Blocking a mac address with a vlan-access map not working

Unanswered Question
Aug 5th, 2010

I need to block a specific mac address from our LAN.  I put in place the vlan filter below, but it seems that I got it wrong, as the mac still pops up after clearing the arp cache.  Any suggestions on where I went wrong?

mac access-list extended USER1
permit host b8ac.6f6a.5e5c any
mac access-list extended log

vlan access-map BLOCK_USER1 10
action drop
match mac address USER1 log

vlan access-map BLOCK_USER1 20
action forward

vlan filter BLOCK_USER1 vlan-list 999



Nagaraja Thanthry Thu, 08/05/2010 - 16:03


Your configuration looks good. Can you please check and make sure that the ARP entry is showing up in the correct VLAN? Also, have you cleared the ARP after configuring the VLAN access map?



poirot1967 Fri, 08/06/2010 - 04:38

Thanks for the response.  I cleared the arp cache after applying the filter to the vlan.  The mac address popped up the next day in the vlan.  This is an access switch so there is only the one vlan on it.



burleyman Fri, 08/06/2010 - 09:30


VACLs will stop the switch from seeing the MAC address. DHCP, ARP, etc. will not be looked at by VACLs. VACLs only work on intervlan L2 traffic and not on L3 traffic, so they will not totally block all access. I think dot1x security might be something for this, but I am not that familiar with that to know.


Nagaraja Thanthry Fri, 08/06/2010 - 11:13


Can you change your MAC ACL as below:

permit any any 0x806 0x0


Switch(config)#mac access-list extended ARP_Packet
! 0x806 is the ARP EtherType; the trailing 0x0 is the EtherType wildcard mask (exact match)
Switch(config-ext-nacl)#permit host 0000.861f.3745 any 0x806 0x0
Switch(config-ext-nacl)#permit any host 0000.861f.3745 0x806 0x0

Hope this helps.



mbroberson1 Fri, 08/06/2010 - 19:49

Hi Poirot,

Here's a setup in my lab and it worked just fine. Lab setup is with a 3560/24 and a 2611XM in ports fa0/1 & fa0/2 on the switch. Once I cleared the arp on the routers I could not ping between them.

mac access-list extended map1
permit host 0014.f2ef.6140 any
vlan access-map map1 10
action drop
match mac address map1
vlan filter map1 vlan-list 10
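
The following is an added example, not code from the thread or from Cisco: a small Python model of how a Catalyst VLAN access map built from MAC ACLs decides whether a frame is forwarded or dropped, applied to the map in the question, to the ARP-only ACL suggested by Nagaraja Thanthry and to the lab map posted by mbroberson1. The rules it encodes are assumptions taken from the Catalyst 3560/3750 VLAN map documentation: sequences are evaluated in ascending order and the first one whose ACL permits the frame supplies the action; a sequence with no match clause matches every frame; a "match mac address" clause only ever sees non-IP frames; a non-IP frame that matches none of a map's MAC clauses is dropped, while a frame type the map has no clause for at all is forwarded. The gateway MAC, the test frames and the configuration strings are constructed inputs (the question's MAC is substituted into the ARP-only ACL and the stray "log" lines are omitted), and only the "host X" and "any" address forms plus a hexadecimal EtherType with wildcard mask are parsed.

```python
# Added example (not from the thread or from Cisco): toy model of a Catalyst
# VLAN access map with MAC ACLs; the rules it encodes are assumptions.
from collections import namedtuple

ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
# src/dst: lowercase MAC or None for "any"; ethertype None = any; mask = don't-care bits
MacAce = namedtuple("MacAce", "permit src dst ethertype mask")
Frame = namedtuple("Frame", "src dst ethertype")

def _addr(t, i):
    # Parse 'any' or 'host X' at token i; return (mac_or_None, next_index).
    if t[i] == "any":
        return None, i + 1
    if t[i] == "host":
        return t[i + 1].lower(), i + 2
    raise ValueError("only 'host X' and 'any' are modelled: " + " ".join(t))

def parse_config(text):
    """Parse the IOS subset used here into {'acls', 'maps', 'filters'}."""
    cfg = {"acls": {}, "maps": {}, "filters": {}}
    acl = seq = None
    for raw in text.splitlines():
        t = raw.split()
        if not t or t[0] == "!":
            continue
        if t[:3] == ["mac", "access-list", "extended"]:
            acl, seq = cfg["acls"].setdefault(t[3], []), None
        elif t[:2] == ["vlan", "access-map"]:
            seq = cfg["maps"].setdefault(t[2], {}).setdefault(
                int(t[3]), {"action": "forward", "acls": []})
            acl = None
        elif t[:2] == ["vlan", "filter"]:          # single VLAN ids only
            cfg["filters"][int(t[4])] = t[2]
        elif t[0] in ("permit", "deny") and acl is not None:
            src, i = _addr(t, 1)
            dst, i = _addr(t, i)
            et = int(t[i], 16) if i < len(t) else None
            mask = int(t[i + 1], 16) if i + 1 < len(t) else 0
            acl.append(MacAce(t[0] == "permit", src, dst, et, mask))
        elif t[0] == "action" and seq is not None:
            seq["action"] = t[1]
        elif t[:3] == ["match", "mac", "address"] and seq is not None:
            seq["acls"].extend(t[3:])
    return cfg

def _acl_permits(acl, f):
    """First matching ACE decides; no match is the implicit deny."""
    for a in acl:
        if a.src not in (None, f.src.lower()) or a.dst not in (None, f.dst.lower()):
            continue
        care = ~a.mask & 0xFFFF                    # bits the ACE cares about
        if a.ethertype is None or (f.ethertype & care) == (a.ethertype & care):
            return a.permit
    return False

def vacl_decision(cfg, vlan, f):
    """Return 'forward' or 'drop' for frame f entering VLAN vlan."""
    name = cfg["filters"].get(vlan)
    if name is None:
        return "forward"                           # no VLAN map on this VLAN
    mac_clause_seen = False
    for seq in sorted(cfg["maps"][name]):
        entry = cfg["maps"][name][seq]
        if not entry["acls"]:
            return entry["action"]                 # bare sequence matches all
        if f.ethertype == ETHERTYPE_IP:
            continue                               # MAC clauses never see IP
        mac_clause_seen = True
        if any(_acl_permits(cfg["acls"].get(n, []), f) for n in entry["acls"]):
            return entry["action"]
    return "drop" if mac_clause_seen else "forward"

HOST = "b8ac.6f6a.5e5c"       # the MAC from the question
GATEWAY = "0011.2233.4455"    # constructed stand-in for the VLAN's router
MAP = """vlan access-map BLOCK_USER1 10
 action drop
 match mac address {acl}
vlan access-map BLOCK_USER1 20
 action forward
vlan filter BLOCK_USER1 vlan-list 999"""
# Question's config (minus the stray "log" lines) and the ARP-only suggestion with its MAC.
ORIGINAL = f"mac access-list extended USER1\n permit host {HOST} any\n" + MAP.format(acl="USER1")
ARP_ONLY = (f"mac access-list extended ARP_Packet\n permit host {HOST} any 0x806 0x0\n"
            f" permit any host {HOST} 0x806 0x0\n" + MAP.format(acl="ARP_Packet"))
FRAMES = {                                         # constructed test frames
    "arp request from host": Frame(HOST, "ffff.ffff.ffff", ETHERTYPE_ARP),
    "arp reply to host": Frame(GATEWAY, HOST, ETHERTYPE_ARP),
    "ip from host": Frame(HOST, GATEWAY, ETHERTYPE_IP),
    "lldp from host": Frame(HOST, "0180.c200.000e", 0x88CC),
}

def evaluate(config_text, vlan=999):
    """Decision for every constructed frame under one configuration."""
    cfg = parse_config(config_text)
    return {k: vacl_decision(cfg, vlan, f) for k, f in FRAMES.items()}

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL), ("arp-only", ARP_ONLY)):
        print(label, evaluate(text))
```

Running it prints the decision for each constructed frame under both maps. Under the question's map every non-IP frame the host sends, its ARP replies included, is dropped, but an ARP reply addressed to the host and the host's own IP frames pass; the ARP-only ACL additionally drops ARP replies sent to the host and stops matching every other EtherType. In neither case does the MAC ACL touch IP traffic, so once both ends hold ARP entries the host's IP traffic flows regardless of the map, and mbroberson1's lab result (no ping after the ARP caches were cleared) is what the model predicts for ARP being dropped rather than for IP being filtered. If the goal is to keep one MAC off the VLAN entirely, a VLAN map built only from MAC ACLs is the wrong tool on these platforms; on the 3560/3750 series the unicast MAC filtering entry (mac address-table static <mac> vlan <id> drop) or port security on the access port is closer to what the question asks for.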



