MAC access list question

Answered Question
Nov 29th, 2006

In my scenario, I want to stop a computer from accessing my network by applying a MAC access list on my 3550 switch.


So, I created a MAC access list by issuing the following commands:


switch(config)#mac access-list extended test
switch(config-ext-macl)#deny host 0003.9988.CDA0 any


In the next step I want to attach this access list to a VLAN, so I issued the following:


switch(config)#vlan access-map test-1
switch(config-access-map)#action drop
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write


P.S. My testing system is in VLAN 115.


I did all the above steps, but that system can still access my network.


Please help. How can I stop this system from accessing my network?


Thanks



Correct Answer

Your access list is used to match traffic to drop, so you need to permit host 0003.9988.CDA0 rather than deny it. I'd do it like this:


switch(config)#mac access-list extended test
switch(config-ext-macl)#permit host 0003.9988.CDA0 any

switch(config)#vlan access-map test-1 10
switch(config-access-map)#action drop
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan access-map test-1 20
switch(config-access-map)#action forward
switch(config-access-map)#exit

switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write

rezaalikhani Wed, 11/29/2006 - 22:34

I must disable this computer, so I must use the permit command? Why?


Thanks

Correct Answer
royalblues Wed, 11/29/2006 - 23:20

Hi Friend,


The permit statement is required to match the access-list. Once the entry is matched, it is sent through the access-map statement, where it will get dropped according to the action defined.


HTH, rate if it does

Narayan

Do not trust the advice above, even the CCIE ones :) MAC ACLs DO NOT FILTER, NOR SELECT, IPv4 traffic. They affect non-IP traffic only, for example ARP traffic. So, if your users are smart enough to configure static ARP entries, such as "arp -s ", they should be able to go outside the local segment.


HT really H


rezaalikhani Thu, 11/30/2006 - 08:07
User Badges:

This morning I tested all the above advice, but none of it worked!!

ankbhasi Thu, 11/30/2006 - 08:49

Hi Friend,


MAC ACLs only work for non-IP traffic, so implementing this will not work and is not a solution for your problem.


You can try this command and update if this works for you.


Switch(config)# mac-address-table static vlan drop


This will block all traffic to or from the configured MAC address in the specified VLAN.


Switch(config)# no mac-address-table static vlan


This will clear MAC address-based blocking.


HTH


Ankur


*Pls rate all helpful posts
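An added check, not from this thread or from Cisco: a small Python lint that parses an IOS-style MAC ACL / VLAN access-map configuration and flags the two problems raised above, a drop entry that matches an ACL containing only deny statements (which matches nothing), and, as the later replies note, a MAC ACL used to block an IPv4 host on the 3550. The sample config is constructed from the original post, and the function names are my own.

```python
import re

# Constructed sample (not a real device dump): the original poster's VLAN 115
# setup as described in the thread, with a deny entry in the MAC ACL.
SAMPLE_CONFIG = """\
mac access-list extended test
 deny host 0003.9988.CDA0 any
!
vlan access-map test-1 10
 action drop
 match mac address test
!
vlan filter test-1 vlan-list 115
"""

def parse_config(text):
    """Collect MAC ACL entry actions and access-map entries from IOS-style text."""
    acls, maps, section = {}, {}, None
    for line in text.splitlines():
        if m := re.match(r"mac access-list extended (\S+)", line):
            section, acls[m[1]] = ("acl", m[1]), []
        elif m := re.match(r"vlan access-map (\S+)(?: (\d+))?", line):
            seq = m[2] or "10"              # IOS defaults the sequence number to 10
            section = ("map", m[1], seq)
            maps.setdefault(m[1], {})[seq] = {"action": "forward", "match": []}
        elif not line.startswith(" "):
            section = None                  # '!' or some other top-level command
        elif section and section[0] == "acl":
            acls[section[1]].append(line.split()[0])   # "permit" or "deny"
        elif section and section[0] == "map":
            entry, words = maps[section[1]][section[2]], line.split()
            if words[0] == "action":
                entry["action"] = words[1]
            elif words[:3] == ["match", "mac", "address"]:
                entry["match"].append(words[3])
    return acls, maps

def lint_vacl(text):
    """Flag access-map drop entries that cannot block an IPv4 host on the 3550."""
    acls, maps = parse_config(text)
    findings = []
    for name, seqs in maps.items():
        for seq, entry in seqs.items():
            if entry["action"] != "drop":
                continue
            for acl in entry["match"]:
                if "permit" not in acls.get(acl, []):
                    findings.append(f"{name} {seq}: ACL {acl} has no permit entry, so no frame matches and nothing is dropped")
                findings.append(f"{name} {seq}: a MAC ACL match selects non-IP frames only on this platform; block an IP host with 'mac-address-table static ... drop' instead")
    return findings
```

Run `lint_vacl(SAMPLE_CONFIG)` to get both findings; changing the ACL entry to `permit` clears the first one but not the second.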
