MAC access list question

rezaalikhani
Level 3
Level 3

In my scenario, I want to prevent a computer from accessing my network by applying a MAC access list on my 3550 switch.

So, I created a MAC access list by issuing the following commands:

switch(config)#mac access-list extended test
switch(config-ext-macl)#deny host 0003.9988.CDA0 any

So in this step I want to attach this access list to a VLAN. So I issued the following:

switch(config)#vlan access-map test-1
switch(config-access-map)#action drop
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write

P.S My testing system is in the VLAN 115.

I did all the above steps, but that system can actually still access my network.

Please help. How can I prevent this system from accessing my network?

Thanks

2 Accepted Solutions (bhooker's reply and Narayan's reply, reproduced in the thread below)
8 Replies

bhooker
Level 4
Level 4

Your access list is used to match traffic to drop, so you need to permit host 0003.9988.CDA0 rather than deny it. I'd do it like this:

switch(config)#mac access-list extended test
switch(config-ext-macl)#permit host 0003.9988.CDA0 any
switch(config)#vlan access-map test-1 10
switch(config-access-map)#action drop
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan access-map test-1 20
switch(config-access-map)#action forward
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write

I must disable this computer, so I must use the permit command? Why?

Thanks

Hi Friend,

The permit statement is required to match the access-list. Once the entry is matched it is sent through the access-map statement, where it will get dropped according to the action defined.

HTH, rate if it does

Narayan

Do not trust the advice above, even the CCIE ones :) MAC ACLs DO NOT FILTER, NOR SELECT IPv4 traffic. They affect non-IP traffic only, for example ARP traffic. So, if your users are smart enough to configure static ARP entries, such as "arp -s ", they should be able to go outside the local segment.

HT really H

ovt
Level 4
Level 4

MAC ACLs do not apply to IP traffic. Only non-IP traffic is affected by the MAC ACL.

Try to use "mac address-table static ... drop" or some other technology instead.

This morning I tested all of the above advice, but none of it worked!!

Hi Friend,

MAC ACLs only work for non-IP traffic, so implementing this will not work and is not a solution for your problem.

You can try this command and update if this works for you

Switch(config)# mac-address-table static vlan drop

This will block all traffic to or from the configured MAC address in the specified VLAN.

Switch(config)# no mac-address-table static vlan

This will clear MAC address-based blocking.

HTH

Ankur

*Pls rate all helpful posts

Your suggestion solved my problem. Thanks a lot Ankur.
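As an added illustration (not code from the thread or from Cisco), the simulation below models the three behaviours the replies turn on: a MAC ACL never classifies IP frames, a VLAN access-map sequence fires only when its ACL *permits* the frame, and a static address-table drop entry discards every frame to or from that MAC in the VLAN. The platform rules it encodes are assumptions taken from the thread and the Catalyst 3550 VLAN map documentation; the MAC addresses other than 0003.9988.CDA0 and the sample frames are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass

# Modelled platform rules (assumptions, from the thread and the 3550 VLAN map docs):
#   1. A MAC ACL entry never classifies IP frames; only non-IP frames (ARP etc.) are tested.
#   2. A VACL sequence matches when its ACL permits the frame; a deny entry (or the
#      implicit deny at the end of the ACL) means "no match" for that sequence.
#   3. A frame of a type the map classifies that matches no sequence is dropped; a frame
#      of a type the map has no match clause for (here, IP) is forwarded.
#   4. A static "mac address-table ... drop" entry discards every frame to or from
#      that MAC in that VLAN, whatever the Ethertype.


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    ethertype: str  # "ip" or a non-IP type such as "arp"


@dataclass(frozen=True)
class MacAcl:
    # (action, source_mac) pairs in order; "any" matches every source.
    entries: tuple[tuple[str, str], ...]

    def permits(self, frame: Frame) -> bool:
        if frame.ethertype == "ip":
            return False  # rule 1: IP frames are never classified by a MAC ACL
        for action, mac in self.entries:
            if mac == "any" or mac.lower() == frame.src_mac.lower():
                return action == "permit"
        return False  # implicit deny at the end of the ACL


@dataclass(frozen=True)
class VlanAccessMap:
    # (sequence, action, acl); acl=None is a sequence with no match clause,
    # which matches every frame (like "vlan access-map test-1 20 / action forward").
    sequences: tuple[tuple[int, str, MacAcl | None], ...]

    def decide(self, frame: Frame) -> str:
        if frame.ethertype == "ip":
            return "forward"  # rule 3: this map has no IP match clause
        for _, action, acl in sorted(self.sequences, key=lambda s: s[0]):
            if acl is None or acl.permits(frame):
                return action
        return "drop"  # rule 3: classified type, nothing matched


def static_drop_decide(drop_entries: set[tuple[str, int]], frame: Frame) -> str:
    """Rule 4: a static drop entry blocks the MAC as source or destination in its VLAN."""
    src = (frame.src_mac.lower(), frame.vlan)
    dst = (frame.dst_mac.lower(), frame.vlan)
    return "drop" if src in drop_entries or dst in drop_entries else "forward"


BLOCKED = "0003.9988.cda0"  # the host from the thread
OTHER = "0011.2233.4455"    # constructed: another host in VLAN 115
GATEWAY = "00aa.bbcc.ddee"  # constructed: the VLAN's default gateway

# Original poster's configuration: a single deny entry, one sequence with action drop.
op_map = VlanAccessMap(((10, "drop", MacAcl((("deny", BLOCKED),))),))
# bhooker's configuration: permit the host so sequence 10 matches and drops it,
# then sequence 20 forwards everything else.
bhooker_map = VlanAccessMap(((10, "drop", MacAcl((("permit", BLOCKED),))),
                             (20, "forward", None)))
# Ankur's suggestion: a static address-table drop entry for the host in VLAN 115.
static_drop_entries = {(BLOCKED, 115)}

# Constructed sample frames, all in VLAN 115.
SAMPLE_FRAMES = {
    "blocked_ip": Frame(BLOCKED, GATEWAY, 115, "ip"),
    "blocked_arp": Frame(BLOCKED, "ffff.ffff.ffff", 115, "arp"),
    "other_ip": Frame(OTHER, GATEWAY, 115, "ip"),
    "other_arp": Frame(OTHER, "ffff.ffff.ffff", 115, "arp"),
}


def evaluate(frames: dict[str, Frame] = SAMPLE_FRAMES) -> dict[str, dict[str, str]]:
    """Verdict of each of the three configurations for every sample frame."""
    return {
        name: {
            "op_vacl": op_map.decide(f),
            "bhooker_vacl": bhooker_map.decide(f),
            "static_drop": static_drop_decide(static_drop_entries, f),
        }
        for name, f in frames.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        print(f"{name:12s} {verdicts}")
```

Under these rules both VLAN maps forward the blocked host's IP frames, which matches what the original poster observed; only the static drop entry discards them. The simulation also shows a side effect of the original map worth checking for on a real switch: with a deny-only ACL, no sequence ever matches, so every other host's non-IP frames in VLAN 115 fall to the implicit drop as well.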
