I need to block a specific MAC address from our LAN. I put in place the VLAN filter below, but it seems that I got it wrong, as the MAC still pops up after clearing the ARP cache. Any suggestions on where I went wrong?
mac access-list extended USER1
 permit host b8ac.6f6a.5e5c any
!
vlan access-map BLOCK_USER1 10
 match mac address USER1
 action drop
vlan access-map BLOCK_USER1 20
 action forward
!
vlan filter BLOCK_USER1 vlan-list 999
Your configuration looks good. Can you please check and make sure that the ARP entry is showing up in the correct VLAN? Also, have you cleared the ARP after configuring the VLAN access map?
Thanks for the response. I cleared the arp cache after applying the filter to the vlan. The mac address popped up the next day in the vlan. This is an access switch so there is only the one vlan on it.
VACLs will stop the switch from seeing the MAC address. DHCP, ARP, etc. will not be looked at by VACLs. VACLs only work on intra-VLAN L2 traffic and not on L3 traffic, so it will not totally block all access. I think dot1x security might be something for this, but I am not that familiar with it to know.
Can you change your MAC acl as below:
Switch(config)#mac access-list extended ARP_Packet
Switch(config-ext-nacl)#permit host 0000.861f.3745 any 0x806 0x0
Switch(config-ext-nacl)#permit any host 0000.861f.3745 0x806 0x0
Hope this helps.
Here's a setup in my lab and it worked just fine. Lab setup is a 3560/24 with a 2611XM on ports fa0/1 and fa0/2 of the switch. Once I cleared the ARP on the routers I could not ping between them.
mac access-list extended map1
 permit host 0014.f2ef.6140 any
!
vlan access-map map1 10
 match mac address map1
 action drop
!
vlan filter map1 vlan-list 10
Remove this statement:
vlan access-map BLOCK_USER1 20
 action forward
That command was what negated the initial one (vlan access-map BLOCK_USER1 10 / action drop), because the second access-map entry has the higher sequence number (20) and its action is forward.
After doing that, clear your ARP and it will work.
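One way to see what the two maps discussed in this thread do to individual frames, as an added example that is not from any of the posters: a small Python model of Catalyst 3560/3750 VLAN-map evaluation, following the rules in Cisco's VLAN-map documentation (entries are tested in sequence-number order and the first hit decides; an entry with no match clause matches every frame; a `match mac address` clause is tested only against non-IP frames such as ARP, while IP frames are tested only against `match ip address`; a frame that hits no entry is dropped when the map has a clause for its type, otherwise forwarded). The blocked MAC and VLAN 999 come from the original post; the second host's MAC, the gateway MAC, the IP addresses and all class and function names are my own constructed values.

```python
"""Model of Cisco Catalyst 3560/3750 VLAN access-map (VACL) evaluation.

Added example for this thread, not code from any poster. Encodes the rules
Cisco documents for VLAN maps on these platforms:
  * entries are tested in sequence-number order; the first hit decides;
  * an entry with no match clause matches every frame;
  * 'match mac address' clauses apply only to non-IP frames (e.g. ARP),
    'match ip address' clauses only to IP frames;
  * a frame that matches no entry is dropped if the map has a clause for
    its frame type, otherwise forwarded.
All ACL contents except the blocked MAC, and all hosts other than it, are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None

    @property
    def is_ip(self) -> bool:
        return self.ethertype == ETHERTYPE_IP


@dataclass(frozen=True)
class MacAce:
    """One line of 'mac access-list extended': permit|deny <src> <dst>."""
    permit: bool
    src: str = "any"
    dst: str = "any"

    def hits(self, frame: Frame) -> bool:
        return (self.src in ("any", frame.src_mac)
                and self.dst in ("any", frame.dst_mac))


@dataclass(frozen=True)
class IpAce:
    """One line of a standard IP ACL: permit|deny <src_ip>."""
    permit: bool
    src: str = "any"

    def hits(self, frame: Frame) -> bool:
        return self.src in ("any", frame.src_ip)


def acl_permits(acl, frame: Frame) -> bool:
    """First ACE hit decides; no hit is the ACL's implicit deny (no VACL match)."""
    for ace in acl:
        if ace.hits(frame):
            return ace.permit
    return False


@dataclass
class MapEntry:
    seq: int
    action: str                                         # "forward" or "drop"
    match_mac: List[str] = field(default_factory=list)  # MAC ACL names
    match_ip: List[str] = field(default_factory=list)   # IP ACL names

    def clauses_for(self, frame: Frame) -> List[str]:
        return self.match_ip if frame.is_ip else self.match_mac

    @property
    def catch_all(self) -> bool:
        return not self.match_mac and not self.match_ip


def evaluate(vlan_map: List[MapEntry], acls: Dict[str, list], frame: Frame) -> str:
    """Return 'forward' or 'drop' for one frame in the filtered VLAN."""
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.catch_all:
            return entry.action
        if any(acl_permits(acls[name], frame) for name in entry.clauses_for(frame)):
            return entry.action
    # No entry hit: implicit drop only if the map has a clause for this frame type.
    has_clause = any(entry.clauses_for(frame) for entry in vlan_map)
    return "drop" if has_clause else "forward"


BLOCKED = "b8ac.6f6a.5e5c"   # MAC from the original post
OTHER = "0011.2233.4455"     # constructed second host
GATEWAY = "0000.0c07.ac01"   # constructed destination MAC

ACLS = {"USER1": [MacAce(permit=True, src=BLOCKED)]}   # permit host <BLOCKED> any

# Original post: seq 10 drops USER1, seq 20 (no match clause) forwards the rest.
MAP_WITH_FORWARD = [MapEntry(10, "drop", match_mac=["USER1"]), MapEntry(20, "forward")]
# Same map with sequence 20 removed.
MAP_DROP_ONLY = [MapEntry(10, "drop", match_mac=["USER1"])]

FRAMES = {   # constructed sample frames
    "arp_from_blocked": Frame(BLOCKED, "ffff.ffff.ffff", ETHERTYPE_ARP),
    "arp_from_other": Frame(OTHER, "ffff.ffff.ffff", ETHERTYPE_ARP),
    "ip_from_blocked": Frame(BLOCKED, GATEWAY, ETHERTYPE_IP, "10.0.0.5"),
    "ip_from_other": Frame(OTHER, GATEWAY, ETHERTYPE_IP, "10.0.0.6"),
}


def verdicts(vlan_map: List[MapEntry]) -> Dict[str, str]:
    return {name: evaluate(vlan_map, ACLS, f) for name, f in FRAMES.items()}


if __name__ == "__main__":
    print("with seq 20 forward:", verdicts(MAP_WITH_FORWARD))
    print("seq 10 only:        ", verdicts(MAP_DROP_ONLY))
```

Under these rules, with sequence 20 present the blocked host's ARP is dropped and everything else, including that host's IP frames, is forwarded, because a MAC ACL clause is never tested against IP frames. With sequence 20 removed, ARP from every host in VLAN 999 is dropped by the implicit deny while IP frames still pass. Blocking the host's IP traffic through a VLAN map needs a `match ip address` clause as well; `show vlan access-map` and `show vlan filter` show what is actually applied.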