
vlan filter doesn't filter L2 traffic

Catalyst 3650 (IOS 12.2(25)SEE2) as an L2 switch.

I want to block all L2 traffic between two MAC addresses.

One MAC is an IP-Phone and the other MAC is the local Voice Gateway. IP-Phone and Voice-Gateway are both in VLAN 10. Both MACs are attached via VLAN Trunks:

    !
    interface FastEthernet0/34
     description IP-Phone
     switchport access vlan 50
     switchport mode access
     switchport nonegotiate
     switchport voice vlan 10
     mls qos trust dscp
     spanning-tree portfast
    !
    interface GigabitEthernet0/1
     description Voice-Gateway
     switchport trunk encapsulation dot1q
     switchport trunk native vlan 10
     switchport mode trunk
    !

MAC addresses are taken from mac-address-table and double-checked ;-)

I set up a VLAN filter as described in:

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

    sw05(config)#mac access-list extended srst
    sw05(config-ext-macl)#permit host 0090.0b08.0507 host 001a.2f80.33cd
    sw05(config-ext-macl)#exit
    sw05(config)#vlan access-map block-srst
    sw05(config-access-map)#action drop
    sw05(config-access-map)#match mac address srst
    sw05(config-access-map)#exit
    sw05(config)#vlan access-map block-srst 20
    sw05(config-access-map)#action forward
    sw05(config-access-map)#exit
    sw05(config)#do sh vlan access-map
    Vlan access-map "block-srst" 10
      Match clauses:
        mac address: srst
      Action:
        drop
    Vlan access-map "block-srst" 20
      Match clauses:
      Action:
        forward
    sw05(config)#
    sw05(config)#vlan filter block-srst vlan-list 10
    sw05(config)#

But this filter doesn't work.

Do you have any ideas?


Re: vlan filter doesn't filter L2 traffic

It works!

You only have to add a second entry in the ACL and have a little patience.

I have modified the ACL for matching both directions:

    !
    mac access-list extended srst
     permit host 0090.0b08.0507 host 001a.2f80.33cd
     permit host 001a.2f80.33cd host 0090.0b08.0507
    !

You have to save the configuration (wr) and wait for approx. 5 minutes. Then it works. Clearing the mac-address-table may help...

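An added example, not part of either post: a simplified Python model of the thread's access-map, showing why the one-entry ACL drops frames in one direction only and how to flag host pairs that lack a reverse entry. It models only the ordered first-match evaluation of sequences 10 and 20 as configured above; the function names are hypothetical and platform-specific behaviour is not modelled.

```python
import re

# Constructed sample: the two ACL versions quoted in the thread.
ACL_ONE_WAY = """
mac access-list extended srst
 permit host 0090.0b08.0507 host 001a.2f80.33cd
"""
ACL_BOTH_WAYS = ACL_ONE_WAY + " permit host 001a.2f80.33cd host 0090.0b08.0507\n"

ENTRY = re.compile(r"^\s*permit\s+host\s+(\S+)\s+host\s+(\S+)\s*$", re.I | re.M)


def parse_mac_acl(text):
    """Return the (source, destination) host pairs of the 'permit host' lines."""
    return [(s.lower(), d.lower()) for s, d in ENTRY.findall(text)]


def vlan_map_action(src, dst, acl_pairs):
    """Simplified model (an assumption) of the thread's access-map 'block-srst'.

    Sequence 10 drops frames the ACL permits; sequence 20 has no match
    clause, so it forwards everything that fell through sequence 10.
    """
    vlan_map = [
        (10, lambda s, d: (s, d) in acl_pairs, "drop"),
        (20, lambda s, d: True, "forward"),
    ]
    for _seq, matches, action in sorted(vlan_map, key=lambda e: e[0]):
        if matches(src.lower(), dst.lower()):
            return action
    return "forward"  # not reached here: sequence 20 matches every frame


def missing_reverse_entries(acl_pairs):
    """List host pairs that are matched in one direction only."""
    return [(s, d) for s, d in acl_pairs if (d, s) not in acl_pairs]


if __name__ == "__main__":
    a, b = "0090.0b08.0507", "001a.2f80.33cd"
    for name, text in (("one-way", ACL_ONE_WAY), ("both-ways", ACL_BOTH_WAYS)):
        pairs = parse_mac_acl(text)
        print(name, "a->b:", vlan_map_action(a, b, pairs),
              "b->a:", vlan_map_action(b, a, pairs),
              "missing reverse:", missing_reverse_entries(pairs))
```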