Unsolved
February 22nd, 2006 01:00
3324/48 Unable to bind MAC ACL
port storm-control rate fastethernet 100000
spanning-tree mode rstp
interface range ethernet 1/e(1-24),1/g(1-2)
spanning-tree portfast
exit
interface range ethernet 1/e(1,6,9,12,14,16,24),1/g(1-2)
spanning-tree cost 100
exit
interface range ethernet 1/e(2-5,7-8,10-11,13,15,17-23)
spanning-tree cost 19
exit
interface ethernet 1/e1
speed 100
exit
interface range ethernet 1/e1,1/g(1-2)
duplex full
exit
interface range ethernet 1/g(1-2)
speed 1000
exit
interface vlan 1
ip address 192.168.1.102 255.0.0.0
exit
ip default-gateway 192.168.1.1
no qos
mac access-list kappa
permit 00:11:11:3b:5d:c6 00:00:00:00:00:00 any vlan 1
permit 00:08:a1:1e:a7:f3 00:00:00:00:00:00 any vlan 1
permit 00:12:10:52:0b:1b 00:00:00:00:00:00 any vlan 1
exit
hostname "Basement 24 Port"
-----------------------------------------------
Any help with this issue would be greatly appreciated!
Regards,
James.
DELL-Cuong N.
February 22nd, 2006 14:00
I notice you are setting the port configuration to fixed speed and duplex. This may cause serious problems in your network unless you are certain that both sides of the link are configured to the same speed/duplex setting. If you configure the port on this switch as fixed but the other switch is configured for auto-negotiation (especially if the other side of this connection is in a provider network and you have no control over it, or if the other side is a NIC on a workstation where you cannot change the setting to also be fixed instead of auto), then it is more than likely that you will end up with a duplex mismatch on your network - likely on the side that is configured as auto-negotiation. If this happens you will start to notice very poor performance at first, then eventually total link failure may occur. This is a very typical problem in the network. It is incorrect to assume that if you force the configuration on one side and the other is set to auto-negotiation, the other side will correctly negotiate to the same speed you configured. Instead, by standard definition, if one side is configured to fixed speed/duplex and the other side is set up for auto-negotiation, the auto-negotiating side will actually link up at the correct speed but half-duplex instead. This is a very bad problem to have.
BTW, for this particular problem you are trying to solve - namely only allowing specific MACs into the switch on a given port - it might be easier to use the "port security" feature on the switch to do that - look at this section: <ADMIN NOTE: Broken link has been removed from this post by Dell>
The way you want to do this is first to allow the switch to learn all the MACs for all the systems you want to allow on (make the end system send some message - ping or whatever - to cause the switch to learn the MAC). Once you get them on the switch ("show bridge address" will show you what was learned), then lock the port so that it will no longer learn any new address (use the "port security" command). After that you can add new MACs statically to the port using the "bridge address" command and remove the MACs you don't want using the "no bridge address" command. Once you enable port security, only known fixed MACs will be allowed (you actually can set up your policy using these commands - see the section above).
Cuong.
Jgasser
February 23rd, 2006 00:00
Hi Cuong,
Many thanks for your help. I wiped out the switch and reloaded the latest BIOS on it:
332448-1206.dos
Unfortunately I am still having the same problem. I created the ACL in the line console via hyperterminal with the:
console(config)# mac access-list kappa
I then copied and pasted in my master MAC list of 130 entries. They look like this in the original document:
permit 00:00:c5:85:4b:cc 00:00:00:00:00:00 any vlan 1
permit 00:0f:1f:b4:2c:14 00:00:00:00:00:00 any vlan 1
permit 00:0d:56:e8:4c:d5 00:00:00:00:00:00 any vlan 1
permit 00:e0:b8:70:71:ac 00:00:00:00:00:00 any vlan 1
I slowed down the line speed to 1500 ms to make sure that no entries were misentered. After that I did:
console(config)# int eth 1/e1
console(config-if)# service-acl input kappa
console(config-if)# exit
console(config)# int eth 1/e2
console(config-if)# service-acl input kappa
console(config-if)# exit
console(config)# int eth 1/e3
console(config-if)# service-acl input kappa
Can't apply kappa to interface 1/e3, due to lack of HW resources
console(config-if)# exit
console(config)# exit
console# show interface access-lists
Interface Input ACL
--------- ----------
1/e1 kappa
1/e2 kappa
So not only does it fail to apply on 1/e3 but I verified that a network card that isn't in my master MAC list can still hit the router, which is connected to 1/e1. I know this because it is able to get an IP address via DHCP. Below is my saved config file (with the MAC addresses and password info excised again) in case that is of use to you:
spanning-tree mode rstp
interface range ethernet 1/e(1-24),1/g(1-2)
spanning-tree portfast
exit
interface range ethernet 1/e(1,3,5,7,9,11-12,14-15,18-22,24),1/g(1-2)
spanning-tree cost 100
exit
interface range ethernet 1/e(2,4,6,8,10,13,16-17,23)
spanning-tree cost 19
exit
interface vlan 1
ip address 192.168.1.102 255.255.255.0
exit
ip default-gateway 192.168.1.1
mac access-list kappa
permit 00:00:c5:85:4b:cc 00:00:00:00:00:00 any vlan 1
permit 00:04:23:4d:8a:02 00:00:00:00:00:00 any vlan 1
exit
interface range ethernet 1/e(1-2)
service-acl input kappa
exit
Thanks again for your help and I appreciate you taking the time to look over these things. Unfortunately using the MAC learning bridge may not work for us as we have mobile users that will use different ports throughout the day. I appreciate any suggestions though. Have a good night.
Regards,
James.
DELL-Cuong N.
February 23rd, 2006 14:00
Hi, I investigated this problem and one of my colleagues told me about a known ASIC limitation on this switch which will prevent you from actually applying the documented 248 ACEs per FE port. Apparently there are multiple banks of ports: FE ports 0-7, FE ports 8-15, FE ports 16-23, GE port 24, and GE port 25, which are actually sharing the ACE rules and masks. Each table has 128 entries (123 are usable) and 16 masks (12 are usable). Because of this limit the switch ASIC actually doesn't allow you to configure as many ACEs per FE port as would theoretically be possible on this design.
As for using the "port security" function, I think you can still use it. I'm assuming that you do know the set of all MACs that the mobile users will be using? Even if you were using ACLs you would still need to know all those MACs, correct? So with ACLs you were trying to set up a list of MACs and apply them to each port. Using the "port security" feature you would add the fixed MACs to the ports on which they would enter. For the mobile MACs, which I assume are far fewer than the 130 MACs you mentioned, you can either add all those mobile MACs, even if they are not always active, to the ports to which they would connect if they were active; or, if that doesn't work, then for the smaller set of mobile MACs you can go ahead and create the ACL with those MACs and add it to the ports. So you may be able to work around this problem using both "port security" (for the static MACs) and ACL/ACEs for the mobile MACs (assuming there are far fewer mobile MACs).
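As an added example, not part of the thread and not Dell's code, here is a Python script that turns the two replies above into something you can run before touching the console: it applies the split Dell suggests (static MACs pinned with "bridge address" and "port security", the mobile MACs in one MAC ACL) to an inventory, normalizes and de-duplicates the MAC list so a paste cannot carry mis-entered or repeated lines, emits the ACL in exactly the form used in the thread, and checks the ACL against the per-bank budget quoted in the last reply (123 usable entries, 12 usable masks). Assumptions: the argument keywords "permanent" and "discard" are taken from the PowerConnect CLI reference and are not confirmed anywhere in the thread, so verify them on your firmware; the accounting of one table entry per ACE and a single shared mask for ACEs with the same match pattern is my reading of the ASIC description, not a measured fact; the sample inventory and its port assignments are constructed for the example.

```python
import re
from collections import defaultdict

# Per-bank budget as stated in Dell's reply: 128 entries (123 usable) and
# 16 masks (12 usable), shared by FE ports 0-7, 8-15, 16-23 and each GE port.
USABLE_ENTRIES = 123
USABLE_MASKS = 12


def normalize_mac(raw):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or bare hex
    and return the lower-case colon form the 3324 CLI uses. Anything that is
    not exactly 12 hex digits raises, which catches the kind of mis-entry a
    slow paste into the console was meant to avoid."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw.strip())
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % raw)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def build_mac_acl(name, macs, vlan=1):
    """Emit the ACL in the form used in the thread (exact source MAC, zero
    wildcard mask, any destination, one VLAN), dropping duplicates, and return
    (lines, entries, masks). Every ACE has the same match pattern, so all of
    them are assumed to share one mask; each distinct ACE costs one entry."""
    lines = ["mac access-list %s" % name]
    seen = []
    for raw in macs:
        mac = normalize_mac(raw)
        if mac in seen:
            continue  # a repeated MAC would only burn table space
        seen.append(mac)
        lines.append("permit %s 00:00:00:00:00:00 any vlan %d" % (mac, vlan))
    lines.append("exit")
    return lines, len(seen), 1


def acl_fits(entries, masks):
    """True if an ACL of this size can be bound to a port at all, i.e. it fits
    the usable part of one shared bank before anything else is in it."""
    return entries <= USABLE_ENTRIES and masks <= USABLE_MASKS


def port_security_config(static, vlan=1):
    """Static MACs pinned to their home ports the way Dell's reply describes:
    'bridge address' entries on the VLAN plus 'port security' on each port.
    The keywords 'permanent' and 'discard' are an assumption taken from the
    PowerConnect CLI reference; check them against the firmware you run."""
    by_port = defaultdict(list)
    for raw, port in static:
        by_port[port].append(normalize_mac(raw))
    lines = ["interface vlan %d" % vlan]
    for port in sorted(by_port):
        for mac in by_port[port]:
            lines.append("bridge address %s ethernet %s permanent" % (mac, port))
    lines.append("exit")
    for port in sorted(by_port):
        lines += ["interface ethernet %s" % port, "port security discard", "exit"]
    return lines


def plan_hybrid(inventory, acl_name="kappa", vlan=1):
    """Split an inventory of (mac, home_port_or_None) into the two mechanisms
    Dell suggests: port security for MACs with a fixed port, one MAC ACL for
    the mobile ones, and report whether that ACL fits the ASIC budget."""
    static = [(m, p) for m, p in inventory if p]
    mobile = [m for m, p in inventory if not p]
    acl_lines, entries, masks = build_mac_acl(acl_name, mobile, vlan)
    return {
        "static_config": port_security_config(static, vlan),
        "acl": acl_lines,
        "acl_entries": entries,
        "acl_fits": acl_fits(entries, masks),
    }


# Constructed sample (not the poster's real list): the three MACs from the
# first config in the thread in mixed notations, pinned to made-up ports,
# plus a few mobile machines (locally administered addresses).
SAMPLE_INVENTORY = [
    ("00:11:11:3b:5d:c6", "1/e5"),
    ("00-08-A1-1E-A7-F3", "1/e6"),
    ("0012.1052.0b1b", "1/e6"),
    ("02:00:5e:00:00:01", None),
    ("02:00:5e:00:00:02", None),
    ("02:00:5E:00:00:01", None),  # duplicate of the first mobile MAC
]

if __name__ == "__main__":
    plan = plan_hybrid(SAMPLE_INVENTORY)
    print("\n".join(plan["static_config"] + plan["acl"]))
    print("mobile ACL: %d entries, fits=%s" % (plan["acl_entries"], plan["acl_fits"]))
    # The original 130-entry list cannot fit one bank even once.
    _, n, m = build_mac_acl("kappa", ["02:00:5e:00:%02x:%02x" % (i // 256, i % 256)
                                      for i in range(130)])
    print("130-entry ACL fits:", acl_fits(n, m))
```

The interesting output is the last line: a single 130-entry ACL exceeds the 123 usable entries of a bank before it is bound to anything, which is the "lack of HW resources" seen in the thread regardless of which port it is applied to; the plan only becomes viable once the fixed machines are moved to port security and the ACL shrinks to the mobile set.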