
I have a weird issue: I created a MAC access-list with the list of all permitted MAC addresses. It is working on all except one machine; once the access list is configured on the interface, the connection drops. It is one of the ESXi servers.

Note: I am sure of the MAC address. It is working on the same switch for other ESXi servers.

config t
no mac access-list extended MAC-Permit
mac access-list extended MAC-Permit
permit host XXXX.XXXX.XXXX any
...(many others, 100s)
deny any any
end

Apply the filter

config t
interface range G2/0/1-29
no mac access-group MAC-Permit in
mac access-group MAC-Permit in
end

Thanks

mkorayem
  • Can you provide us the relevant logging information? And I believe there is a **show interface GiX/X ...** command that shows information on this stuff. – Tommiie Oct 17 '18 at 12:47
  • Is there a way to see logs on screen live? – mkorayem Oct 17 '18 at 13:00
  • Either **show logging** will show the previous logs, assuming you've set your buffer size large enough. And I believe **terminal monitor** will show them on screen in real time, which can be very annoying, so you should not enable it and only check via **show logging**. – Tommiie Oct 17 '18 at 13:02
  • Still cannot see the logs for MAC access list – mkorayem Oct 17 '18 at 14:55
  • Now I found something weird. Sometimes it works, sometimes not, all according to what other MAC addresses are there in the access-list. E.g. if we have MAC addresses for 4 machines A, B, C and D, where A is the machine we have issues with: if the access list contains A, B and C it works; if I add D it blocks. – mkorayem Oct 17 '18 at 20:57
  • Hi @Tom, this is not port-security, I am using the MAC access-list. Is there an option for the maximum number of ACEs in an ACL? Because now I found that it seems that 429 is the limit!! Thanks – mkorayem Oct 18 '18 at 08:05
  • My suggestion is that it is the fact that ESXi has many multiple MACs. Maybe one doesn't always talk? What I would do is mirror the ESXi port to another server, and then run Wireshark, and see every single MAC that is coming through. Maybe you missed one? Another option is to disable it on the ESXi port, and run `show mac address-table interface gi0/0` (if the ESXi is on 0/0)... this will allow you to see all the MACs that are popping onto the port. – Robert Cotterman Oct 22 '18 at 04:12
  • Also to enable logging from the access-list, the final line should be `deny any any log` – Robert Cotterman Oct 22 '18 at 04:16
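Following the two suggestions in the comments (collect every MAC the ESXi host exposes on the port, and keep an eye on the ACE count), here is an added Python example that is not part of the original post: it parses a constructed MAC ACL and constructed `show mac address-table` output, reports the MACs seen on the port that have no permit ACE, and counts the ACEs so the total can be compared with whatever limit the platform enforces. All MAC values and the interface name are constructed samples.

```python
import re

# Constructed sample of the ACL as it appears in the running config
ACL_CONFIG = """\
mac access-list extended MAC-Permit
 permit host 0050.5600.0001 any
 permit host 0050.5600.0002 any
 permit host 0050.5600.0003 any
 deny   any any log
"""

# Constructed sample of 'show mac address-table interface Gi2/0/5' output;
# an ESXi host usually exposes several MACs on one port (vmkernel, VMs)
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0050.5600.0001    DYNAMIC     Gi2/0/5
  10    0050.5600.0002    DYNAMIC     Gi2/0/5
  20    0050.5600.00aa    DYNAMIC     Gi2/0/5
"""

# Cisco dotted-hex MAC notation, e.g. 0050.5600.0001
MAC_RE = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)


def permitted_macs(acl_text):
    """Return the set of host MACs that have a permit ACE, normalised to lowercase."""
    macs = set()
    for line in acl_text.splitlines():
        line = line.strip()
        if line.startswith("permit host"):
            m = MAC_RE.search(line)
            if m:
                macs.add(m.group(1).lower())
    return macs


def ace_count(acl_text):
    """Count permit/deny entries so the ACL size can be compared with the platform limit."""
    return sum(1 for l in acl_text.splitlines() if l.strip().startswith(("permit", "deny")))


def learned_macs(table_text):
    """Return the MACs learned on the port from 'show mac address-table' output."""
    return {m.group(1).lower() for m in map(MAC_RE.search, table_text.splitlines()) if m}


def missing_from_acl(acl_text, table_text):
    """MACs seen on the port that the ACL would drop (no permit ACE): the gap to close."""
    return sorted(learned_macs(table_text) - permitted_macs(acl_text))
```

Run `missing_from_acl(ACL_CONFIG, MAC_TABLE)` against real output captured with the ACL temporarily removed from the port, as the comment suggests, so every MAC the host actually uses is in the table.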

0 Answers