«

hello, I have a cisco 3750 with IOS 12.2(25)SEA EMI version.
I added MAC layer 2 acl on my vlan in the ingress port
that is the port the switch is attached as uplink.

interface GigabitEthernet1/0/1
no mdix auto
mac access-group lan-fi in

mac access-list extended lan-fi
deny host 0002.b3b1.82f8 any
deny host 00c0.49da.a072 any
deny host 0002.b392.6c90 any
deny host 0008.0d0f.16ff any
deny host 0011.433e.1751 any
permit any any

everything seems to work fine and mac addresses in the acl
are blocked. THey are blocked everyhere but not on port 18

on this port is attached a computer which is responsible for doing nat
and his ip is 172.16.0.253

there is a policy route configuration on my 3750 for
routing packets which needs to be natted:

route-map eratostene permit 111
match ip address 111
set ip next-hop 172.16.0.253

access-list 111 deny ip 172.16.0.0 0.0.255.255 192.84.x.0 0.0.0.255
access-list 111 deny ip 172.16.0.0 0.0.255.255 193.206.x.0 0.0.0.255
access-list 111 deny ip 172.16.0.0 0.0.255.255 172.16.0.0 0.0.255.255
access-list 111 permit ip 172.16.0.0 0.0.255.255 any
access-list 111 permit ip 172.17.17.0 0.0.0.255 any

the policy routing rules works fine.
What happens is that MAC Addresses of the mac ACL are not blocked
for this host 172.16.0.253 which is in the policy routing configuration.
Looks like access-list 111 is processed before the mac access list
and that the mac access list is not processed for frames which goes to port
18 (host 172.16.0.253)

so mac addresses I want to filter still goes to Gigabit port 18
and are not filtered.

how can I Solve this problem?

thanks

Rick