topic VLAN mac address filtering in Network Security

VLAN mac address filtering

Garage Irvine — Tue, 12 Mar 2019 07:31:59 GMT

Good morning

I am trying to figure out how to configure vlan ACL to filter mac addresses. And cannot make it work!

The goal is to block all mac-addresses inside vlan except those are permitted.

I found a great article which declares the same in the other way: block certain macs and pass all the rest.http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/64844-mac-acl-block-arp.html

So I made a similar confiuration for my requirements.

But this setup ain't working as I want. What I see is that all traffic inside this vlan is blocked even those hosts which are permitted.

Here's configuration:

mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
deny any any
!
!
vlan access-map block_hosts 10
action forward
match mac address secure
!

vlan filter block_hosts vlan-list 505

Tried some other configurations with filters, even adding ethertypes - no way, all traffic is blocked inside vlan.

Also tried to add rhis in the end:

vlan access-map block_hosts 20
action drop

Removing 'access-list'а deny any any' - also didn't help.

If I following the doc and make some macs denied and the rest permitted — all works fine. But no for vice versa.

I have also tried adding all mac addresses belonging to all catalyst interfaces, even to CPU, but no luck either.

Could someone help?

Forgot to mention hardware:

Garage Irvine — Tue, 22 Mar 2016 14:04:45 GMT

Forgot to mention hardware:

Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000

ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

I tried to use port-security to filter all mac-addresses except certain and it works fine, but it's not an option, since we have many catalyst and ports and it'l be a nightmare to maintain.

This configuration blocks all

Garage Irvine — Tue, 22 Mar 2016 14:08:52 GMT

This configuration blocks all traffic as well:

mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
!
!
mac access-list extended not-secure
permit any any
!

!
vlan access-map block_hosts 10
action forward
match mac address secure
!
!
vlan access-map block_hosts 20
action drop
match mac address not-secure
!
vlan filter block_hosts vlan-list 505

This is also blocks all traffic:

mac access-list extended not-secure
permit any any
mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42

ip access-list extended allow
permit ip any any
!
!

!
vlan access-map block_hosts 10
action forward
match mac address secure
match ip address allow
vlan access-map block_hosts 20
action drop
match mac address not-secure
!

vlan filter block_hosts vlan-list 505

#show access-lists
Extended IP access list allow
    10 permit ip any any (323 matches)
Extended MAC access list not-secure
    permit any any
Extended MAC access list secure
    permit host 0800.27a5.05c5 any
    permit any host 0800.27a5.05c5
    permit host 3c97.0e26.f302 any
    permit any host 3c97.0e26.f302
    permit host b40c.258e.e401 any
    permit any host b40c.258e.e401
    permit host 001a.6d55.fc42 any
    permit any host 001a.6d55.fc42

#show arp  | i 155
Internet  192.168.155.34          0   Incomplete      ARPA
Internet  192.168.155.10          -   001a.6d55.fc42  ARPA   Vlan505

192.168.155.10 - local catalyst address

All is good when no vlan-list applied:

#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.155.34          5   3005.5c7c.47f4  ARPA   Vlan505
Internet  192.168.155.1           2   b40c.258e.e401  ARPA   Vlan505

Internet 192.168.155.10 - 001a.6d55.fc42 ARPA Vlan505

And this don't work either:

Garage Irvine — Tue, 22 Mar 2016 14:11:21 GMT

And this don't work either:

!
vlan access-map block_hosts 10
action drop
match mac address not-secure
vlan access-map block_hosts 20
action forward
match mac address secure
match ip address allow
!
vlan filter block_hosts vlan-list 505
vlan internal allocation policy ascending
lldp run
!
!
!
ip access-list extended allow
permit ip any any

Maybe debugging would help? Don't know what to dig really

I am also seeing the same

Dan Smith — Mon, 05 Jun 2017 21:32:15 GMT

I am also seeing the same behavior on my 3560X....blacklisting works but white-listing does not...very frustrating.

Model number: WS-C3560X-48T-S

SW Version: 12.2(58)SE2

Re: And this don't work either:

jsnyder0111 — Wed, 04 Aug 2021 17:50:21 GMT

Been a long while since you posted your quandary with the creation of a "MAC whitelist" on your Cisco equipment - the creation of which is something I am looking into also, and the technical documentation for it online is scarce. Were you ever successful in creating it? If so, what was the actual method you ended up using...? Thx