limit access to vlan with mac access-list not working

Unanswered Question
Jul 13th, 2009

I am trying to limit access to my switches using a MAC access-list that allows only certain MACs to do ARP, and to assign this filter to a particular VLAN.

I set it up as follows:


*************************

mac access-list extended Allowed-mac
 ! 0x806 is the ARP ethertype; the 0x0 mask means an exact ethertype match
 permit host 0002.b305.7bab any 0x806 0x0
 permit host 001a.4b86.6fad any 0x806 0x0
!
vlan access-map forward-arp 10
 action forward
 match mac address CMB-Allowed-mac
vlan access-map forward-arp 20
 action drop
!
vlan filter forward-arp vlan-list 50

************************


Once I apply the filter to VLAN 50, ALL clients on this VLAN are unable to communicate, so it seems that the permitted hosts are not being allowed either.


Any idea where I'm wrong?


THANK YOU


acleri Mon, 07/13/2009 - 01:54

The correct running configuration is the following:


*************

mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any 0x806 0x0
 permit host 001a.4b86.6fad any 0x806 0x0
!
vlan access-map forward-arp 10
 action forward
 match mac address Allowed-mac
vlan access-map forward-arp 20
 action drop
!
vlan filter forward-arp vlan-list 50

**************************

acleri Mon, 07/13/2009 - 01:58

My post may not be clear: I still have the problem, but the running configuration is not the first one I posted but the second.

Thank you.

acleri Mon, 07/13/2009 - 22:07

Solved with an access list applied on each port as follows:


**************

mac access-list extended Allowed-mac
 ! no ethertype given: these source MACs may send any frame type
 permit host 0002.b305.7bab any
 permit host 001a.4b86.6fad any
!
interface FastEthernet0/1
 switchport access vlan 50
 switchport mode access
 ! port ACL: filters frames entering this access port
 mac access-group Allowed-mac in
 spanning-tree portfast

******************
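Why the VLAN map broke everything while the port ACL works, as an added example that is not part of the original thread and not IOS code: the model below parses the three configurations from this thread (embedded as constructed strings) and evaluates frames against them the way a Cisco MAC ACL, a vlan access-map and a mac access-group do in outline: first matching ACE wins, an ACL ends with an implicit deny, the first access-map clause whose match condition holds decides, and a clause without a match condition matches every frame. Run against the posted VLAN map, it shows that an ARP frame from a listed MAC is forwarded but an IPv4 frame (ethertype 0x0800) from the same host falls through to clause 20 and is dropped, because the ACEs permit only ethertype 0x806. That is exactly the "ALL clients cannot communicate" symptom; the port ACL version has no ethertype restriction, so the listed hosts can send anything. It also flags the dangling reference to `CMB-Allowed-mac` in the first post. The MAC `0011.2233.4455` is a constructed, unlisted station, and the model deliberately ignores platform details (for example which ethertypes a MAC ACL is applied to on a given Catalyst family), so treat it as a reasoning aid, not a simulator.

```python
"""Simplified model of Cisco MAC ACL / VLAN access-map / port ACL evaluation.
Added example for this thread; not IOS code, platform specifics are omitted."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

ARP, IPV4 = 0x0806, 0x0800


@dataclass
class Ace:
    action: str                 # "permit" or "deny"
    src: str                    # source MAC or "any"
    dst: str                    # destination MAC or "any"
    ethertype: int | None       # None: every ethertype matches
    mask: int = 0               # wildcard bits, as in IOS (0x0 = exact match)

    def matches(self, src: str, dst: str, etype: int) -> bool:
        if self.src != "any" and self.src != src:
            return False
        if self.dst != "any" and self.dst != dst:
            return False
        return self.ethertype is None or ((etype ^ self.ethertype) & (~self.mask & 0xFFFF)) == 0


@dataclass
class Config:
    acls: dict = field(default_factory=dict)         # name -> [Ace]
    access_maps: dict = field(default_factory=dict)  # name -> [[seq, action, acl_name|None]]
    port_acls: dict = field(default_factory=dict)    # interface -> acl name (mac access-group ... in)


def parse(text: str) -> Config:
    """Parse just the statements used in this thread; other lines are ignored."""
    cfg, acl, clause, iface = Config(), None, None, None
    for line in (l.strip() for l in text.splitlines()):
        if m := re.match(r"mac access-list extended (\S+)$", line):
            acl, clause = cfg.acls.setdefault(m[1], []), None
        elif m := re.match(r"(permit|deny) (host \S+|any) (host \S+|any)(?: (0x[0-9a-f]+) (0x[0-9a-f]+))?$", line, re.I):
            acl.append(Ace(m[1], m[2].split()[-1], m[3].split()[-1],
                           int(m[4], 16) if m[4] else None, int(m[5], 16) if m[5] else 0))
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            clause, acl = [int(m[2]), None, None], None
            cfg.access_maps.setdefault(m[1], []).append(clause)
        elif m := re.match(r"action (forward|drop)$", line):
            clause[1] = m[1]
        elif m := re.match(r"match mac address (\S+)$", line):
            clause[2] = m[1]
        elif m := re.match(r"interface (\S+)$", line):
            iface, acl, clause = m[1], None, None
        elif m := re.match(r"mac access-group (\S+) in$", line):
            cfg.port_acls[iface] = m[1]
    return cfg


def acl_permits(cfg: Config, name: str, src: str, dst: str, etype: int) -> bool:
    """First matching ACE wins; an unmatched frame hits the implicit deny."""
    for ace in cfg.acls.get(name, []):
        if ace.matches(src, dst, etype):
            return ace.action == "permit"
    return False


def vacl_action(cfg: Config, map_name: str, src: str, dst: str, etype: int) -> str:
    """First clause whose match condition holds decides; a clause with no match
    condition matches everything; a frame matching no clause is dropped."""
    for _seq, action, acl_name in sorted(cfg.access_maps[map_name]):
        if acl_name is None or acl_permits(cfg, acl_name, src, dst, etype):
            return action
    return "drop"


def port_acl_action(cfg: Config, iface: str, src: str, dst: str, etype: int) -> str:
    return "forward" if acl_permits(cfg, cfg.port_acls[iface], src, dst, etype) else "drop"


def dangling_acl_refs(cfg: Config) -> list[str]:
    """ACL names referenced from an access map that no mac access-list defines."""
    return sorted({n for clauses in cfg.access_maps.values() for _, _, n in clauses
                   if n is not None and n not in cfg.acls})


# Constructed copies of the configurations posted in the thread.
POSTED_VACL = """mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any 0x806 0x0
 permit host 001a.4b86.6fad any 0x806 0x0
vlan access-map forward-arp 10
 action forward
 match mac address CMB-Allowed-mac
vlan access-map forward-arp 20
 action drop
"""
RUNNING_VACL = POSTED_VACL.replace("CMB-Allowed-mac", "Allowed-mac")  # the poster's actual config
PORT_ACL = """mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any
 permit host 001a.4b86.6fad any
interface FastEthernet0/1
 switchport access vlan 50
 switchport mode access
 mac access-group Allowed-mac in
"""
LISTED, UNLISTED = "0002.b305.7bab", "0011.2233.4455"   # UNLISTED is a constructed MAC


def demo() -> dict:
    vacl, port = parse(RUNNING_VACL), parse(PORT_ACL)
    bcast, gw = "ffff.ffff.ffff", "0000.0c07.ac01"       # constructed destination MACs
    return {
        "dangling_in_post": dangling_acl_refs(parse(POSTED_VACL)),
        "vacl_arp_listed": vacl_action(vacl, "forward-arp", LISTED, bcast, ARP),
        "vacl_ip_listed": vacl_action(vacl, "forward-arp", LISTED, gw, IPV4),   # the real problem
        "vacl_arp_unlisted": vacl_action(vacl, "forward-arp", UNLISTED, bcast, ARP),
        "port_ip_listed": port_acl_action(port, "FastEthernet0/1", LISTED, gw, IPV4),
        "port_arp_unlisted": port_acl_action(port, "FastEthernet0/1", UNLISTED, bcast, ARP),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

Note that the VLAN-map approach would only work if the intent really is to let the listed hosts send nothing but ARP; to let them talk at all, the ACEs in the access map would need to permit the other ethertypes too, which is what dropping the ethertype from the port ACL achieves. Tools like `dangling_acl_refs` are worth running on any config where an access map or access-group names an ACL, since a mistyped name fails silently rather than at commit time.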
