08-05-2010 01:20 PM - edited 03-06-2019 12:20 PM
I need to block a specific MAC address from our LAN. I put in place the VLAN filter below, but it seems that I got it wrong, as the MAC still pops up after clearing the ARP cache. Any suggestions on where I went wrong?
mac access-list extended USER1
permit host b8ac.6f6a.5e5c any
mac access-list extended log
vlan access-map BLOCK_USER1 10
action drop
match mac address USER1 log
vlan access-map BLOCK_USER1 20
action forward
vlan filter BLOCK_USER1 vlan-list 999
Thanks
Poirot
08-05-2010 04:03 PM
Hello,
Your configuration looks good. Can you please check and make sure that the ARP entry is showing up in the correct VLAN? Also, have you cleared the ARP after configuring the VLAN access map?
Regards,
NT
08-06-2010 04:38 AM
Thanks for the response. I cleared the arp cache after applying the filter to the vlan. The mac address popped up the next day in the vlan. This is an access switch so there is only the one vlan on it.
Thanks
Poirot
08-06-2010 09:30 AM
Poirot,
VACLs will stop the switch from seeing the MAC address. DHCP, ARP, etc. will not be looked at by VACLs. VACLs only work on intervlan L2 traffic and not on L3 traffic, so it will not totally block all access. I think dot1x security might be something for this, but I am not that familiar with that to know.
Mike
08-06-2010 11:13 AM
Hello,
Can you change your MAC acl as below:
permit
Example:
Switch(config)#mac access-list extended ARP_Packet
Switch(config-ext-nacl)#permit host 0000.861f.3745 any 0x806 0x0
Switch(config-ext-nacl)#permit any host 0000.861f.3745 0x806 0x0
Switch(config-ext-nacl)#end
http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml
Hope this helps.
Regards,
NT
08-06-2010 07:49 PM
Hi Poirot,
Here's a setup in my lab, and it worked just fine. The lab setup is a 3560/24 with a 2611XM in ports fa0/1 & fa0/2 on the switch. Once I cleared the ARP on the routers I could not ping between them.
mac access-list extended map1
permit host 0014.f2ef.6140 any
!
!
vlan access-map map1 10
action drop
match mac address map1
vlan filter map1 vlan-list 10
HTH,
Brandon
05-21-2019 02:23 PM
05-21-2019 02:31 PM
Dear Poirot,
Remove this statement:
vlan access-map BLOCK_USER1 20
action forward
!!!! That command was what negated the initial command:
vlan access-map BLOCK_USER1 10
action drop
because the second access-map command has a higher sequence number (20) and its action is forward.
After doing that, clear your ARP; it will work.
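Catalyst VLAN access-maps are evaluated in sequence order: the first clause whose ACL matches the frame decides, a clause with no match statement matches everything, and a frame that matches no clause is dropped when the map has at least one match clause for its packet type. The following Python model of that evaluation is an added example, not from any poster in this thread; it runs the original BLOCK_USER1 map and Brandon's map1 (which has no forward clause) over two constructed frames, and simplifies by treating every frame as a MAC-ACL candidate regardless of its payload type.

```python
"""Model of Catalyst VLAN access-map evaluation (first match wins)."""
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class MacAce:
    """One permit entry of a MAC access-list (host <mac> or any)."""
    src: str
    dst: str
    ethertype: Optional[int] = None  # e.g. 0x806 for ARP; None = any type

    def matches(self, frame: dict) -> bool:
        return ((self.src == "any" or self.src == frame["src"])
                and (self.dst == "any" or self.dst == frame["dst"])
                and (self.ethertype is None or self.ethertype == frame["type"]))

@dataclass
class MapEntry:
    """One 'vlan access-map NAME SEQ' block; empty acl = no match clause."""
    seq: int
    action: str                      # 'drop' or 'forward'
    acl: List[MacAce] = field(default_factory=list)

def evaluate(access_map: List[MapEntry], frame: dict) -> str:
    """Return 'drop' or 'forward' for one frame, checking entries by sequence."""
    has_match_clause = False
    for entry in sorted(access_map, key=lambda e: e.seq):
        if not entry.acl:            # no match statement: matches every frame
            return entry.action
        has_match_clause = True
        if any(ace.matches(frame) for ace in entry.acl):
            return entry.action      # first matching clause decides
    # Unmatched: implicit drop if the map has a match clause for this type.
    return "drop" if has_match_clause else "forward"

# The two maps from the thread, transcribed into the model.
BLOCK_USER1 = [MapEntry(10, "drop", [MacAce("b8ac.6f6a.5e5c", "any")]),
               MapEntry(20, "forward")]
MAP1 = [MapEntry(10, "drop", [MacAce("0014.f2ef.6140", "any")])]

# Constructed frames: the blocked host's ARP request and an unrelated host's IP frame.
FRAMES = {
    "user1_arp": {"src": "b8ac.6f6a.5e5c", "dst": "ffff.ffff.ffff", "type": 0x806},
    "other_ip": {"src": "0011.2233.4455", "dst": "000c.2912.3456", "type": 0x800},
}

def verdicts(access_map: List[MapEntry]) -> dict:
    """Verdict per constructed frame for the given map."""
    return {name: evaluate(access_map, f) for name, f in FRAMES.items()}

if __name__ == "__main__":
    print("BLOCK_USER1:", verdicts(BLOCK_USER1))  # user1 dropped, others forwarded
    print("map1:", verdicts(MAP1))                # everything dropped: no forward clause
```

The model shows the sequence-20 forward clause is what lets every other host through; without it, as in map1, the implicit drop also silences hosts the ACL never names.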