#format wiki
#language en
= MAC access list on VLAN interface =
 * Goal: to filter a specific MAC on a VLAN interface.
 * I had to resort to adding an IP ACL; it seems Cisco switches only filter on MAC if the packet is non-IP.
{{{
!
mac access-list extended aclMacWifiGuestBlock
 deny   host d0df.9ad2.ffd4 any
 deny   any host d0df.9ad2.ffd4
 permit any any
!
! Apply the MAC ACL inbound on the access port
int Gi2/0/16
 mac access-group aclMacWifiGuestBlock in
!
!
#sh access-lists aclMacWifiGuestBlock
!
}}}
 * Below did not work.
{{{
!
! In a VLAN access-map, "permit" in the ACL means "match";
! matched frames get the action of the map sequence.
mac access-list extended MacWifiGuestBlock
 permit host d0df.9ad2.ffd4 any
 permit any host d0df.9ad2.ffd4
!
!
vlan access-map vAclWifiGuest 10
 action drop
 match mac address MacWifiGuestBlock
vlan access-map vAclWifiGuest 20
 action forward
!
vlan filter vAclWifiGuest vlan-list 131
!
}}}
 * Monitor with
  * #clear mac address-table dynamic vlan 131
  * #show mac-address-table dynamic vlan 131 | i d0df.9ad2.ffd4
...
----
CategoryCisco
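The monitoring step above, as an added example that is not part of the original page: a Python helper that scans saved `show mac address-table` output for the filtered MAC, whatever notation the MAC is typed in. The sample output is constructed, and the function names `normalize_mac` and `find_mac` are hypothetical.

```python
import re

# Constructed sample of `show mac address-table dynamic vlan 131` output.
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 131    0011.2233.4455    DYNAMIC     Gi2/0/3
 131    d0df.9ad2.ffd4    DYNAMIC     Gi2/0/16
 131    a0b1.c2d3.e4f5    DYNAMIC     Po1
Total Mac Addresses for this criterion: 3
"""

# One table row: vlan id, MAC, entry type, port.
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:\-]+)\s+(\S+)\s+(\S+)\s*$")


def normalize_mac(mac):
    """Return a MAC as 12 lowercase hex digits (accepts aa:bb.., aa-bb.., aabb.ccdd..)."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_mac(output, mac, vlan=None):
    """Return [(vlan, port)] for every table row whose MAC equals `mac`."""
    wanted = normalize_mac(mac)
    hits = []
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or summary line
        row_vlan, row_mac, _type, port = m.groups()
        try:
            same = normalize_mac(row_mac) == wanted
        except ValueError:
            continue  # second column was not a MAC after all
        if same and (vlan is None or int(row_vlan) == vlan):
            hits.append((int(row_vlan), port))
    return hits


if __name__ == "__main__":
    for vlan, port in find_mac(SAMPLE_OUTPUT, "D0:DF:9A:D2:FF:D4", vlan=131):
        print(f"filtered MAC is learned on vlan {vlan}, port {port}")
```

Run it against output captured after the `clear mac address-table` step to see whether, and on which port, the MAC has been relearned.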