VLAN Access-map MAC and IP filter dropping all traffic

I have an existing VLAN access map that is working to block IP traffic, and I tried to add a section to block a couple of station MAC addresses, and it blocked everything.

This is the existing VLAN access-map:

vlan access-map NoInet 10
 match ip address AllLabBlock
 action drop
 exit

vlan access-map NoInet 20
 match ip address NoInetAllow
 action forward
 exit

vlan access-map NoInet 25
 match ip address NoInetPortBlock
 action drop
 exit

vlan access-map NoInet 30
 match ip address NoInetInternalAllow
 action forward
 exit

vlan access-map NoInet 40
 match ip address NoInetDeny
 action drop
 exit

I tried to add this to the top of the list, and all traffic stopped. As soon as I got to the console port and removed it, everything started working again.

vlan access-map NoInet 5
 match mac address MacBlock
 action drop
 exit

I want to block these two MAC addresses:

mac access-list extended MacBlock
 permit host 0050.baa7.2122 any
 permit host 000c.41bf.3324 any

I thought about putting in a MAC permit any any after this section at line 6, but I thought it would forward everything and not hit the IP sections.

Thanks,

Kerry


Re: VLAN Access-map MAC and IP filter dropping all traffic

Hi Kerry,

Note that packets are only matched against access lists of the correct protocol type. IP packets are matched against standard or extended IP access lists. Non-IP packets are only matched against named MAC extended access lists.

Also, if the VLAN map has at least one match clause for the type of packet (IP or MAC) and the packet does not match any of these match clauses, the default is to drop the packet. If there is no match clause for that type of packet in the VLAN map, the default is to forward the packet.

I suspect what is happening here is that the MAC ACL is also blocking things such as ARPs (which are not IP packets) which would mean that you would get very little traffic happening. The ARP is treated as a non-IP packet and denied by the MacBlock ACL.

So I feel that you really need to use something like the following:

vlan access-map NoInet 5
 match mac address MacBlock
 action forward
 exit
!
mac access-list extended MacBlock
 deny host 0050.baa7.2122 any
 deny host 000c.41bf.3324 any
 permit any any

Hope that helps. Please rate the post if it does.

Paresh.
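Added example, not code from the thread or from Cisco: a small Python model of the VLAN access-map rules Paresh quotes (frames are only checked against clauses of their own type; if a clause of that type exists and nothing matches, the default is drop). It uses the two MAC addresses and the map names from the posts; the IP sequences 10-40 are replaced by a constructed clause that forwards all IP traffic, and the sample frames are constructed.

```python
from dataclasses import dataclass

@dataclass
class Frame:
    proto: str        # "ip" or "non-ip" (ARP is non-IP)
    src_mac: str
    src_ip: str = ""  # only meaningful for IP frames

def acl_permits(acl, frame):
    """ACL = list of (action, predicate). The first matching ACE decides;
    an ACL in which nothing matches denies (implicit deny)."""
    for action, matches in acl:
        if matches(frame):
            return action == "permit"
    return False

def vlan_map_action(clauses, frame):
    """clauses = [(match_type, acl, action), ...] in sequence order.
    A frame is only checked against clauses of its own type. If such
    clauses exist and none permits the frame, the default is drop;
    if no clause of that type exists, the default is forward."""
    saw_type = False
    for match_type, acl, action in clauses:
        if match_type != frame.proto:
            continue
        saw_type = True
        if acl_permits(acl, frame):
            return action
    return "drop" if saw_type else "forward"

BLOCKED = {"0050.baa7.2122", "000c.41bf.3324"}   # the two hosts from the thread
def from_blocked(frame):
    return frame.src_mac in BLOCKED

def any_frame(frame):
    return True

# Kerry's first attempt: MacBlock permits only the two hosts; sequence 5 drops.
MacBlock_v1 = [("permit", from_blocked)]
# Paresh's version: deny the two hosts, permit everyone else; sequence 5 forwards.
MacBlock_v2 = [("deny", from_blocked), ("permit", any_frame)]
# Constructed stand-in for the IP sequences 10-40: forward every IP packet.
IP_SEQ = [("permit", any_frame)]

def original_map(frame):
    return vlan_map_action([("non-ip", MacBlock_v1, "drop"), ("ip", IP_SEQ, "forward")], frame)

def corrected_map(frame):
    return vlan_map_action([("non-ip", MacBlock_v2, "forward"), ("ip", IP_SEQ, "forward")], frame)
```

Under this model the first version drops every non-IP frame, so ARP from any host dies, which matches what Kerry saw; the corrected version drops non-IP frames only from the two listed hosts and never consults the MAC ACL for IP packets.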
