA, EMI version. I added a Layer 2 MAC ACL on my VLAN on the ingress port, which is the port the switch is attached to as uplink.

interface GigabitEthernet1/0/1
 no mdix auto
 mac access-group lan-fi in

mac access-list extended lan-fi
 deny host 0002.b3b1.82f8 any
 deny host 00c0.49da.a072 any
 deny host 0002.b392.6c90 any
 deny host 0008.0d0f.16ff any
 deny host 0011.433e.1751 any
 permit any any

Everything seems to work fine and the MAC addresses in the ACL are blocked. They are blocked everywhere, but not on port 18.

On this port is attached a computer which is responsible for doing NAT; its IP is 172.16.0.253.

There is a policy routing configuration on my 3750 for routing packets which need to be NATted:

route-map eratostene permit 111
 match ip address 111
 set ip next-hop 172.16.0.253

access-list 111 deny ip 172.16.0.0 0.0.255.255 192.84.x.0 0.0.0.255
access-list 111 deny ip 172.16.0.0 0.0.255.255 193.206.x.0 0.0.0.255
access-list 111 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 permit ip 172.17.17.0 0.0.0.255 any

The policy routing rules work fine. What happens is that the MAC addresses in the MAC ACL are not blocked for this host 172.16.0.253, which is in the policy routing configuration. It looks like access-list 111 is processed before the MAC access list, and that the MAC access list is not processed for frames which go to port 18 (host 172.16.0.253), so the MAC addresses I want to filter still go to Gigabit port 18 and are not filtered.

How can I solve this problem?

thanks

Rick
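As an added illustration (not part of Rick's post and not Cisco code), the script below models the two lists from the post with IOS semantics: first match wins, every list ends in an implicit deny, and a 1 bit in a wildcard mask means "don't care". It also models the one thing a practitioner should check first: a port ACL such as `mac access-group lan-fi in` is compared only against frames that enter the port it is bound to (Gi1/0/1 here); a frame entering on any other port is never evaluated against lan-fi, whatever the route-map does afterwards. Assumptions are marked in the code: the interface the route-map is applied to is not shown in the post and is assumed to cover this VLAN's traffic, the third octet the poster redacted as "x" is treated as don't-care (a deliberate widening of those two deny entries that cannot change the result for destinations outside 192.84.0.0/16 and 193.206.0.0/16), and the sample frames are constructed. One further point worth verifying against the configuration guide for this release before redesigning the filter: MAC extended ACLs on Catalyst 3750 Layer 2 ports are documented as filtering non-IP traffic, which matters if the traffic reaching port 18 is IP. `show mac access-group interface gigabitethernet1/0/1` confirms which MAC ACL is bound where.

```python
import ipaddress

# Added example, not Cisco code: evaluates the MAC ACL and IP ACL from the
# post with IOS semantics (first match, implicit deny, wildcard masks).

PORT_ACLS = {"Gi1/0/1": "lan-fi"}   # the only port with "mac access-group ... in"
PBR_NEXT_HOP = "172.16.0.253"       # "set ip next-hop" in route-map eratostene


def mac_to_int(mac):
    """Parse Cisco dotted-hex notation such as 0002.b3b1.82f8."""
    return int(mac.replace(".", ""), 16)


def _mac_matches(spec, mac):
    return spec == "any" or mac_to_int(spec) == mac_to_int(mac)


# mac access-list extended lan-fi, entries exactly as posted
LAN_FI = [
    ("deny",   "0002.b3b1.82f8", "any"),
    ("deny",   "00c0.49da.a072", "any"),
    ("deny",   "0002.b392.6c90", "any"),
    ("deny",   "0008.0d0f.16ff", "any"),
    ("deny",   "0011.433e.1751", "any"),
    ("permit", "any",            "any"),
]


def mac_acl_action(acl, src_mac, dst_mac):
    """First matching entry wins; no match means the implicit deny."""
    for action, src_spec, dst_spec in acl:
        if _mac_matches(src_spec, src_mac) and _mac_matches(dst_spec, dst_mac):
            return action
    return "deny"


def _widen_redacted(addr_spec, wildcard):
    """ASSUMPTION: the post redacts one octet as 'x'.  Treat it as don't-care
    (octet 0, wildcard octet 255).  This widens those deny entries on purpose
    and cannot alter the verdict for destinations outside the two /16s."""
    a_octets = addr_spec.split(".")
    w_octets = wildcard.split(".")
    for i, octet in enumerate(a_octets):
        if octet == "x":
            a_octets[i] = "0"
            w_octets[i] = "255"
    return ".".join(a_octets), ".".join(w_octets)


def _ip_matches(addr_spec, wildcard, addr):
    if addr_spec == "any":
        return True
    addr_spec, wildcard = _widen_redacted(addr_spec, wildcard)
    a = int(ipaddress.IPv4Address(addr_spec))
    w = int(ipaddress.IPv4Address(wildcard))
    x = int(ipaddress.IPv4Address(addr))
    care = ~w & 0xFFFFFFFF          # bits that must be equal
    return (a & care) == (x & care)


# access-list 111 as posted: (action, src, src-wildcard, dst, dst-wildcard)
ACL_111 = [
    ("deny",   "172.16.0.0",  "0.0.255.255", "192.84.x.0",  "0.0.0.255"),
    ("deny",   "172.16.0.0",  "0.0.255.255", "193.206.x.0", "0.0.0.255"),
    ("deny",   "172.16.0.0",  "0.0.255.255", "172.16.0.0",  "0.0.255.255"),
    ("permit", "172.16.0.0",  "0.0.255.255", "any",         None),
    ("permit", "172.17.17.0", "0.0.0.255",   "any",         None),
]


def ip_acl_action(acl, src_ip, dst_ip):
    for action, s, sw, d, dw in acl:
        if _ip_matches(s, sw, src_ip) and _ip_matches(d, dw, dst_ip):
            return action
    return "deny"


def policy_next_hop(src_ip, dst_ip):
    """route-map eratostene permit 111 / match ip address 111: a packet the
    ACL permits is sent to the NAT box; a denied one is routed normally (None)."""
    return PBR_NEXT_HOP if ip_acl_action(ACL_111, src_ip, dst_ip) == "permit" else None


def forward(ingress_port, src_mac, dst_mac, src_ip, dst_ip):
    """Simplified pipeline: the port ACL is consulted only for frames entering
    the port it is bound to; PBR only sees frames that survive it.
    ASSUMPTION: the route-map applies to traffic from this VLAN (not shown)."""
    acl_name = PORT_ACLS.get(ingress_port)
    if acl_name == "lan-fi" and mac_acl_action(LAN_FI, src_mac, dst_mac) == "deny":
        return {"port_acl": "deny", "next_hop": None}
    return {"port_acl": "permit" if acl_name else "not applied",
            "next_hop": policy_next_hop(src_ip, dst_ip)}


if __name__ == "__main__":
    # Constructed sample traffic: a denied MAC on the uplink, the same MAC
    # entering another port, and an allowed host going to the internet and to the LAN.
    cases = [
        ("Gi1/0/1", "0002.b3b1.82f8", "0000.0c07.ac01", "172.16.4.9", "198.51.100.7"),
        ("Gi1/0/5", "0002.b3b1.82f8", "0000.0c07.ac01", "172.16.4.9", "198.51.100.7"),
        ("Gi1/0/1", "0011.2233.4455", "0000.0c07.ac01", "172.16.4.9", "198.51.100.7"),
        ("Gi1/0/1", "0011.2233.4455", "0000.0c07.ac01", "172.16.4.9", "172.16.0.50"),
    ]
    for case in cases:
        print(case[0], case[1], "->", forward(*case))
```

The second sample case is the one to compare against port 18: a frame with a denied source MAC that enters on any port other than Gi1/0/1 is never evaluated against lan-fi and is policy-routed to 172.16.0.253 like any other permitted packet, which is indistinguishable from "the MAC ACL is not processed" when observed at the NAT box.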


Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.