01-11-2006 06:15 PM - edited 03-03-2019 11:26 AM
I have an existing VLAN access map that is working to block IP traffic and I tried to add a section to block a couple of station MAC addresses and it blocked everything.
This is the existing Vlan access-map
Vlan access-map NoInet 10
Match IP Address AllLabBlock
Action Drop
Exit
Vlan access-map NoInet 20
Match IP Address NoInetAllow
Action Forward
Exit
Vlan access-map NoInet 25
Match IP Address NoInetPortBlock
Action Drop
Exit
Vlan access-map NoInet 30
Match IP Address NoInetInternalAllow
Action Forward
Exit
Vlan access-map NoInet 40
Match IP Address NoInetDeny
Action Drop
Exit
I tried to add this to the top of the list and all traffic stopped. As soon as I got to the console port and removed this everything started working again.
Vlan access-map NoInet 5
Match Mac Address MacBlock
Action Drop
Exit
I want to block these two MAC addresses
mac access-list extended MacBlock
permit host 0050.baa7.2122 any
permit host 000c.41bf.3324 any
I thought about putting in a MAC permit any any after this section at line 6 but I thought it would forward everything and not hit the IP sections.
Thanks,
Kerry
01-11-2006 07:24 PM
Hi Kerry,
Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.
Also, if the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
I suspect what is happening here is that the MAC ACL is also blocking things such as ARPs (which are not IP packets) which would mean that you would get very little traffic happening. The ARP is treated as a non-IP packet and denied by the MacBlock ACL.
So I feel that you really need to use something like the following:
Vlan access-map NoInet 5
Match Mac Address MacBlock
Action Forward
Exit
!
mac access-list extended MacBlock
deny host 0050.baa7.2122 any
deny host 000c.41bf.3324 any
permit any any
Hope that helps.. pls rate the post if it does.
Paresh.
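As an added illustration (not from either post), here is a small Python model of the VLAN access-map evaluation rules Paresh describes, used to show why the original MAC sequence dropped ARP from every station while the corrected one drops only the two listed hosts. It assumes MAC ACEs are matched on source MAC only and leaves out the IP sequences of the NoInet map, so IP packets see no clause and are forwarded by default.

```python
# Model of Catalyst VLAN access-map (VACL) evaluation, as described in the
# thread: a packet is matched only against clauses of its own protocol type;
# if such clauses exist and none permits the packet, it is dropped; if there
# is no clause of its type, it is forwarded.  (Assumption: ACEs match on
# source MAC only; the map's IP sequences are omitted for brevity.)

DROP, FORWARD = "drop", "forward"


def acl_permits(acl, src_mac):
    """Return True if a MAC ACL permits the source MAC (implicit deny at end)."""
    for action, host in acl:
        if host == "any" or host == src_mac:
            return action == "permit"
    return False


def vacl_action(vlan_map, packet):
    """Apply a VLAN access-map (list of (seq, match_type, acl, action)) to a packet.

    packet: dict with 'type' ('ip', or anything else such as 'arp') and 'src_mac'.
    """
    ptype = "ip" if packet["type"] == "ip" else "mac"
    clauses = [c for c in sorted(vlan_map, key=lambda c: c[0]) if c[1] == ptype]
    if not clauses:                      # no clause for this packet type
        return FORWARD
    for _, _, acl, action in clauses:    # first permitting clause decides
        if acl_permits(acl, packet["src_mac"]):
            return action
    return DROP                          # clauses exist but none matched


BLOCKED = ("0050.baa7.2122", "000c.41bf.3324")   # the two stations in the thread

# Kerry's original: ACL permits the two hosts, action drop.  Every other
# station falls to the implicit deny, so the map's default (drop) applies.
ORIGINAL_ACL = [("permit", BLOCKED[0]), ("permit", BLOCKED[1])]
ORIGINAL_MAP = [(5, "mac", ORIGINAL_ACL, DROP)]

# Paresh's version: deny the two hosts, permit any any, action forward.
FIXED_ACL = [("deny", BLOCKED[0]), ("deny", BLOCKED[1]), ("permit", "any")]
FIXED_MAP = [(5, "mac", FIXED_ACL, FORWARD)]


def outcome(vlan_map, src_mac, ptype="arp"):
    return vacl_action(vlan_map, {"type": ptype, "src_mac": src_mac})


if __name__ == "__main__":
    other = "0000.1111.2222"   # constructed address of an unrelated station
    print("original map, ARP from other station:", outcome(ORIGINAL_MAP, other))
    print("fixed map, ARP from other station:   ", outcome(FIXED_MAP, other))
    print("fixed map, ARP from blocked station: ", outcome(FIXED_MAP, BLOCKED[0]))
```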