Blocking a mac address with a vlan-access map not working

poirot1967
Level 1

I need to block a specific MAC address from our LAN.  I put in place the VLAN filter below, but it seems that I got it wrong, as the MAC still pops up after clearing the ARP cache.  Any suggestions on where I went wrong?

mac access-list extended USER1
permit host b8ac.6f6a.5e5c any
mac access-list extended log


vlan access-map BLOCK_USER1 10
action drop
match mac address USER1 log

vlan access-map BLOCK_USER1 20
action forward

vlan filter BLOCK_USER1 vlan-list 999

Thanks

Poirot

7 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Your configuration looks good. Can you please check and make sure that the ARP entry is showing up in the correct VLAN? Also, have you cleared the ARP after configuring the VLAN access map?

Regards,

NT

Thanks for the response.  I cleared the ARP cache after applying the filter to the VLAN.  The MAC address popped up the next day in the VLAN.  This is an access switch, so there is only the one VLAN on it.

Thanks

Poirot

Poirot,

VACLs will stop the switch from seeing the MAC address. DHCP, ARP, etc. will not be looked at by VACLs. VACLs only work on intra-VLAN L2 traffic and not on L3 traffic, so it will not totally block all access. I think dot1x security might be something for this, but I am not that familiar with that to know.

Mike

Hello,

Can you change your MAC ACL as below (source, destination, then Ethertype and mask):

permit any any 0x806 0x0

Example:

Switch(config)#mac access-list extended ARP_Packet
Switch(config-ext-nacl)#permit host 0000.861f.3745 any 0x806 0x0
Switch(config-ext-nacl)#permit any host 0000.861f.3745 0x806 0x0
Switch(config-ext-nacl)#end

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Hope this helps.

Regards,

NT

mbroberson1
Level 3

Hi Poirot,

Here's a setup in my lab and it worked just fine. Lab setup is with a 3560/24 and a 2611XM in ports fa0/1 & fa0/2 on the switch. Once I cleared the ARP on the routers I could not ping between them.

mac access-list extended map1
permit host 0014.f2ef.6140 any
!
!
vlan access-map map1 10
action drop
match mac address map1
vlan filter map1 vlan-list 10

HTH,

Brandon

micvicsan
Level 1

The command "vlan access-map BLOCK_USER1 20 / action forward" will negate the first one, "vlan access-map BLOCK_USER1 10 / action drop", because it has the higher sequence number. Remove the command "vlan access-map BLOCK_USER1 20 / action forward" and it will work.

micvicsan
Level 1

Dear Poirot,

Remove this statement ("vlan access-map BLOCK_USER1 20 / action forward"). The command was what negated the initial command ("vlan access-map BLOCK_USER1 10 / action drop"), because the second access-map command has the higher sequence number (20) and its action is forward.

After doing that, clear your ARP; it will work.
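As an added example (not from any post in this thread), the following Python script models how an IOS switch walks a VLAN access map: entries are tried in ascending sequence order, the first entry whose match clause hits the frame decides the action, an entry with no match clause matches every frame, and a frame that matches no entry is dropped. That final default, and the omission of the IP versus non-IP distinction that real Catalyst platforms make in VLAN maps, are modelling assumptions, so treat the output as a sanity check on the logic, not as a substitute for testing on the switch. The script runs the OP's BLOCK_USER1 map, the same map with sequence 20 removed, and a variant with the extra "permit any host ..." ACE from NT's second reply, over constructed frames. Every address except the OP's b8ac.6f6a.5e5c is made up.

```python
"""Toy model of Cisco IOS VLAN access-map evaluation (added example, not from the thread)."""
import re
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class MacAce:
    action: str                      # "permit" or "deny"
    src: Optional[str]               # xxxx.xxxx.xxxx, None means "any"
    dst: Optional[str]
    ethertype: Optional[int] = None  # e.g. 0x806 for ARP, None means any type
    type_mask: int = 0               # bits set in the mask are don't-care bits

@dataclass
class MapEntry:
    seq: int
    action: str = "forward"          # IOS default when no "action" line is given
    acls: list = field(default_factory=list)   # MAC ACL names in match clauses

ACE_RE = re.compile(r"(permit|deny)\s+(host\s+\S+|any)\s+(host\s+\S+|any)"
                    r"(?:\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+|\d+))?$", re.I)

def _mac(tok: str) -> Optional[str]:
    return None if tok == "any" else tok.split()[1]

def parse_config(text: str):
    """Parse 'mac access-list extended' and 'vlan access-map' stanzas."""
    acls, maps = {}, {}
    cur_acl = cur_map = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"mac access-list extended (\S+)$", line):
            cur_acl, cur_map = acls.setdefault(m.group(1), []), None
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            cur_map, cur_acl = MapEntry(int(m.group(2))), None
            maps.setdefault(m.group(1), []).append(cur_map)
        elif cur_acl is not None and (m := ACE_RE.match(line)):
            et = int(m.group(4), 16) if m.group(4) else None
            mask = int(m.group(5), 0) if m.group(5) else 0
            cur_acl.append(MacAce(m.group(1).lower(), _mac(m.group(2).lower()),
                                  _mac(m.group(3).lower()), et, mask))
        elif cur_map is not None and (m := re.match(r"action (drop|forward)", line)):
            cur_map.action = m.group(1)
        elif cur_map is not None and (m := re.match(r"match mac address (\S+)", line)):
            cur_map.acls.append(m.group(1))
    for entries in maps.values():
        entries.sort(key=lambda e: e.seq)   # the switch walks entries by sequence number
    return acls, maps

def ace_hits(ace: MacAce, src: str, dst: str, ethertype: int) -> bool:
    if ace.src is not None and ace.src != src.lower():
        return False
    if ace.dst is not None and ace.dst != dst.lower():
        return False
    if ace.ethertype is not None and (ace.ethertype | ace.type_mask) != (ethertype | ace.type_mask):
        return False
    return True

def acl_matches(acl, src, dst, ethertype) -> bool:
    """Inside a VACL match clause a permit ACE means 'this entry matches'; a deny ACE
    or the implicit deny at the end of the ACL means 'no match, try the next entry'."""
    for ace in acl:
        if ace_hits(ace, src, dst, ethertype):
            return ace.action == "permit"
    return False

def vacl_decide(entries, acls, src, dst, ethertype=0x0800):
    """Return (action, sequence) of the first matching entry; ('drop', None) if nothing matches
    (modelling assumption: no-match frames are dropped)."""
    for e in entries:
        if not e.acls or any(acl_matches(acls[n], src, dst, ethertype) for n in e.acls):
            return e.action, e.seq
    return "drop", None

# Constructed from the OP's posted configuration (the stray "log" lines left out).
OP_CONFIG = """
mac access-list extended USER1
 permit host b8ac.6f6a.5e5c any
!
vlan access-map BLOCK_USER1 10
 action drop
 match mac address USER1
vlan access-map BLOCK_USER1 20
 action forward
"""
OP_CONFIG_NO_20 = OP_CONFIG.split("vlan access-map BLOCK_USER1 20")[0]
OP_CONFIG_BOTH_WAYS = OP_CONFIG.replace(" permit host b8ac.6f6a.5e5c any\n",
    " permit host b8ac.6f6a.5e5c any\n permit any host b8ac.6f6a.5e5c\n")
BLOCKED, OTHER, BCAST = "b8ac.6f6a.5e5c", "0011.2233.4455", "ffff.ffff.ffff"  # OTHER is made up

def evaluate(config: str, map_name: str = "BLOCK_USER1"):
    acls, maps = parse_config(config)
    entries = maps[map_name]
    return {
        "arp_from_blocked": vacl_decide(entries, acls, BLOCKED, BCAST, 0x0806),
        "ip_from_blocked": vacl_decide(entries, acls, BLOCKED, OTHER, 0x0800),
        "reply_to_blocked": vacl_decide(entries, acls, OTHER, BLOCKED, 0x0800),
        "unrelated": vacl_decide(entries, acls, OTHER, BCAST, 0x0806),
    }

if __name__ == "__main__":
    for name, cfg in (("OP map", OP_CONFIG), ("no seq 20", OP_CONFIG_NO_20), ("both ways", OP_CONFIG_BOTH_WAYS)):
        print(name, evaluate(cfg))
```

In this model the OP's map drops frames sourced by the blocked MAC at sequence 10 and forwards everything else at sequence 20, so the forward-all entry does not undo the drop; what the single-ACE ACL does leave through is traffic destined to that MAC, which the both-ways variant (NT's second suggestion) also drops. Removing sequence 20 leaves the rest of the VLAN with no forwarding entry at all. Whether a frame that is dropped here is still learned by the switch, or why ARP traffic survives on a given platform, is not something this model can answer; that has to be checked on the hardware.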
