In order to configure MAC address filtering and apply it to the VLAN interface, you must complete several steps. First, you create the VLAN access maps for each type of traffic that requires filtering. You select a MAC address or range of MAC addresses for blocking. You also need to identify the ARP traffic in the access list. According to RFC 826 , an ARP frame uses the Ethernet protocol type of value 0x806. You can filter on this protocol type as interesting traffic for the access list.
In global configuration mode, create a named MAC extended access list with the name ARP_Packet.
Issue the mac access-list extended ACL_name command and add the host MAC address or addresses that you want to block.
Switch(config)#mac access-list extended ARP_Packet
Switch(config-ext-nacl)#permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
Switch(config-ext-nacl)#end
Switch(config)#Issue the vlan access-map map_ name command and the action drop command, which is the action to perform.
The vlan access-map map_ name command uses the MAC access list that you created to block ARP traffic from the hosts.
Switch(config)#vlan access-map block_arp 10
Switch (config-access-map)#action drop
Switch (config-access-map)#match mac address ARP_Packet
Add an additional line to the same VLAN access map in order to forward the rest of the traffic.
Switch(config)#vlan access-map block_arp 20
Switch (config-access-map)#action forward
Choose a VLAN access map and apply it to a VLAN interface.
Issue the VLAN filter vlan_access_map_name vlan-list vlan_number command.
Switch(config)#vlan filter block_arp vlan-list 2