Thanks but I'd like to do it on the 2. Layer, like a MAC access-map

Hi Stipe,

Please find below link and let me know if ths is helpfull;

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/15.0SY/configuration/guide/vlan_acls.html

Regards

Inayath

*Plz rate all usefull posts.

Thanks, but I saw these before.

I would just like some sample code because I can't find it online.

I tried something myself but it didn't work.

Hello Stipe,

I hope I did not make a mistake.

MAC PC_A: aaaa.aaaa.aaaa

MAC PC_B: bbbb.bbbb.bbbb

mac access-list extended PCB

  deny host aaaa.aaaa.aaaa host bbbb.bbbb.bbbb

  deny host bbbb.bbbb.bbbb host aaaa.aaaa.aaaa

  permit host bbbb.bbbb.bbbb any

  permit any host bbbb.bbbb.bbbb

vlan access-map FILTER 1

  match mac address PCB

  action drop

vlan access-map FILTER 2

  action forward

vlan filter FILTER vlan-list 1

Best Regards

Please rate all helpful posts and close solved questions

Hi blau grana, thanks for your reply.

I tried your suggestion and it didn't work. It blocked ALL the traffic directed towards and from PC B.

After applied I couldn't access the PC B from any computer.

I double checked the MAC address so I'm certain I got nothing wrong there.

At least the switches I worked with did not support MAC ACLs for IPv4 (0800) traffic, only non IP traffic could be blocked. The reason why your VACL is blocking all traffic is because ARP packets are non-IP and are beeing dropped. MAC-ACLs are very dangerous for networks as they easily kill control plane traffic like BPDUs and LSAs.

You need to use John Blakley's approach or even better use private vlans.

Hello Stipe,

Pille is right, I completely forget that MAC ACL can be used only for non IP traffic. You have to use Vlan ACL but with IP addresses definition.

Try to use John's solution although I am not entirely sure if ACL 101 is correct.

Best Regards

Please rate all helpful posts and close solved questions

Hi guys,

thanks for the replies.

I tried the IP ACL and they did work but weren't completely satisfactory in a sense that my device is still available on pure layer 2 (network scanner could easily find it) so I just added the following to the end of my MAC ACL.

0x806 0x0

and it worked.

As I read on the Internet this should block the ARP Packets so I guess IP ACL aren't necessary after blocking ARP packets right?

 I guess IP ACL aren't necessary after blocking ARP packets right?

teoretically yes, but if you block ARP packets hosts will not be able to find out MAC of some host. Lets say that someone will statically configure ARP - IP address binding, than host can communicate with each other with no problem.

I think you should deny communication with ACL as John in his first post suggested.

Best Regards

Please rate all helpful posts and close solved questions

As I read on the Internet this should block the ARP Packets so I guess IP ACL aren't necessary after blocking ARP packets right?

No. There are other ways of filling the arp table, like reading unicast flooded packets, DHCP requests or manual IP-MAC bindings. If you are fearful of layer2 attacks use your own subnet or private vlans.