mac address filtering

Unanswered Question
Jun 25th, 2007

I am trying to set up a MAC address filter to prevent specific machines from accessing an SSID that I have set up for guest access. The config basics on my switch:

****************
mac access-list extended LocalDevices
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any
!
vlan access-map NoAccess 10
 action drop
 match mac address LocalDevices
vlan access-map NoAccess 20
 action forward
vlan filter NoAccess vlan-list 305
****************

If I then connect to the network with a machine that is included in that list (xxxx.xxxx.xxxx for example), I should not be able to pass traffic through that VLAN, correct? Maybe I am misinterpreting what this rule is supposed to do, or I didn't set it up correctly.

Dave

criss_noh Tue, 06/26/2007 - 22:51

It looks like a misconfiguration; it is reversed.

I would configure it as follows.

mac access-list extended LocalDevices
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any
!
vlan access-map NoAccess 10
 match mac address LocalDevices
 action forward
vlan filter NoAccess vlan-list 305

The applied VLAN will be VLAN 305, and only xxxx.xxxx.xxxx and yyyy.yyyy.yyyy get permission. As for any MAC, it apparently will be dropped.

Is it clear?

dsturgeon Wed, 06/27/2007 - 03:28

The goal is to drop all traffic from the addresses in the 'LocalDevices' acl, then allow everyone else. Is this not possible?

Dave

criss_noh Wed, 06/27/2007 - 17:11

If that is your goal, your configuration is correct, 100% sure.

MAC xxxx.xxxx.xxxx, of course, cannot pass through with your configuration.

source xxxx.xxxx.xxxx : deny
source yyyy.yyyy.yyyy : deny
any MAC : permit

For my config:

source xxxx.xxxx.xxxx : permit
source yyyy.yyyy.yyyy : permit
any MAC : deny

dsturgeon Thu, 06/28/2007 - 02:02

OK, that is what I thought: that it should work and those included addresses should not be allowed to pass. So... then why are they not dropped?

I have tested this with a couple of different MAC addresses that are included in the list, and on the specified VLAN they are allowed to pass traffic. Hmmm...
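
A simplified model of how the two VLAN access-maps posted in this thread are evaluated, added here as an example; it is not part of any post and is not Cisco code. It assumes first-match-wins sequence ordering, an implicit drop when the map has a match clause for the frame's type and none matches, and (platform-dependent, since the thread does not name the switch) that a MAC ACL in a VLAN map is only compared against non-IP frames; `Entry`, `evaluate`, `verdicts` and the host zzzz.zzzz.zzzz are hypothetical names.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

# ACL "LocalDevices" from the thread: source MACs it permits (i.e. matches).
LOCAL_DEVICES = frozenset({"xxxx.xxxx.xxxx", "yyyy.yyyy.yyyy"})
OTHER_HOST = "zzzz.zzzz.zzzz"  # constructed: a guest that is not in the ACL

@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                                  # "forward" or "drop"
    match_macs: Optional[FrozenSet[str]] = None  # None = no match clause

# Original poster's map: drop LocalDevices (10), forward the rest (20).
DROP_LISTED = [Entry(10, "drop", LOCAL_DEVICES), Entry(20, "forward")]
# Reply's map: forward LocalDevices only, rely on the implicit drop.
FORWARD_LISTED = [Entry(10, "forward", LOCAL_DEVICES)]

def evaluate(vlan_map, src_mac, is_ip, mac_acl_sees_ip=False):
    """Return "forward" or "drop" for one frame entering the filtered VLAN.

    mac_acl_sees_ip=False encodes the assumption that a MAC ACL in a VLAN
    map is only compared against non-IP frames (platform-dependent).
    """
    mac_clauses_apply = (not is_ip) or mac_acl_sees_ip
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.match_macs is None:
            return entry.action          # no match clause: matches everything
        if mac_clauses_apply and src_mac in entry.match_macs:
            return entry.action          # first matching sequence wins
    # Nothing matched: drop only if the map had a clause for this frame type.
    has_clause = mac_clauses_apply and any(
        e.match_macs is not None for e in vlan_map)
    return "drop" if has_clause else "forward"

def verdicts(vlan_map, **kw):
    """Verdict per (source MAC, frame type) for the three sample hosts."""
    hosts = sorted(LOCAL_DEVICES | {OTHER_HOST})
    return {(mac, "ip" if ip else "non-ip"): evaluate(vlan_map, mac, ip, **kw)
            for mac in hosts for ip in (False, True)}

if __name__ == "__main__":
    for name, m in (("drop-listed", DROP_LISTED),
                    ("forward-listed", FORWARD_LISTED)):
        for key, verdict in verdicts(m).items():
            print(name, *key, verdict)
```

Under the labelled IP assumption, a listed host's IP frames are forwarded by both maps, which matches the symptom in the last post; check the platform's documentation for how MAC ACLs in VLAN maps treat IP traffic before relying on either map.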
