03-22-2016 07:02 AM - edited 03-12-2019 12:31 AM
Good morning
I am trying to figure out how to configure a VLAN ACL to filter MAC addresses, and cannot make it work!
The goal is to block all MAC addresses inside the VLAN except those that are permitted.
I found a great article which describes the same thing the other way round: block certain MACs and pass all the rest. http://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/64844-mac-acl-block-arp.html
So I made a similar configuration for my requirements.
But this setup isn't working as I want. What I see is that all traffic inside this VLAN is blocked, even for those hosts which are permitted.
Here's configuration:
mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
deny any any
!
!
vlan access-map block_hosts 10
action forward
match mac address secure
!
vlan filter block_hosts vlan-list 505
Tried some other configurations with filters, even adding ethertypes - no way, all traffic is blocked inside the VLAN.
Also tried to add this at the end:
vlan access-map block_hosts 20
action drop
Removing the access-list 'deny any any' also didn't help.
If I follow the doc and make some MACs denied and the rest permitted, all works fine. But not vice versa.
I have also tried adding all MAC addresses belonging to all Catalyst interfaces, even the CPU, but no luck either.
Could someone help?
03-22-2016 07:04 AM
Forgot to mention hardware:
Cisco IOS Software, C3750 Software (C3750-IPSERVICESK9-M), Version 12.2(55)SE10, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2015 by Cisco Systems, Inc.
Compiled Wed 11-Feb-15 11:40 by prod_rel_team
Image text-base: 0x01000000, data-base: 0x02F00000
ROM: Bootstrap program is C3750 boot loader
BOOTLDR: C3750 Boot Loader (C3750-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
I tried to use port-security to filter all MAC addresses except certain ones and it works fine, but it's not an option, since we have many Catalysts and ports and it'll be a nightmare to maintain.
03-22-2016 07:08 AM
This configuration blocks all traffic as well:
mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
!
!
mac access-list extended not-secure
permit any any
!
!
vlan access-map block_hosts 10
action forward
match mac address secure
!
!
vlan access-map block_hosts 20
action drop
match mac address not-secure
!
vlan filter block_hosts vlan-list 505
This also blocks all traffic:
mac access-list extended not-secure
permit any any
mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
ip access-list extended allow
permit ip any any
!
!
!
vlan access-map block_hosts 10
action forward
match mac address secure
match ip address allow
vlan access-map block_hosts 20
action drop
match mac address not-secure
!
vlan filter block_hosts vlan-list 505
#show access-lists
Extended IP access list allow
10 permit ip any any (323 matches)
Extended MAC access list not-secure
permit any any
Extended MAC access list secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
#show arp | i 155
Internet 192.168.155.34 0 Incomplete ARPA
Internet 192.168.155.10 - 001a.6d55.fc42 ARPA Vlan505
192.168.155.10 - local catalyst address
All is good when no vlan-list applied:
#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.155.34 5 3005.5c7c.47f4 ARPA Vlan505
Internet 192.168.155.1 2 b40c.258e.e401 ARPA Vlan505
Internet 192.168.155.10 - 001a.6d55.fc42 ARPA Vlan505
03-22-2016 07:11 AM
And this doesn't work either:
mac access-list extended not-secure
permit any any
mac access-list extended secure
permit host 0800.27a5.05c5 any
permit any host 0800.27a5.05c5
permit host 3c97.0e26.f302 any
permit any host 3c97.0e26.f302
permit host b40c.258e.e401 any
permit any host b40c.258e.e401
permit host 001a.6d55.fc42 any
permit any host 001a.6d55.fc42
!
vlan access-map block_hosts 10
action drop
match mac address not-secure
vlan access-map block_hosts 20
action forward
match mac address secure
match ip address allow
!
vlan filter block_hosts vlan-list 505
vlan internal allocation policy ascending
lldp run
!
!
!
ip access-list extended allow
permit ip any any
Maybe debugging would help? I don't know what to dig into, really.
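To make the posted whitelist's behaviour checkable offline, here is an added evaluator (not from this thread or from Cisco) that parses a MAC ACL plus a VLAN access-map and decides forward or drop per frame under a simplified model: ACL entries are checked in order with the first match deciding and an implicit deny at the end; VLAN-map clauses are checked by sequence number, the first clause whose ACL permits the frame supplies its action, a clause without a match statement matches everything, and a frame matching no clause is dropped. IP match statements and the platform's handling of IP versus non-IP frames are assumptions left out of the model, so it cannot reproduce whatever blocks the whitelisted hosts here; it does show which frames the access list itself admits.

```python
"""Evaluator for a Cisco-style MAC ACL plus VLAN access-map (simplified model,
see lead-in). None in an ACL entry means 'any'."""
import re

def parse_config(text):
    """Return ({acl_name: [(is_permit, src, dst), ...]}, clauses by sequence)."""
    acls, vmap, cur_acl, cur_clause = {}, [], None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"mac access-list extended (\S+)$", line):
            cur_acl, cur_clause = acls.setdefault(m.group(1), []), None
        elif m := re.match(r"vlan access-map \S+ (\d+)$", line):
            cur_clause = {"seq": int(m.group(1)), "action": "drop", "acl": None}
            vmap.append(cur_clause)
            cur_acl = None
        elif m := re.match(r"(permit|deny) (?:host (\S+)|any) (?:host (\S+)|any)$", line):
            if cur_acl is not None:  # entries outside a MAC ACL are ignored
                cur_acl.append((m.group(1) == "permit", m.group(2), m.group(3)))
        elif cur_clause and (m := re.match(r"action (forward|drop)$", line)):
            cur_clause["action"] = m.group(1)
        elif cur_clause and (m := re.match(r"match mac address (\S+)$", line)):
            cur_clause["acl"] = m.group(1)
    return acls, sorted(vmap, key=lambda c: c["seq"])

def acl_permits(acl, src, dst):
    """First matching entry decides; no match is the ACL's implicit deny."""
    for is_permit, s, d in acl:
        if (s is None or s == src) and (d is None or d == dst):
            return is_permit
    return False

def vacl_action(acls, vmap, src, dst):
    """First clause whose ACL permits the frame (or has no match statement) wins."""
    for clause in vmap:
        if clause["acl"] is None or acl_permits(acls.get(clause["acl"], []), src, dst):
            return clause["action"]
    return "drop"  # no clause matched

# Constructed sample: the first post's whitelist, reduced to two hosts.
CONFIG = """
mac access-list extended secure
 permit host 0800.27a5.05c5 any
 permit any host 0800.27a5.05c5
 permit host 001a.6d55.fc42 any
 permit any host 001a.6d55.fc42
 deny any any
vlan access-map block_hosts 10
 action forward
 match mac address secure
"""
ACLS, VMAP = parse_config(CONFIG)
```

Evaluating 3005.5c7c.47f4 (the address that shows as Incomplete in the ARP output above) to broadcast gives drop, as expected for an unlisted MAC, while the same source to a listed destination gives forward: the `permit any host X` entries let unlisted sources send unicast frames to whitelisted hosts, so the list is a weaker whitelist than its name suggests.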
06-05-2017 02:32 PM
I am also seeing the same behavior on my 3560X... blacklisting works but whitelisting does not... very frustrating.
Model number: WS-C3560X-48T-S
SW Version: 12.2(58)SE2
08-04-2021 10:50 AM
Been a long while since you posted your quandary with the creation of a "MAC whitelist" on your Cisco equipment - the creation of which is something I am looking into also, and the technical documentation for it online is scarce. Were you ever successful in creating it? If so, what was the actual method you ended up using...? Thx