vlan filter?

Jul 21st, 2008
I have a router connected to a 3550 switch. The router is in VLAN 55. I want to limit communication on VLAN 55 to the MAC address of the router's E0 interface (0000.0c0a.38c4) and the MAC address of the switch (000d.29ce.0180).

I have the following config:

mac access-list extended R1_mac
 permit host 000d.29ce.0180 host 0000.0c0a.38c4
 permit host 0000.0c0a.38c4 host 000d.29ce.0180
 permit any host ffff.ffff.ffff
!
vlan access-map restrict_vlan55_0000.0c0a.38c4 10
 action forward
 match mac address R1_mac
vlan access-map restrict_vlan55_0000.0c0a.38c4 20
 action drop
!
vlan filter restrict_vlan55_0000.0c0a.38c4 vlan-list 55

When I attempt to ping the router interface from the switch, the ping times out.

If I remove the vlan filter, pings are good.

I have monitored the switch port connected to VLAN 55 and can see my ARP request getting a response. I can also see the echo request and reply packets. However, the vlan filter still appears to be blocking the ICMP response packet.

Any ideas?

srue Mon, 07/21/2008 - 07:44

MAC extended ACLs are only for non-IP traffic.

"Use the mac access-list extended global configuration command to create an access list based on MAC addresses for non-IP traffic."

Use a normal IP extended ACL.
