vlan filter doesn't filter L2 traffic

Unanswered Question
May 4th, 2008

Catalyst 3650 (IOS 12.2(25)SEE2) as a L2 switch.

I want to block all L2 traffic between two MAC addresses.

One MAC is an IP-Phone and the other MAC is the local Voice Gateway. IP-Phone and Voice-Gateway are both in VLAN 10. Both MACs are attached via VLAN Trunks:


interface FastEthernet0/34
 description IP-Phone
 switchport access vlan 50
 switchport mode access
 switchport nonegotiate
 switchport voice vlan 10
 mls qos trust dscp
 spanning-tree portfast

interface GigabitEthernet0/1
 description Voice-Gateway
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 10
 switchport mode trunk

MAC addresses are taken from mac-address-table and double-checked ;-)

I set up a VLAN filter as described in:



sw05(config)#mac access-list extended srst
sw05(config-ext-macl)#permit host 0090.0b08.0507 host 001a.2f80.33cd

sw05(config)#vlan access-map block-srst
sw05(config-access-map)#action drop
sw05(config-access-map)#match mac address srst

sw05(config)#vlan access-map block-srst 20
sw05(config-access-map)#action forward

sw05(config)#do sh vlan access-map
Vlan access-map "block-srst" 10
  Match clauses:
    mac address: srst

Vlan access-map "block-srst" 20
  Match clauses:

sw05(config)#vlan filter block-srst vlan-list 10


But this filter doesn't work.

Do you have any ideas?

pwellmann Sun, 05/04/2008 - 13:12

It works!

You only have to add a second entry in the ACL and have a little patience.

I have modified the ACL for matching both directions:


mac access-list extended srst
 permit host 0090.0b08.0507 host 001a.2f80.33cd
 permit host 001a.2f80.33cd host 0090.0b08.0507


You have to save the configuration (wr) and wait for approx. 5 minutes. Then it works. Clearing the mac-address-table may help...
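
A small check for the pitfall resolved in this thread, as an added example that is not part of the original posts: it reads running-config-style text and reports every "permit host A host B" entry in a MAC ACL used by a drop-action VLAN access-map that has no reverse entry. The sample configuration is constructed from the commands quoted above, the function names are hypothetical, and the parser assumes sub-commands are indented as in "show running-config" output.

```python
import re

# Constructed sample: the one-directional ACL from the question.
SAMPLE_CONFIG = """\
mac access-list extended srst
 permit host 0090.0b08.0507 host 001a.2f80.33cd
!
vlan access-map block-srst 10
 action drop
 match mac address srst
vlan access-map block-srst 20
 action forward
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
ENTRY = re.compile(rf"^\s*permit\s+host\s+({MAC})\s+host\s+({MAC})\s*$", re.I)

def parse_mac_acls(config):
    """Return {acl_name: {(src, dst), ...}} for 'permit host A host B' lines."""
    acls, current = {}, None
    for line in config.splitlines():
        head = re.match(r"^mac access-list extended (\S+)", line)
        if head:
            current = acls.setdefault(head.group(1), set())
        elif line[:1].isspace() and current is not None:
            m = ENTRY.match(line)
            if m:
                current.add((m.group(1).lower(), m.group(2).lower()))
        else:
            current = None  # any other top-level line ends the ACL block
    return acls

def dropped_acls(config):
    """Names of MAC ACLs matched by access-map sequences whose action is drop."""
    names, action, matches = set(), None, []
    for line in config.splitlines() + ["!"]:
        words = line.split()
        if not line[:1].isspace():  # top-level line closes the previous block
            if action == "drop":
                names.update(matches)
            action, matches = None, []
        elif words[:1] == ["action"]:
            action = words[-1]
        elif words[:3] == ["match", "mac", "address"]:
            matches += words[3:]
    return names

def one_way_pairs(config):
    """(acl, src, dst) entries in drop-action ACLs that lack the reverse entry."""
    acls = parse_mac_acls(config)
    return sorted((name, s, d) for name in dropped_acls(config)
                  for s, d in acls.get(name, ()) if (d, s) not in acls[name])
```

Calling one_way_pairs(SAMPLE_CONFIG) flags the single entry from the question; adding the reverse permit line from the reply makes the result empty.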

