Re: MAC Filter 3560

From: Adrian Brayton <abrayton_at_gmail.com>
Date: Fri, 10 Sep 2010 08:14:42 -0400

When it comes to VLAN access-maps, they should accomplish what you are trying to do when you apply them. It's when you make changes that you HAVE to remove and reapply them.

It's the default behavior.

On Sep 10, 2010, at 1:57 AM, Chris Grammer wrote:

> Thanks for the help!
> And, I will let you know the results of the testing.
>
> Chris
>
> On Thu, Sep 9, 2010 at 11:57 PM, Garth Bryden <
> hacked.the.planet.on.28.8k.dialup_at_gmail.com> wrote:
>
>> I agree with Kubilay.
>>
>> MAC ACLs will only affect non-IP traffic :-)
>>
>> On Fri, Sep 10, 2010 at 12:45 PM, Kubilay Akgul <kubilayakgul_at_gmail.com> wrote:
>>
>>> Hi Chris,
>>>
>>> As far as I remember, MAC access-lists are only used to filter non-IP
>>> traffic like ARP.
>>> In your example, when you shut the interface, routers will clear their ARP
>>> tables. And when you enable it again and try to create traffic, the MAC
>>> access list will block all new ARP requests. So you thought that your ACL
>>> worked after a shut/no-shut.
>>> But, actually it only blocked the ARP packets. To test it, after shut and
>>> no-shut, create manual ARP entries on routers. They probably start to
>>> communicate again and you will see that your MAC filter is not working for
>>> IP traffic. :)
>>>
>>> Another way of testing can be clearing ARP tables on routers without a
>>> shut/no shut operation. Since the MAC ACL will again block the ARP request,
>>> your ACL will again seem to be working (but just because it blocked ARPs).
>>>
>>> Please share your result to see if I am right.
>>>
>>> Thanks.
>>>
>>>
>>>
>>> -----Original Message-----
>>> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
>>> Chris Grammer
>>> Sent: Thursday, September 09, 2010 14:50
>>> To: Cisco certification
>>> Subject: MAC Filter 3560
>>>
>>> I have run into an interesting issue.
>>>
>>> If I create a MAC filter such as:
>>>
>>> mac access-list extended BLOCK3
>>> deny host 0012.d993.d5c2 any
>>> permit any any
>>>
>>> I apply the access-list to the fa1/0/1 interface of the switch:
>>>
>>> interface FastEthernet1/0/1
>>> switchport access vlan 40
>>> switchport mode access
>>> mac access-group BLOCK3 in
>>>
>>>
>>> The problem is, the access list will not block the MAC address unless I
>>> shut/no shut the interface.
>>> If I apply the MAC access-list to a vlan access-map it exhibits the same
>>> behavior.
>>> If I apply an IP access list to the interface or access-map, the change is
>>> immediate.
>>>
>>> Is this normal behavior for a layer 2 access-list on a switch?
>>>
>>> Thanks,
>>>
>>> Chris
>>>
>>>
>>> Blogs and organic groups at http://www.ccie.net
>>>
>>> _______________________________________________________________________
>>> Subscription information may be found at:
>>> http://www.groupstudy.com/list/CCIELab.html
>>>
>

Received on Fri Sep 10 2010 - 08:14:42 ART
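As an added illustration (not code from anyone in the thread, and not switch code), a small Python model of the 3560 lookup order Kubilay describes: a MAC ACL is consulted only for non-IP frames such as ARP, while IP frames are checked against the IP ACL (none is applied in Chris's config, so IP is permitted). The frame format and the helper names are constructed for the example.

```python
# Constructed model of the behaviour discussed in the thread: on the 3560,
# a MAC ACL on the port only sees non-IP frames; IPv4 frames go to the IP ACL.
from dataclasses import dataclass

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806


@dataclass(frozen=True)
class Frame:
    src_mac: str      # dotted-hex as IOS prints it, e.g. 0012.d993.d5c2
    ethertype: int


def mac_acl_block3(frame: Frame) -> bool:
    """The MAC ACL from the original post:
       deny host 0012.d993.d5c2 any / permit any any"""
    if frame.src_mac.lower() == "0012.d993.d5c2":
        return False
    return True


def ip_acl(frame: Frame) -> bool:
    """No IP ACL is applied on fa1/0/1 in the post, so IP traffic is permitted."""
    return True


def port_permits(frame: Frame) -> bool:
    """Model of the lookup: IPv4 ethertype -> IP ACL only; anything else -> MAC ACL."""
    if frame.ethertype == ETHERTYPE_IPV4:
        return ip_acl(frame)
    return mac_acl_block3(frame)


def explain_shut_noshut_test() -> dict:
    """Reproduce the observation: after shut/no shut the ARP caches are empty and
    the ARP request from the denied MAC is dropped, so the hosts never resolve each
    other and the ACL looks effective. With static ARP entries the IPv4 frames from
    the same MAC pass untouched."""
    blocked = "0012.d993.d5c2"
    return {
        "arp_request_passes": port_permits(Frame(blocked, ETHERTYPE_ARP)),   # False
        "ipv4_packet_passes": port_permits(Frame(blocked, ETHERTYPE_IPV4)),  # True
    }


if __name__ == "__main__":
    print(explain_shut_noshut_test())
```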

This archive was generated by hypermail 2.2.0 : Fri Oct 01 2010 - 05:58:05 ART