VLAN Mac Address Filtering

Sayyidi91
Level 1

Hi,

I have a scenario where I need to do MAC address filtering on a VLAN. Usually for this configuration I can only find how to block certain MACs. However, in my scenario I want to allow only certain MACs on a specific VLAN. I already ran the config below, but the result is that every client trying to connect through that VLAN is blocked. I'm using a C2960-X. Can anyone help me with this?

 

#mac access-list extended TEST
#permit host d461.dad5.824f any

#vlan access-map TEST1 10
#action forward
#match mac address TEST
#vlan access-map TEST1 20
#action drop

#vlan filter TEST1 vlan-list 110
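Why the allow-list above blocks everything on a 2960-X: in a Catalyst VLAN map, a "match mac address" clause is evaluated only for non-IP frames (IP frames are matched against IP ACLs only), so every IP frame skips sequence 10, hits the catch-all sequence 20 and is dropped; and even the ARP replies back to the permitted host are dropped, because ACL TEST permits only frames sent from it. The Python model below is an added example, not part of the thread or of Cisco's software; the gateway and unregistered-client MACs are constructed sample values.

```python
# Modelled Catalyst 2960/3x50 VLAN-map rules: entries are tried in sequence
# order and the first entry whose ACL permits the frame decides the action;
# an entry with no match clause matches everything; 'match mac address' is
# evaluated for non-IP frames only (IP frames are matched against IP ACLs
# only); a frame matching no entry is dropped if the map has a clause of the
# frame's type and forwarded if it has none.
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    src: str      # source MAC in Cisco dotted-hex form
    dst: str      # destination MAC
    is_ip: bool   # True for IPv4, False for ARP and other non-IP frames

def mac_acl_permits(acl, frame):
    """acl is a list of (src, dst) permit entries; 'any' is a wildcard."""
    return any(s in ("any", frame.src) and d in ("any", frame.dst)
               for s, d in acl)

def vlan_map_action(vlan_map, frame):
    """vlan_map is a list of (mac_acl or None, action) in sequence order."""
    saw_mac_clause = False
    for acl, action in vlan_map:
        if acl is None:                 # no match clause: matches all
            return action
        if frame.is_ip:                 # MAC ACLs are skipped for IP frames
            continue
        saw_mac_clause = True
        if mac_acl_permits(acl, frame):
            return action
    return "drop" if saw_mac_clause else "forward"
ALLOWED = "d461.dad5.824f"      # the whitelisted MAC from the thread
GATEWAY = "0000.0c07.ac01"      # constructed sample gateway MAC
OTHER = "aaaa.bbbb.cccc"        # constructed unregistered client
# The original poster's map: seq 10 forward on ACL TEST, seq 20 drop all.
OP_MAP = [([(ALLOWED, "any")], "forward"), (None, "drop")]
# Same map with the ACL widened to also permit frames sent to the host.
BOTH_WAYS_MAP = [([(ALLOWED, "any"), ("any", ALLOWED)], "forward"),
                 (None, "drop")]

def evaluate(vlan_map):
    """Action the map takes on a few representative frames of VLAN 110."""
    frames = {
        "allowed_arp_request": Frame(ALLOWED, "ffff.ffff.ffff", False),
        "gateway_arp_reply": Frame(GATEWAY, ALLOWED, False),
        "allowed_ip_to_gateway": Frame(ALLOWED, GATEWAY, True),
        "gateway_ip_to_allowed": Frame(GATEWAY, ALLOWED, True),
        "other_arp_request": Frame(OTHER, "ffff.ffff.ffff", False),
    }
    return {name: vlan_map_action(vlan_map, f) for name, f in frames.items()}
```

Evaluating OP_MAP forwards only the permitted host's own ARP requests and drops everything else; widening the ACL to both directions (BOTH_WAYS_MAP) repairs ARP but still drops all IP traffic, so a MAC allow-list for IP traffic needs a different mechanism, such as the per-VLAN port security the thread turns to next.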

9 Replies

omz
VIP Alumni
mac access-list extended ARP_Packet
permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
!--- This blocks communication between hosts with this MAC.

!
mac access-list extended ARP_ONE_OUI
permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
!--- This blocks any ARP packet that originates from this vendor OUI.

!
mac access-list extended ARP_TWO_OUI
permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0
!--- This blocks any ARP packet that originates from these two vendor OUIs.

!
vlan access-map block_arp 10
action drop
match mac address ARP_Packet
vlan access-map block_arp 20
action forward

vlan access-map block_one_oui 10
action drop
match mac address ARP_ONE_OUI
vlan access-map block_one_oui 20
action forward

vlan access-map block_two_oui 10
action drop
match mac address ARP_TWO_OUI
vlan access-map block_two_oui 20
action forward

!
vlan filter block_two_oui vlan-list 2
!--- This applies the VLAN map "block_two_oui" to VLAN 2.

Hi omc79,

I have read this command. All I can see is how to block the MAC address. How can I allow that MAC address instead of blocking it?

Hi

So we are talking about a whitelist instead of a blacklist. Why don't you use the port security feature with a maximum number of sticky MAC addresses?

Switch(config)# interface e0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0200.0004
Switch(config-if)# switchport port-security mac-address sticky

Or a maximum number of secure MAC addresses for VLAN 110 on an interface:

Switch(config-if)# switchport port-security maximum 10 vlan 110

 

Hi omc79,

I can't use port security because this feature will be used on a wireless access point port that runs two VLANs, a VLAN for guests and a VLAN for staff. For staff I need to whitelist a few MAC addresses. If I do port security on the port, surely all guests will be blocked.

Thank you for your comment, though.

delasandro
Level 1

#mac access-list extended TEST
#permit host d461.dad5.824f any

#vlan access-map TEST1 10
#action drop
#match mac address TEST
#vlan access-map TEST1 20
#action forward

#vlan filter TEST1 vlan-list 110

Hi Delasandro,

I believe this command blocks the d461.dad5.824f MAC address. I want to allow the d461.dad5.824f MAC and block the other, unregistered MACs.

#mac access-list extended TEST
#permit host 0000.861f.3745 any   (or any host on your L2 that you want to drop)

#vlan access-map TEST1 10
#action drop
#match mac address TEST
#vlan access-map TEST1 20
#action forward

#vlan filter TEST1 vlan-list 110

Host 0000.861f.3745 (the L2 MACs you want to drop) will be dropped, and your d461.dad5.824f will be allowed via

#vlan access-map TEST1 20
#action forward

 

Hi Delasandro

What if I want to block all unregistered MAC addresses and only allow registered MAC addresses on that VLAN?

 

 

#mac access-list extended TEST
#permit host 0000.861f.3745 any   (or any host on your L2 that you want to drop)

#vlan access-map TEST1 10
#action drop
#match mac address TEST
#vlan access-map TEST1 20
#action forward

#vlan filter TEST1 vlan-list 110

This given command states that the MAC 0000.861f.3745 will be blocked, and everything else will be allowed.

I want to allow the MAC address 0000.861f.3745 and block the other MAC addresses.

 
