Re: mac allow list on 2960 switch

aspilman · ‎05-14-2013

I just got this switch and I would like to setup a mac access-list of allowed addresses.

It is running 15.0(2)SE2

Here is what I have tried:

mac access-list extended ARP_Packet
permit host 0002.4bcc.df0e any
permit host 0004.7577.8139 any
permit host 0004.dd0c.12b5 any
permit host 0005.5e6a.ef01 any
permit host 0006.28b5.204e any
permit host 0007.5003.7063 any
permit host 0007.5032.667d any

vlan access-map allow_arp 10
match mac address ARP_Packet
action forward

vlan filter allow_arp vlan-list 1

(The access-list is longer then what I have included here, about 90 mac addresses.)

Every time I add the vlan filter command everything stops traversing the switch.

How can I fix this?

I have attached the entire config file.

Thanks for your help,

--Aaron

aspilman · ‎05-28-2013

Does anyone have any suggestions on how to make this work?

cadet alain · ‎05-28-2013

Hi,

This won't work because a MAC ACL can only be used to match non IP traffic( like ARP for example) but not IP traffic.

A workaround would be to use manual bindings in DHCP for these hosts and use an IPv4 ACL in your Vlan-map.

Regards

Alain

Don't forget to rate helpful posts.

aspilman · ‎05-31-2013

I am not able to move my DHCP to the switch.

I guess I am confused, I was trying to allow the ARP traffic for only those in my access control list. If they are not in the list they get blocked. If I block the ARP traffic doesn't this stop the IP traffic once the ARP table clears?