Unsolved


March 27th, 2019 04:00

ip and mac acl on one port?

Hello, I am trying to set up an ACL allowing me to communicate from a port with one specific MAC and one specific IP.

I am using Dell 62xx switches.

At the moment I have something like this:

access-list p17in permit ip a.a.a.a 0.0.0.0 any
access-list p17in permit icmp a.a.a.a 0.0.0.0 any
mac access-list extended p17in
permit aaaa:aaaa:aaaa 0000.0000.0000 any
exit

interface ethernet 1/g17
mac access-group p17in in 2
ip access-group p17in in 3

So in this case only the first access-list (the one with the lower sequence number in the interface section) ever works. I understand why, but I have no idea how to make both ACLs work at the same time (only one MAC address and only one IP address).

Any ideas?

Moderator


March 27th, 2019 10:00

Hi,

Once it matches the permit on one of the ACLs it is allowed and it doesn’t test the second ACL. Having both rules will block things that don’t match either, but if one matches it will permit.


March 28th, 2019 03:00

Thank you for your reply.

It's impossible IMHO to leave 1 IP this way.

If I had 128.0.0.1 then I should:

deny 0.0.0.0 255.255.255.127 any
deny 128.0.0.2 0.0.0.1 any
deny 128.0.0.3 0.0.0.2 any
(1000 ACE later)
deny 129.0.0.0 0.255.255.255 any
(and any other /8 or bigger subnet)

As far as I know, there is no way to do:

deny not  0.0.0.0 any
So I am wondering if there is a simple way to do what I want. Or is it just impossible with those switches?
I want to accept only one mac address with one specific IP.
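The evaluation order the moderator describes, as an added Python model that is not part of the thread (the MAC address, IP address and ACL names are constructed placeholders, and `intended_decision` is a hypothetical helper, not a switch feature): the bound ACLs are walked in sequence-number order and the first matching ACE decides, so a host with the allowed MAC can use any IP and any host can use the allowed IP, whereas the poster wants both checks to pass.

```python
# Added example (not from the thread): a model of how the poster's MAC ACL and
# IP ACL behave when bound to one port with separate sequence numbers. The
# switch walks the bindings in sequence order and the first ACE that matches
# decides the packet, so the two ACLs are OR-ed together, not AND-ed.
import ipaddress

def ip_matches(pkt_ip: str, addr: str, wildcard: str) -> bool:
    """Wildcard match as in 'permit ip a.a.a.a 0.0.0.0 any': a 1 bit in the
    wildcard means 'don't care', 0.0.0.0 means exact host match."""
    p, a, w = (int(ipaddress.IPv4Address(x)) for x in (pkt_ip, addr, wildcard))
    return (p & ~w & 0xFFFFFFFF) == (a & ~w & 0xFFFFFFFF)

def mac_matches(pkt_mac: str, addr: str, mask: str) -> bool:
    """MAC ACE mask works the same way: 0000.0000.0000 means exact match."""
    to_int = lambda m: int(m.replace(".", "").replace(":", ""), 16)
    p, a, w = to_int(pkt_mac), to_int(addr), to_int(mask)
    return (p & ~w) == (a & ~w)

# Each ACE is (action, matcher). These constructed ACLs mirror the poster's
# config with invented placeholder values (10.0.0.5 and 0011.2233.4455).
IP_ACL = [("permit", lambda pkt: ip_matches(pkt["ip"], "10.0.0.5", "0.0.0.0"))]
MAC_ACL = [("permit", lambda pkt: mac_matches(pkt["mac"], "0011.2233.4455",
                                                "0000.0000.0000"))]

# Interface binding as in 'mac access-group p17in in 2' / 'ip access-group p17in in 3'.
PORT_1_G17 = [(2, MAC_ACL), (3, IP_ACL)]

def switch_decision(bindings, pkt) -> str:
    """Switch semantics from the thread: first matching ACE across the bound
    ACLs (in sequence order) wins; if nothing matches, implicit deny."""
    for _, acl in sorted(bindings, key=lambda b: b[0]):
        for action, matcher in acl:
            if matcher(pkt):
                return action
    return "deny"

def intended_decision(bindings, pkt) -> str:
    """Hypothetical helper showing what the poster wants: the packet must be
    permitted by every bound ACL (MAC AND IP), which the binding above does not give."""
    for _, acl in bindings:
        if switch_decision([(0, acl)], pkt) != "permit":
            return "deny"
    return "permit"
```

Running `switch_decision` on a packet with the allowed MAC and a foreign IP returns "permit", which is the gap the poster is trying to close.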
