mac address filtering

Unanswered Question
Jun 25th, 2007

I am trying to set up a MAC address filter to prevent specific machines from accessing an SSID that I have set up for guest access. The config basics on my switch:

****************
mac access-list extended LocalDevices
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any
!
vlan access-map NoAccess 10
 action drop
 match mac address LocalDevices
vlan access-map NoAccess 20
 action forward
!
vlan filter NoAccess vlan-list 305
****************


If I then connect to the network with a machine that is included in that list (xxxx.xxxx.xxxx for example), I should not be able to pass traffic through that VLAN, correct? Maybe I am misinterpreting what this rule is supposed to do, or I didn't set it up correctly.


Dave

criss_noh Tue, 06/26/2007 - 22:51

It looks like a misconfiguration, the opposite way around.

I would configure it as follows.


mac access-list extended LocalDevices
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any
!
vlan access-map NoAccess 10
 match mac address LocalDevices
 action forward
!
vlan filter NoAccess vlan-list 305


The VLAN it is applied to is VLAN 305, and only xxxx.xxxx.xxxx and yyyy.yyyy.yyyy get permission. As for any MAC, it will apparently be dropped.


Is it clear?

dsturgeon Wed, 06/27/2007 - 03:28

The goal is to drop all traffic from the addresses in the 'LocalDevices' ACL, then allow everyone else. Is this not possible?


Dave

criss_noh Wed, 06/27/2007 - 17:11

If that is your goal, your configuration is correct, 100% sure.

MAC xxxx.xxxx.xxxx, of course, cannot pass through with your configuration.


source xxxx.xxxx.xxxx : deny

source yyyy.yyyy.yyyy : deny

any MAC : permit


For my config

source xxxx.xxxx.xxxx : permit

source yyyy.yyyy.yyyy : permit

any MAC : deny
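
The two outcome tables above, worked through as an added example that is not part of the original thread: a simplified Python model of VLAN access-map evaluation. It assumes entries are tried in sequence order with first match winning, that an entry with no match clause matches every frame, and that a frame matching no entry is dropped when the map contains a MAC match clause; the MAC addresses are constructed stand-ins for xxxx/yyyy.

```python
# Simplified model of VLAN access-map evaluation (added example, not switch code).
# Assumptions: first matching entry wins, an entry without a match clause
# matches every frame, and an unmatched frame is dropped if the map has at
# least one MAC match clause. Only source-MAC matching is modelled; how a
# given switch platform classifies frames is outside this model.

LOCAL_DEVICES = {"aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb"}  # constructed sample MACs

# Each entry: (sequence number, MAC ACL to match or None, action)
MAP_ORIGINAL = [(10, LOCAL_DEVICES, "drop"), (20, None, "forward")]
MAP_REPLY = [(10, LOCAL_DEVICES, "forward")]


def normalize(mac):
    """Reduce dotted, colon or dash MAC notation to 12 lowercase hex digits."""
    digits = mac.lower().translate(str.maketrans("", "", ".:-"))
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def evaluate(access_map, src_mac):
    """Return (action, sequence); sequence is None when no entry matched."""
    src = normalize(src_mac)
    has_mac_clause = any(acl is not None for _, acl, _ in access_map)
    for seq, acl, action in sorted(access_map, key=lambda e: e[0]):
        if acl is None or src in {normalize(m) for m in acl}:
            return action, seq
    # No entry matched: implicit drop only if the map tests MAC addresses.
    return ("drop", None) if has_mac_clause else ("forward", None)


def verdicts(access_map, macs):
    """Map each sample source MAC to the action the access-map would take."""
    return {mac: evaluate(access_map, mac)[0] for mac in macs}


if __name__ == "__main__":
    samples = ["aaaa.aaaa.aaaa", "BB:BB:BB:BB:BB:BB", "cccc.cccc.cccc"]
    for name, vmap in (("original", MAP_ORIGINAL), ("reply", MAP_REPLY)):
        print(name, verdicts(vmap, samples))
```
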



dsturgeon Thu, 06/28/2007 - 02:02

OK, that is what I thought: that it should work and those included addresses should not be allowed to pass. So... then why are they not dropped?


I have tested this with a couple of different MAC addresses that are included in the list, and on the specified VLAN they are allowed to pass traffic. Hmmm.....
