Cisco Support Community
New Member

MAC access list question

In my scenario, I want to prevent a computer from accessing my network by applying a MAC access list on my 3550 switch.

So I created a MAC access list by issuing the following commands:

switch(config)#mac access-list extended test
switch(config-ext-macl)#deny host 0003.9988.CDA0 any

Next I wanted to attach this access list to a VLAN, so I issued the following:

switch(config)#vlan access-map test-1
switch(config-access-map)#action drop
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write

P.S. My test system is in VLAN 115.

I did all the above steps, but that system can still access my network.

Please help. How can I block this system from accessing my network?

Thanks

8 REPLIES
New Member

Re: MAC access list question

Your access list is used to match the traffic to drop, so you need to permit host 0003.9988.CDA0 rather than deny it. I'd do it like this:

switch(config)#mac access-list extended test
switch(config-ext-macl)#permit host 0003.9988.CDA0 any
switch(config)#vlan access-map test-1 10
switch(config-access-map)#action drop
switch(config-access-map)#match mac address test
switch(config-access-map)#exit
switch(config)#vlan access-map test-1 20
switch(config-access-map)#action forward
switch(config-access-map)#exit
switch(config)#vlan filter test-1 vlan-list 115
switch(config)#end
switch#write

New Member

Re: MAC access list question

I must disable this computer, so I must use the permit command? Why?

Thanks

Re: MAC access list question

Hi Friend,

The permit statement is required to match the access list. Once the entry is matched, it is sent through the access-map statement, where it will get dropped according to the action defined.

HTH, rate if it does

Narayan

ovt Bronze

Re: MAC access list question

Do not trust the advice above, even the CCIE ones :) MAC ACLs DO NOT FILTER OR SELECT IPv4 traffic. They affect non-IP traffic only, for example ARP traffic. So, if your users are smart enough to configure static ARP entries, such as "arp -s <ip-address> <mac-address>", they should be able to go outside the local segment.

HT really H

ovt Bronze

Re: MAC access list question

MAC ACLs do not apply to IP traffic. Only non-IP traffic is affected by the MAC ACL.

Try to use "mac address-table static ... drop" or some other technology instead.

New Member

Re: MAC access list question

This morning I tested all the advice above, but none of it worked!!

Cisco Employee

Re: MAC access list question

Hi Friend,

MAC ACLs only work for non-IP traffic, so implementing this will not work and is not a solution for your problem.

You can try this command and update if it works for you:

Switch(config)# mac-address-table static <mac-addr> vlan <vlan-id> drop

This will block all traffic to or from the configured MAC address in the specified VLAN.

Switch(config)# no mac-address-table static <mac-addr> vlan <vlan-id>

This will clear the MAC address-based blocking.

HTH

Ankur

*Pls rate all helpful posts

New Member

Re: MAC access list question

Your suggestion solved my problem. Thanks a lot Ankur.
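As an added example (not from the thread or from Cisco), the following Python linter reads IOS-style configuration text and flags the three pitfalls the thread runs into: a deny-only MAC ACL referenced by a drop clause (the original poster's config matches nothing, so nothing is dropped), an access-map with no forward clause (the first answer adds sequence 20 for this), and any MAC ACL match at all, which per ovt's and Ankur's replies only classifies non-IP traffic on the 3550. The parser is a constructed approximation that understands only the stanzas used in this thread, and the sample config is rebuilt from the first post.

```python
import re

# Constructed from the original poster's config: a deny-only MAC ACL in a drop clause.
OP_CONFIG = """
mac access-list extended test
 deny host 0003.9988.CDA0 any
vlan access-map test-1 10
 action drop
 match mac address test
vlan filter test-1 vlan-list 115
"""

def parse_config(text):
    """Collect MAC ACL entry keywords and vlan access-map clauses from IOS-style text."""
    acls, maps, cur = {}, {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"mac access-list extended (\S+)$", line):
            cur = ("acl", m.group(1))
            acls.setdefault(cur[1], [])
        elif m := re.match(r"vlan access-map (\S+)(?: (\d+))?$", line):
            cur = ("map", m.group(1), int(m.group(2) or 10))  # IOS defaults seq to 10
            maps.setdefault(cur[1], {})[cur[2]] = {"action": None, "match": []}
        elif cur and cur[0] == "acl" and line.split()[0] in ("permit", "deny"):
            acls[cur[1]].append(line.split()[0])
        elif cur and cur[0] == "map":
            if m := re.match(r"action (\S+)", line):
                maps[cur[1]][cur[2]]["action"] = m.group(1)
            elif m := re.match(r"match mac address (\S+)", line):
                maps[cur[1]][cur[2]]["match"].append(m.group(1))
    return acls, maps

def lint(text):
    """Return findings for the VACL pitfalls this thread runs into."""
    acls, maps = parse_config(text)
    out = []
    for name, clauses in maps.items():
        for seq, c in sorted(clauses.items()):
            for acl in c["match"]:
                # A MAC ACL classifies non-IP frames only, so IP from the host still passes.
                out.append(f"{name} {seq}: MAC ACL {acl} matches non-IP traffic only")
                if c["action"] == "drop" and "permit" not in acls.get(acl, []):
                    # Nothing matches a deny-only ACL, so the drop clause never fires.
                    out.append(f"{name} {seq}: ACL {acl} has no permit entry, nothing is dropped")
        if not any(c["action"] == "forward" for c in clauses.values()):
            # Frames matching no clause hit the access-map's implicit deny.
            out.append(f"{name}: no 'action forward' clause, unmatched traffic is dropped")
    return out
```

Running `lint(OP_CONFIG)` reports all three findings; applying the first answer's fix (permit instead of deny, plus a sequence 20 forward clause) leaves only the non-IP warning, which is exactly why Ankur's `mac-address-table static ... drop` is the working answer.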
