[c-nsp] Cisco 2960 12.2(50)SE3 - MAC ACL Deny Statement Allowing DHCP Traffic Through?

Spencer Barnes spencer at ceiva.com
Thu Aug 13 17:02:09 EDT 2009


Hello,

I have a Cisco 2960 running 12.2(50)SE3
(c2960-lanbasek9-mz.122-50.SE3.bin).  Interface FA0/1 is an uplink to
the main network/DHCP server and has no restrictions.  FA0/19 is
connected to a switch and that switch has a variety of wireless access
points.  I want to restrict inbound access on FA0/19 to certain MAC
addresses.  

Port FA0/19 has a mac access-group assigned to it and here is the
corresponding mac access-list:

mac access-list extended frames
 permit host 0000.0000.0001 any
 deny host 0000.0000.0002 any

Somehow the denied client (0000.0000.0002) is getting DHCP.  I sniffed
traffic from the DHCP server and indeed, the denied MAC address was
making it through.  The client is unable to route after getting DHCP so
this is almost working but I can't have the denied clients successfully
negotiating DHCP before getting blocked.  

Switchport port-security is working but I don't want to use this method.
Scrapping the access-list configuration, if I set switchport security on
FA0/19 to a maximum of 1 and add the permitted host (switchport
port-security mac-address 0000.0000.0001), the denied host is unable to
route or get DHCP.  

Why does the mac access-list allow the denied host to push DHCP traffic
through and how do I prevent this?

Spencer
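
An added configuration example (not from the poster, and not a reply on the list) showing the two approaches side by side. On the Catalyst 2960 family, a named MAC extended ACL applied with "mac access-group" is documented as filtering non-IPv4 traffic only: an IPv4 frame such as a DHCPv4 DISCOVER is not evaluated against the MAC ACL at all, which is consistent with what the post observes. Port security, by contrast, checks the source MAC of every frame regardless of EtherType. The interface names and MAC addresses are taken from the post; the violation mode and the show commands are my choices for illustration.

```cisco
! --- Approach 1: MAC port ACL (what the post configured) ---
! Only non-IPv4 frames (ARP, IPX, etc.) are matched by this ACL on the 2960.
! IPv4 traffic, including DHCPv4, passes through untouched, so the deny
! entry below never sees the denied host's DHCP DISCOVER.
mac access-list extended frames
 permit host 0000.0000.0001 any
 deny host 0000.0000.0002 any
!
interface FastEthernet0/19
 switchport mode access
 mac access-group frames in
!
! --- Approach 2: port security (what actually enforced the restriction) ---
! Source MAC is checked for every frame, whatever the EtherType, so the
! denied host gets neither DHCP nor anything else.
interface FastEthernet0/19
 switchport mode access
 no mac access-group frames in
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 ! "restrict" drops offending frames and counts them; "shutdown" (the
 ! default) err-disables the port instead. Chosen here for illustration.
 switchport port-security violation restrict
!
! --- Verification (run from privileged EXEC) ---
! show mac access-group interface FastEthernet0/19
! show port-security interface FastEthernet0/19
! show port-security address
```

The "show port-security interface" output includes a violation counter; a non-zero value after the denied host attempts DHCP confirms that its frames are being dropped at the port rather than reaching the DHCP server.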
