I don't think you can filter based on MAC with Ethernet... There is a technology with which you can, but I'm drawing a blank on what it was. I think it was Token Ring only or some such nonsense. I think that it's irrelevant, however, since it's still a router function and the switching engine is still going to blissfully forward packets and ignore your access-lists.
--Tim

Christian Fredrickson wrote:
>
> IP standard access list
> IP extended access list
> IP standard access list (expanded range)
> IP extended access list (expanded range)
>
> Then is it possible to create an access list based on the host
> MAC address?
>
> Chris
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, May 02, 2002 8:36 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Problem with access-list [7:43021]
>
>
> OK, I'm not an all-powerful CCIE, but I'll take a stab at this.
>
> Applying an access list to a switch is only going to limit access to and
> from your management interface. Switched traffic through the switch is
> still switched traffic, and by and large, a switch doesn't ever look at IP
> information, thus wouldn't filter anything based on an IP address.
>
> That would explain why you can't ping the host from the switch (I'd imagine
> you are getting a "Request Timed Out") but the traffic from the outside
> world still gets through.
>
> Also, what's up with the "2000" access list? Would not an extended IP list
> be 100-199?
>
> --Tim
>
> Christian Fredrickson wrote:
> >
> > Running a Cisco switch 3548XL
> > Trying to block a specific IP address. The access-list looks like:
> > (I substituted the IP addresses)
> > access-list 2000 deny ip host ip_address any
> > access-list 2000 permit ip range.0 0.0.0.255 any
> > access-list 2000 deny ip any any
> >
> > All ports on this switch belong to the same VLAN and all other switches use
> > this switch to get to the upper layer switch and use that to get to the
> > router. The vlan looks like:
> > (I substituted the IP addresses)
> > interface VLAN1
> > description line
> > ip address switch_ip 255.255.255.0
> > ip access-group 2000 in
> >
> > But I can still ping the host from external addresses. Why is this ACL not
> > working?
> >
> > Thank you all in advance.
> >

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=43153&t=43021
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
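The two points the thread circles around, as an added worked model that is not code from any of the posters or from Cisco: first, numbered IP ACL 2000 is legal on IOS because 2000-2699 is the expanded extended range (the `show` output Chris quotes lists it), and second, an ACL applied with `ip access-group ... in` on a Layer 2 switch's management SVI is only consulted for packets addressed to the switch itself; frames the 3548XL forwards between ports never pass through it. The script below parses the thread's three-line ACL (with wildcard masks and first-match semantics, ending in the implicit deny), then runs a deliberately simplified forwarding model over it. The addresses 192.0.2.0/24, 192.0.2.1 (switch SVI) and 203.0.113.10 (blocked host) are constructed placeholders for the ones Chris substituted, and `l2_switch_forwards()` is an assumption about the switch's behaviour, not an emulation of the platform.

```python
"""Model of a numbered Cisco IOS IP ACL applied inbound on a Layer 2 switch's
management SVI.  Constructed example for the thread above; addresses are
documentation placeholders (RFC 5737), and the forwarding model is a
simplification, not a 3548XL emulator.
"""
import ipaddress
from dataclasses import dataclass

# Numbered IP ACL ranges on IOS: standard 1-99 and 1300-1999,
# extended 100-199 and 2000-2699 (the "expanded range" entries Chris quotes).
STANDARD_RANGES = [(1, 99), (1300, 1999)]
EXTENDED_RANGES = [(100, 199), (2000, 2699)]

MASK32 = 0xFFFFFFFF


def acl_type(number: int) -> str:
    """Classify a numbered IP ACL, or raise if the number is not valid."""
    if any(lo <= number <= hi for lo, hi in STANDARD_RANGES):
        return "standard"
    if any(lo <= number <= hi for lo, hi in EXTENDED_RANGES):
        return "extended"
    raise ValueError(f"{number} is not a valid numbered IP ACL")


@dataclass
class Entry:
    action: str        # "permit" or "deny"
    src: int           # source address as an int
    src_wild: int      # wildcard mask: 1 bits are don't-care
    dst: int
    dst_wild: int


def _parse_addr(tokens):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'; return (addr, wild, consumed)."""
    if tokens[0] == "any":
        return 0, MASK32, 1
    if tokens[0] == "host":
        return int(ipaddress.IPv4Address(tokens[1])), 0, 2
    return int(ipaddress.IPv4Address(tokens[0])), int(ipaddress.IPv4Address(tokens[1])), 2


def parse_acl(lines):
    """Parse 'access-list N permit|deny ip SRC DST' lines into {N: [Entry, ...]}."""
    entries = {}
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        number, action, proto = int(t[1]), t[2], t[3]
        if proto != "ip":
            raise ValueError("this model only handles 'ip' entries")
        src, src_wild, used = _parse_addr(t[4:])
        dst, dst_wild, _ = _parse_addr(t[4 + used:])
        entries.setdefault(number, []).append(Entry(action, src, src_wild, dst, dst_wild))
    return entries


def _match(addr: int, wild: int, entry_addr: int) -> bool:
    return (addr & ~wild & MASK32) == (entry_addr & ~wild & MASK32)


def evaluate(entries, src_ip: str, dst_ip: str) -> str:
    """First matching entry wins; no match falls through to the implicit deny."""
    s, d = int(ipaddress.IPv4Address(src_ip)), int(ipaddress.IPv4Address(dst_ip))
    for e in entries:
        if _match(s, e.src_wild, e.src) and _match(d, e.dst_wild, e.dst):
            return e.action
    return "deny"


def l2_switch_forwards(entries, switch_ip: str, src_ip: str, dst_ip: str) -> bool:
    """Assumed behaviour of an ACL on a Layer 2 switch's SVI: it is consulted only
    for packets destined to the switch's own address; transit frames are switched
    at Layer 2 without ever reaching the ACL."""
    if dst_ip == switch_ip:
        return evaluate(entries, src_ip, dst_ip) == "permit"
    return True


# Constructed stand-in for the ACL in the thread (real addresses were substituted there).
CONFIG = [
    "access-list 2000 deny ip host 203.0.113.10 any",
    "access-list 2000 permit ip 192.0.2.0 0.0.0.255 any",
    "access-list 2000 deny ip any any",
]
SWITCH_IP = "192.0.2.1"
ACL_2000 = parse_acl(CONFIG)[2000]

if __name__ == "__main__":
    print("ACL 2000 is", acl_type(2000))
    # Echo-reply from the blocked host back to the switch: dropped, ping from the switch times out.
    print("blocked host -> switch:", l2_switch_forwards(ACL_2000, SWITCH_IP, "203.0.113.10", SWITCH_IP))
    # Same blocked host talking to another host behind the switch: switched through untouched.
    print("blocked host -> inside host:", l2_switch_forwards(ACL_2000, SWITCH_IP, "203.0.113.10", "192.0.2.77"))
```

Running it shows the asymmetry Christian observed: the ACL denies the blocked host only when the switch's own SVI is the destination, while the same host's traffic to a station behind the switch is forwarded regardless. Filtering transit traffic has to be done on the router (or on a platform that supports port or VLAN ACLs), not on this SVI.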