Cisco Support Community
New Member

mac address filtering

I am trying to set up a MAC address filter to prevent specific machines from accessing an SSID that I have set up for guest access. The config basics on my switch:

****************
mac access-list extended LocalDevices
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any
!
vlan access-map NoAccess 10
 action drop
 match mac address LocalDevices
vlan access-map NoAccess 20
 action forward
vlan filter NoAccess vlan-list 305
****************

If I then connect to the network with a machine that is included in that list (xxxx.xxxx.xxxx for example), I should not be able to pass traffic through that VLAN, correct? Maybe I am misinterpreting what this rule is supposed to do, or I didn't set it up correctly.

Dave

4 REPLIES
New Member

Re: mac address filtering

It looks like a misconfiguration, the opposite way round.

I would configure it as follows.

mac access-list extended LocalDevices
 permit host xxxx.xxxx.xxxx any
 permit host yyyy.yyyy.yyyy any
!
vlan access-map NoAccess 10
 match mac address LocalDevices
 action forward
vlan filter NoAccess vlan-list 305

The applied VLAN will be under VLAN 305 and only get permission for xxxx.xxxx.xxxx, yyyy.yyyy.yyyy. As for any MAC, it will apparently be dropped.

Is it clear?

New Member

Re: mac address filtering

The goal is to drop all traffic from the addresses in the 'LocalDevices' acl, then allow everyone else. Is this not possible?

Dave

New Member

Re: mac address filtering

If that is your goal, your configuration is correct, 100% sure.

MAC xxxx.xxxx.xxxx, of course, cannot pass through with your configuration.

source xxxx.xxxx.xxxx : deny

source yyyy.yyyy.yyyy : deny

any MAC : permit

For my config

source xxxx.xxxx.xxxx : permit

source yyyy.yyyy.yyyy : permit

any MAC : deny

New Member

Re: mac address filtering

OK, that is what I thought: that it should work and those included addresses should not be allowed to pass. So... then why are they not dropped?

I have tested this with a couple different mac addresses that are included in the list, and on the specified vlan they are allowed to pass traffic. Hmmm.....
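
Added example, not part of any post above and not Cisco's code: a small Python model of how a VLAN access-map with a MAC match clause is evaluated, run against both configurations in the thread. It assumes the behaviour Cisco documents for Catalyst 2960/3560/3750-class switches, where MAC VLAN maps access-control non-IP frames only; the thread does not name the platform, and the MAC values and function names are constructed for illustration.

```python
# Added model of VLAN access-map evaluation; not Cisco code, not from the thread.
# ASSUMPTION: rule documented for Catalyst 2960/3560/3750-class switches:
# a MAC ACL in a VLAN map is checked against non-IP frames only.
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for the masked xxxx/yyyy addresses in the posts.
LOCAL_DEVICES = frozenset({"0011.2233.4455", "0011.2233.4466"})


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                          # "drop" or "forward"
    mac_acl: Optional[frozenset] = None  # None = entry has no match clause


def evaluate(vlan_map, src_mac, is_ip):
    """Return "drop" or "forward" for one frame entering the filtered VLAN."""
    for entry in sorted(vlan_map, key=lambda e: e.seq):
        if entry.mac_acl is None:
            return entry.action       # no match clause: matches every frame
        if not is_ip and src_mac in entry.mac_acl:
            return entry.action       # "permit host <mac> any" hit
    # No entry matched. The implicit drop applies only to the frame type
    # (MAC vs IP) for which the map carries at least one match clause.
    has_mac_clause = any(e.mac_acl is not None for e in vlan_map)
    return "drop" if (has_mac_clause and not is_ip) else "forward"


# First post: seq 10 drops LocalDevices, seq 20 forwards everything else.
ORIGINAL_MAP = [Entry(10, "drop", LOCAL_DEVICES), Entry(20, "forward")]
# First reply: seq 10 forwards LocalDevices, nothing else configured.
REPLY_MAP = [Entry(10, "forward", LOCAL_DEVICES)]


def verdicts(vlan_map, listed="0011.2233.4455", other="00aa.bbcc.ddee"):
    """Verdict for listed/unlisted source MACs, for non-IP and IP frames."""
    return {
        (who, kind): evaluate(vlan_map, mac, kind == "ip")
        for who, mac in (("listed", listed), ("unlisted", other))
        for kind in ("non-ip", "ip")
    }


if __name__ == "__main__":
    for name, m in (("original", ORIGINAL_MAP), ("reply", REPLY_MAP)):
        for case, verdict in verdicts(m).items():
            print(f"{name:8} {case[0]:8} {case[1]:6} -> {verdict}")
```

Under that assumption, an IP frame from a listed MAC falls through sequence 10 and is forwarded by sequence 20, so checking how the platform in use handles IP traffic in MAC VLAN maps is the first step when listed hosts still pass traffic.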
