VLAN Access-map MAC and IP filter dropping all traffic
01-11-2006 06:15 PM - edited 03-03-2019 11:26 AM
I have an existing VLAN access map that is working to block IP traffic, and I tried to add a section to block a couple of station MAC addresses and it blocked everything.
This is the existing Vlan access-map
Vlan access-map NoInet 10
Match IP Address AllLabBlock
Action Drop
Exit
Vlan access-map NoInet 20
Match IP Address NoInetAllow
Action Forward
Exit
Vlan access-map NoInet 25
Match IP Address NoInetPortBlock
Action Drop
Exit
Vlan access-map NoInet 30
Match IP Address NoInetInternalAllow
Action Forward
Exit
Vlan access-map NoInet 40
Match IP Address NoInetDeny
Action Drop
Exit
I tried to add this to the top of the list and all traffic stopped. As soon as I got to the console port and removed this everything started working again.
Vlan access-map NoInet 5
Match Mac Address MacBlock
Action Drop
Exit
I want to block these two MAC addresses:
mac access-list extended MacBlock
permit host 0050.baa7.2122 any
permit host 000c.41bf.3324 any
I thought about putting in a MAC permit any any after this section at line 6, but I thought it would forward everything and not hit the IP sections.
Thanks,
Kerry
01-11-2006 07:24 PM
Hi Kerry,
Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.
Also, if the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.
I suspect what is happening here is that the MAC ACL is also blocking things such as ARPs (which are not IP packets) which would mean that you would get very little traffic happening. The ARP is treated as a non-IP packet and denied by the MacBlock ACL.
So I feel that you really need to use something like the following:
Vlan access-map NoInet 5
Match Mac Address MacBlock
Action Forward
Exit
!
mac access-list extended MacBlock
deny host 0050.baa7.2122 any
deny host 000c.41bf.3324 any
permit any any
Hope that helps. Pls rate the post if it does.
Paresh.
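To make the rule in the reply above concrete, here is an added Python model of VLAN access-map evaluation (example code written for this thread, not Cisco's implementation and not posted by either participant). It encodes only the three rules stated above: an ACL sees only packets of its own protocol type, a clause-by-clause first match wins, and a packet of a type that has at least one clause but matches none is dropped. The IP clauses and the innocent host address are constructed stand-ins; the two blocked MACs are the ones from the question.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    kind: str   # "ip" or "mac" (any non-IP frame, e.g. ARP)
    src: str    # source MAC for "mac" packets, source IP for "ip" packets

@dataclass
class Acl:
    kind: str      # protocol type this ACL applies to: "ip" or "mac"
    entries: list  # (action, src) pairs in order; src "any" matches everything

    def permits(self, pkt):
        # First entry whose source matches decides; implicit deny at the end.
        for action, src in self.entries:
            if src in ("any", pkt.src):
                return action == "permit"
        return False

@dataclass
class Clause:
    seq: int
    acl: Acl
    action: str  # "drop" or "forward"

def evaluate(vlan_map, pkt):
    """Return "drop" or "forward" for pkt under the VLAN access-map."""
    seen_type = False
    for c in sorted(vlan_map, key=lambda cl: cl.seq):
        if c.acl.kind != pkt.kind:
            continue  # an ACL only sees packets of its own protocol type
        seen_type = True
        if c.acl.permits(pkt):
            return c.action  # first clause whose ACL permits the packet decides
    # Nothing matched: drop if the map had a clause for this type, else forward.
    return "drop" if seen_type else "forward"

BLOCKED = ("0050.baa7.2122", "000c.41bf.3324")
# Constructed stand-in for the thread's IP clauses: forward all IP traffic.
IP_CLAUSES = [Clause(10, Acl("ip", [("permit", "any")]), "forward")]
# Kerry's first attempt: MacBlock permits only the two hosts, action drop.
kerry_map = [Clause(5, Acl("mac", [("permit", m) for m in BLOCKED]), "drop")] + IP_CLAUSES
# Paresh's version: deny the two hosts, permit any any, action forward.
paresh_map = [Clause(5, Acl("mac", [("deny", m) for m in BLOCKED] + [("permit", "any")]), "forward")] + IP_CLAUSES

def outcomes(vlan_map):
    # Constructed traffic: ARP from an innocent host, ARP from a blocked host, an IP packet.
    arp_ok = Packet("mac", "0000.1111.2222")
    arp_blocked = Packet("mac", BLOCKED[0])
    ip_pkt = Packet("ip", "10.0.0.5")
    return tuple(evaluate(vlan_map, p) for p in (arp_ok, arp_blocked, ip_pkt))
```

`outcomes(kerry_map)` gives `('drop', 'drop', 'forward')`: every non-IP frame, including ARP from hosts that are not in MacBlock, falls to the implicit deny and is dropped, which is the outage Kerry saw. `outcomes(paresh_map)` gives `('forward', 'drop', 'forward')`, and note that IP packets from the two hosts are still judged only by the IP clauses; the MAC clause cuts them off by denying their ARP.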
