11-29-2006 09:27 AM - edited 03-05-2019 01:05 PM
In my scenario, I want to prevent a computer from accessing my network by applying a MAC access list on my 3550 switch.
So, I created a MAC access list by issuing the following commands:
switch(config)#mac access-list extended test
switch (config-ext-macl)#deny host 0003.9988.CDA0 any
So in this step I want to attach this access list to a VLAN. So I issued the following:
switch(config)#vlan access-map test-1
switch(config-access-map)#action dro
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write
P.S My testing system is in the VLAN 115.
I did all the above steps, but that system can actually still access my network.
Please help. How can I prevent this system from accessing my network?
Thanks
11-29-2006 11:05 AM
your access list is used to match traffic to drop, so you need to permit host 0003.9988.CDA0 rather than deny it. I'd do it like this:
switch(config)#mac access-list extended test
switch (config-ext-macl)#permit host 0003.9988.CDA0 any
switch(config)#vlan access-map test-1 10
switch(config-access-map)#action dro
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan access-map test-1 20
switch(config-access-map)#action forward
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write
11-29-2006 11:20 PM
Hi Friend,
The permit statement is required to match the access-list. Once the entry is matched it is sent through the access-map statement where it will get dropped according to the action defined.
HTH, rate if it does
Narayan
11-29-2006 10:34 PM
I must disable this computer, so I must use the permit command? Why?
Thanks
11-30-2006 07:08 AM
Do not trust the advice above, even the CCIE one :) MAC ACLs DO NOT FILTER, NOR SELECT IPv4 traffic. They affect non-IP traffic only, for example, ARP traffic. So, if your users are smart enough to configure static ARP statements, such as "arp -s
HT really H
11-29-2006 11:22 AM
MAC ACLs do not apply to IP traffic. Only non-IP traffic is affected by the MAC ACL.
Try to use "mac address-table static ... drop" or some other technology instead.
11-30-2006 08:07 AM
This morning I tested all the above advice, but none of it worked!!
11-30-2006 08:49 AM
Hi Friend,
MAC ACLs only work for non-IP traffic, so implementing this will not work and is not a solution for your problem.
You can try this command and update if this works for you
Switch(config)# mac-address-table static 0003.9988.CDA0 vlan 115 drop
This will block all traffic to or from the configured MAC address in the specified VLAN.
Switch(config)# no mac-address-table static 0003.9988.CDA0 vlan 115 drop
This will clear MAC address-based blocking.
HTH
Ankur
*Pls rate all helpful posts
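As an added example (written for this page, not code from the thread and not Cisco's own), the Python audit below parses the three configurations posted above and reports, for a given MAC and VLAN, what each one actually blocks. It encodes the two points the thread makes: a VACL's "match mac address" selects traffic only through permit entries, so a deny entry never feeds the "action drop"; and on the 3550 a MAC ACL classifies non-IP traffic only, so even a working VACL leaves the host's IPv4 traffic untouched, whereas "mac address-table static ... drop" discards all frames to or from the MAC in that VLAN. The parser handles only the command forms that appear in this thread (prompts pasted from a CLI session are stripped), the sample configs are constructed from the posts, and the 3550 behaviour is assumed to be as the thread describes.

```python
"""Constructed audit of Catalyst 3550-style host-blocking configs (not Cisco code)."""
import re

PROMPT = re.compile(r"^\S*\s*(\([^)]*\))?#\s*")  # 'switch(config-access-map)#' etc.


def parse_config(text):
    """Extract MAC ACLs, VLAN access-maps, vlan filters and static drop entries."""
    acls, maps, drops, ctx = {}, {}, set(), None
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line.startswith("!") or line in ("exit", "end", "write"):
            continue
        m = re.match(r"mac access-list extended (\S+)$", line)
        if m:
            acls[m.group(1)] = []
            ctx = ("acl", m.group(1))
            continue
        m = re.match(r"vlan access-map (\S+)(?: (\d+))?$", line)
        if m:  # IOS assigns sequence 10 when none is given
            name, seq = m.group(1), int(m.group(2) or 10)
            maps.setdefault(name, {"seqs": {}, "vlans": set()})
            maps[name]["seqs"][seq] = {"action": "forward", "acls": []}
            ctx = ("map", name, seq)
            continue
        m = re.match(r"vlan filter (\S+) vlan-list ([\d,]+)$", line)
        if m and m.group(1) in maps:
            maps[m.group(1)]["vlans"].update(int(v) for v in m.group(2).split(","))
            ctx = None
            continue
        m = re.match(r"mac[ -]address-table static ([0-9a-f.]+) vlan (\d+) drop$", line, re.I)
        if m:
            drops.add((m.group(1).lower(), int(m.group(2))))
            ctx = None
            continue
        if ctx and ctx[0] == "acl":
            m = re.match(r"(permit|deny) host ([0-9a-f.]+) (any|host [0-9a-f.]+)$", line, re.I)
            if m:
                dst = m.group(3).lower().replace("host ", "")
                acls[ctx[1]].append((m.group(1).lower(), m.group(2).lower(), dst))
        elif ctx and ctx[0] == "map":
            entry = maps[ctx[1]]["seqs"][ctx[2]]
            m = re.match(r"action (\S+)$", line)
            if m:  # IOS accepts unambiguous prefixes such as 'dro' for 'drop'
                entry["action"] = "drop" if "drop".startswith(m.group(1)) else "forward"
            m = re.match(r"match mac address (\S+)$", line)
            if m:
                entry["acls"].append(m.group(1))
    return acls, maps, drops


def vacl_drops(acls, maps, mac, vlan):
    """Walk the access-map sequences in order; the first sequence whose ACL has a
    *permit* entry naming the MAC (or that has no match clause) decides the action.
    Returns (dropped, findings)."""
    findings = []
    for name, vm in maps.items():
        if vlan not in vm["vlans"]:
            continue
        for seq in sorted(vm["seqs"]):
            entry = vm["seqs"][seq]
            if not entry["acls"]:  # catch-all clause, e.g. the 'seq 20 action forward'
                return entry["action"] == "drop", findings
            for acl in entry["acls"]:
                rules = acls.get(acl, [])
                if any(a == "permit" and mac in (s, d) for a, s, d in rules):
                    return entry["action"] == "drop", findings
                if any(a == "deny" and mac in (s, d) for a, s, d in rules):
                    findings.append(f"ACL {acl}: 'deny host {mac}' never selects traffic "
                                    f"for access-map {name} seq {seq}; use 'permit' to match")
    return False, findings


def audit(config_text, mac, vlan):
    """Report whether IP and non-IP traffic to/from `mac` in `vlan` is blocked."""
    mac = mac.lower()
    acls, maps, drops = parse_config(config_text)
    static = (mac, vlan) in drops
    by_vacl, findings = vacl_drops(acls, maps, mac, vlan)
    if by_vacl and not static:
        findings.append("VACL drop via a MAC ACL covers non-IP traffic only on the 3550; "
                        "the host's IPv4 traffic is still forwarded")
    if not static:
        findings.append(f"to block all frames: mac address-table static {mac} vlan {vlan} drop")
    return {"ip_blocked": static, "non_ip_blocked": static or by_vacl, "findings": findings}


# Sample configs constructed from the posts in this thread.
ORIGINAL = """switch(config)#mac access-list extended test
switch (config-ext-macl)#deny host 0003.9988.CDA0 any
switch(config)#vlan access-map test-1
switch(config-access-map)#action dro
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
"""
PERMIT_VACL = ORIGINAL.replace("deny host", "permit host").replace(
    "switch(config-access-map)#exit\n",
    "switch(config-access-map)#exit\nswitch(config)#vlan access-map test-1 20\n"
    "switch(config-access-map)#action forward\nswitch(config-access-map)#exit\n")
STATIC_DROP = "Switch(config)# mac-address-table static 0003.9988.CDA0 vlan 115 drop\n"

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("permit VACL", PERMIT_VACL),
                       ("static drop", STATIC_DROP)):
        print(label, audit(cfg, "0003.9988.CDA0", 115))
```

Running it shows the progression of the thread: the original config blocks nothing, the permit-based VACL blocks only non-IP frames, and the static drop entry blocks everything, which is why the last suggestion was the one that worked.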
12-01-2006 06:06 AM
Your suggestion solved my problem. Thanks a lot Ankur.