limit access to vlan with mac access-list not working

acleri
Level 1

I am trying to limit access to my switches using a MAC access-list that allows only certain MACs to do ARP, and to assign this filter to a particular VLAN.

I set it up as follows:

*************************
mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any 0x806 0x0
 permit host 001a.4b86.6fad any 0x806 0x0
vlan access-map forward-arp 10
 action forward
 match mac address CMB-Allowed-mac
vlan access-map forward-arp 20
 action drop
vlan filter forward-arp vlan-list 50
************************

Once I apply the filter to VLAN 50, ALL clients on this VLAN are unable to communicate, so it seems that the permitted hosts are not allowed.

Any idea where I'm wrong?

THANK YOU

3 Replies

acleri
Level 1

The correct running configuration is the following:

*************
mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any 0x806 0x0
 permit host 001a.4b86.6fad any 0x806 0x0
vlan access-map forward-arp 10
 action forward
 match mac address Allowed-mac
vlan access-map forward-arp 20
 action drop
vlan filter forward-arp vlan-list 50
**************************

This post may not be clear: I still have the problem, but the running configuration is not the first one I posted but the second.

Thank you.

Solved with an access list applied on each port as follows:

**************
mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any
 permit host 001a.4b86.6fad any
!
!
interface FastEthernet0/1
 switchport access vlan 50
 switchport mode access
 mac access-group Allowed-mac in
 spanning-tree portfast
******************
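
Added example (not part of the original posts, and not Cisco tooling): a small offline check that parses a VLAN access-map configuration like the ones above and reports `match mac address` names with no matching `mac access-list extended` definition, as in the first post's `CMB-Allowed-mac`, plus `drop` entries that carry no match clause. The function name `audit_vlan_maps` and the finding wording are assumptions made for this example.

```python
import re

# Constructed sample: the configuration as first posted in this thread.
FIRST_POST_CONFIG = """\
mac access-list extended Allowed-mac
 permit host 0002.b305.7bab any 0x806 0x0
 permit host 001a.4b86.6fad any 0x806 0x0
vlan access-map forward-arp 10
 action forward
 match mac address CMB-Allowed-mac
vlan access-map forward-arp 20
 action drop
vlan filter forward-arp vlan-list 50
"""

def audit_vlan_maps(config):
    """Return a list of findings for the VLAN access-maps in IOS-style text."""
    defined, entries, applied, cur = set(), [], {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        if m := re.match(r"mac access-list extended (\S+)$", line):
            defined.add(m.group(1))
            cur = None
        elif m := re.match(r"vlan access-map (\S+) (\d+)$", line):
            cur = {"map": m.group(1), "seq": m.group(2), "action": None,
                   "acls": [], "has_match": False}
            entries.append(cur)
        elif m := re.match(r"vlan filter (\S+) vlan-list (\S+)$", line):
            applied[m.group(1)] = m.group(2)
            cur = None
        elif cur and (m := re.match(r"action (forward|drop)$", line)):
            cur["action"] = m.group(1)
        elif cur and line.startswith("match "):
            cur["has_match"] = True
            if m := re.match(r"match mac address (.+)$", line):
                cur["acls"] += m.group(1).split()
    findings = []
    for e in entries:
        where = f"{e['map']} seq {e['seq']} (vlan-list {applied.get(e['map'], 'none')})"
        for acl in e["acls"]:
            if acl not in defined:
                findings.append(f"{where}: undefined MAC ACL '{acl}'")
        # An entry with no match clause applies to every frame that reaches it.
        if e["action"] == "drop" and not e["has_match"]:
            findings.append(f"{where}: drop with no match clause")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vlan_maps(FIRST_POST_CONFIG)))
```

Run against the second post's configuration, the undefined-ACL finding disappears and only the sequence 20 finding remains.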
