07-10-2012 11:58 PM
Hello Team

Need your input on the problem faced below regarding a MAC access list issue in Nexus 7k

Setup Details
End users are terminated on Catalyst 3750 switches. Each stack of Cat 3750 switches is connected to both the core switches, which are Nexus 7010 (Rel 5.1). HSRP is running between both the core switches. For around 50 VLANs Nexus1 is primary switch while for the remaining 50 VLANs Nexus2 is secondary switch

Requirement
We want to deny access for one of the MAC addresses in the network in such a way that a machine with this MAC address should not get an IP address from the DHCP server irrespective of its location within the network

Current configuration done in both Nexus switches
switch# configure terminal
switch(config)# mac access-list MAC_Deny
switch(config-mac-acl)# permit 0032.ae61.8421 0000.0000.0000 any
switch(config-mac-acl)# exit
switch# configure terminal
switch(config)# mac access-list Allow-all
switch(config-mac-acl)# permit any any
switch(config-mac-acl)# exit
switch# configure terminal
switch(config)# vlan access-map MAC_Block 10
switch(config-access-map)# match mac address MAC_Deny
switch(config-access-map)# action drop
switch(config-access-map)# exit
switch# configure terminal
switch(config)# vlan access-map MAC_Block 20
switch(config-access-map)# match mac address Allow-all
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch# configure terminal
switch(config)# vlan filter MAC_Block vlan-list 15

Current result
User with this specific MAC address is able to get an IP address from DHCP

Expected result
User should not get network access (IP from DHCP)
07-11-2012 12:06 AM
Hello Team
Need your input on the problem faced below regarding a MAC access list issue in Nexus 7k
======================================================================
Setup Details
End users are terminated on Catalyst 3750 switches. Each stack of Cat 3750 switches is connected to both the core switches, which are Nexus 7010 (Rel 5.1). HSRP is running between both the core switches. For around 50 VLANs Nexus1 is primary switch while for the remaining 50 VLANs Nexus2 is secondary switch
==================================================================
Requirement
We want to deny access for one of the MAC addresses in the network in such a way that a machine with this MAC address should not get an IP address from the DHCP server irrespective of its location within the network
==================================================================
Current configuration done in both Nexus Switches....
switch# configure terminal
switch(config)# mac access-list MAC_Deny
switch(config-mac-acl)# permit 0032.ae61.8421 0000.0000.0000 any
switch(config-mac-acl)# exit
switch# configure terminal
switch(config)# mac access-list Allow-all
switch(config-mac-acl)# permit any any
switch(config-mac-acl)# exit
switch# configure terminal
switch(config)# vlan access-map MAC_Block 10
switch(config-access-map)# match mac address MAC_Deny
switch(config-access-map)# action drop
switch(config-access-map)# exit
switch# configure terminal
switch(config)# vlan access-map MAC_Block 20
switch(config-access-map)# match mac address Allow-all
switch(config-access-map)# action forward
switch(config-access-map)# exit
switch# configure terminal
switch(config)# vlan filter MAC_Block vlan-list 15
===================================================================
Current result
User with this specific MAC address is able to get an IP address from DHCP
===================================================================
Expected Result
User should not get network access (IP from DHCP)
===================================================================
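Added example, not part of the original post and not Cisco code: a small Python model of the configuration as posted, evaluating the access-map entries in sequence order and the vlan-list of the vlan filter. The function names are hypothetical and first-match evaluation is an assumption; it models only the source-MAC logic written in the config, not how the Nexus hardware classifies frames.

```python
CONFIG = """\
mac access-list MAC_Deny
 permit 0032.ae61.8421 0000.0000.0000 any
mac access-list Allow-all
 permit any any
vlan access-map MAC_Block 10
 match mac address MAC_Deny
 action drop
vlan access-map MAC_Block 20
 match mac address Allow-all
 action forward
vlan filter MAC_Block vlan-list 15
"""  # configuration from the post, CLI prompts stripped

def expand(spec):  # "15" or "10-12,15" -> set of VLAN ids
    out = set()
    for lo, _, hi in (p.partition("-") for p in spec.split(",")):
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(text):
    acls, maps, filters, cur = {}, {}, {}, None
    for w in (l.split() for l in text.splitlines() if l.strip()):
        if w[:2] == ["mac", "access-list"]:
            cur = acls.setdefault(w[2], [])
        elif w[:2] == ["vlan", "access-map"]:
            cur = maps.setdefault(w[2], {}).setdefault(int(w[3]), {})
        elif w[:2] == ["vlan", "filter"]:
            filters[w[2]] = expand(w[4])
        elif w[0] == "permit":  # only permit entries are modelled
            cur.append(w[1:])
        elif w[0] in ("match", "action"):
            cur[w[0]] = w[-1]
    return acls, maps, filters

def src_matches(rule, mac):  # wildcard bits set to 1 are "don't care"
    if rule[0] == "any":
        return True
    m, addr, wild = (int(x.replace(".", ""), 16) for x in (mac, *rule[:2]))
    return ((m ^ addr) & ~wild) == 0

def verdict(acls, maps, filters, src_mac, vlan):
    name = next((n for n, v in filters.items() if vlan in v), None)
    if name is None:
        return "unfiltered"  # no vlan filter covers this VLAN
    for seq, e in sorted(maps[name].items()):  # lowest sequence first
        if any(src_matches(r, src_mac) for r in acls[e["match"]]):
            return e["action"]
    return "no-match"
```

Calling verdict(*parse(CONFIG), "0032.ae61.8421", vlan) gives "drop" for VLAN 15 and "unfiltered" for any other VLAN, because the vlan filter line lists only VLAN 15.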