cisco hands-on experience


mac access-list and vlan access-map behavior

How to create a MAC access-list and a VLAN access-map

Over the last few days at work, we noticed MAC address flapping on several access switches.
I don’t know how to troubleshoot it and how to fix it as an interim arrangement.


Figure 1

The syslog error message looks like this.
syslog output SW1
Jul 17 12:06:42.296: %SW_MATM-4-MACFLAP_NOTIF: Host 0007.3b01.a895 in vlan 102 is flapping between port Po1 and port Fa0/20
Jul 17 12:06:42.967: %SW_MATM-4-MACFLAP_NOTIF: Host 0007.3b01.a892 in vlan 102 is flapping between port Po1 and port Fa0/21
syslog output SW2
Jul 17 10:50:53.306: %C4K_EBM-4-HOSTFLAPPING: Host 00:07:3B:01:A8:92 in vlan 102 is flapping between port Gi3/3 and port Gi2/2
Jul 17 10:50:53.370: %C4K_EBM-4-HOSTFLAPPING: Host 00:07:3B:01:A8:95 in vlan 102 is flapping between port Gi3/3 and port Gi2/2
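
The two switches report the same hosts with different message IDs and MAC notations. As an added example (not part of the original post), the Python script below parses both message types, normalizes the MAC addresses and lists every port each host was seen flapping between. The function names are my own, and the sample input is the four syslog lines shown above.

```python
import re
from collections import defaultdict

# Sample input: the four syslog lines quoted above (SW1 and SW2).
SAMPLE_LOG = """\
Jul 17 12:06:42.296: %SW_MATM-4-MACFLAP_NOTIF: Host 0007.3b01.a895 in vlan 102 is flapping between port Po1 and port Fa0/20
Jul 17 12:06:42.967: %SW_MATM-4-MACFLAP_NOTIF: Host 0007.3b01.a892 in vlan 102 is flapping between port Po1 and port Fa0/21
Jul 17 10:50:53.306: %C4K_EBM-4-HOSTFLAPPING: Host 00:07:3B:01:A8:92 in vlan 102 is flapping between port Gi3/3 and port Gi2/2
Jul 17 10:50:53.370: %C4K_EBM-4-HOSTFLAPPING: Host 00:07:3B:01:A8:95 in vlan 102 is flapping between port Gi3/3 and port Gi2/2
"""

# Matches both flap notifications seen on this page.
FLAP_RE = re.compile(
    r"%(?:SW_MATM-4-MACFLAP_NOTIF|C4K_EBM-4-HOSTFLAPPING): "
    r"Host (?P<mac>[0-9A-Fa-f.:]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)"
)

def normalize_mac(mac):
    """Return the MAC in Cisco dotted notation (xxxx.xxxx.xxxx), lower case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def summarize_flaps(log_text):
    """Map (mac, vlan) -> {'ports': set of port names, 'events': count}."""
    summary = defaultdict(lambda: {"ports": set(), "events": 0})
    for line in log_text.splitlines():
        m = FLAP_RE.search(line)
        if not m:
            continue  # not a flap notification
        entry = summary[(normalize_mac(m["mac"]), int(m["vlan"]))]
        entry["ports"].update((m["a"], m["b"]))
        entry["events"] += 1
    return dict(summary)

if __name__ == "__main__":
    for (mac, vlan), info in sorted(summarize_flaps(SAMPLE_LOG).items()):
        ports = ", ".join(sorted(info["ports"]))
        print(f"{mac} vlan {vlan}: {info['events']} events, ports: {ports}")
```
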

Current situation
On SW1, at ports Fa0/20 and Fa0/21, there was a telephone switchboard that operates in VLAN 102.
On the access switch with the trouble port, there was a client that causes the problem.
My decision was to filter the MAC address at port Gi2/2 on SW2 (only as an interim arrangement).

There are 3 ways to filter MAC addresses in my case:

  1. Block the MAC address on a dedicated port
  2. Block the MAC address for a specific VLAN for the whole switch with a VLAN access-map
  3. Block the MAC address for the whole switch with a static MAC address drop statement

Case1
SW2#conf t
SW2(config)#mac access-list ext Block_mac
SW2(config-ext-macl)#deny host 0007.3b01.a895 any
SW2(config-ext-macl)#deny any host 0007.3b01.a895
SW2(config-ext-macl)#deny host 0007.3b01.a892 any
SW2(config-ext-macl)#deny any host 0007.3b01.a892
SW2(config-ext-macl)#permit any any
SW2(config-ext-macl)#exit
SW2(config)#exit
SW2#
.
.
.
SW2#
SW2#conf t
SW2(config)#int gi2/2
SW2(config-if)#mac access-group Block_mac in
SW2(config-if)#end
SW2#
Case2
SW2#
SW2#conf t
SW2(config)#vlan access-map Block_mac_map 10
SW2(config-access-map)#match mac address Block_mac
SW2(config-access-map)#action drop
SW2(config-access-map)#exit
SW2(config)#exit
SW2#
.
.
.
Switch#sh vlan access-map
Vlan access-map "Block_mac_map" 10
Match clauses:
mac address: Block_mac
Action:
drop
.
.
.
SW2#
SW2#conf t
SW2(config)#vlan filter Block_mac_map vlan-list 102
SW2(config)#exit
SW2#
Case3
SW2#
SW2#conf t
SW2(config)#mac address-table static 0007.3b01.a895 vlan 102 drop
SW2(config)#mac address-table static 0007.3b01.a892 vlan 102 drop
SW2(config)#end
SW2#
