In a network, you can block Address Resolution Protocol (ARP) request
packets to restrict user access. In some network scenarios, you want to block
ARP packets based, not on the IP address, but on the Layer 2 MAC addresses.�You
can accomplish this type of restriction if you create MAC address access
control lists (ACLs) and VLAN access maps and apply them to a VLAN
This document discusses the configuration for a Cisco Catalyst 3550
Series Switch. You can use any Catalyst 2970, 3560, or 3750 Series Switch in
this scenario in order to obtain the same results. The document demonstrates
how to configure a MAC ACL to block communication among devices within a
VLAN.�You can block a single host or a range of hosts, based on the host
network interface card (NIC) adapter manufacturer. You can block a range of
hosts if you disallow ARP packets that originate from these devices based on
the IEEE Organizational Unique Identifier (OUI) and company_id assignments.�
OUI and Company_id Assignments
in order to determine IEEE OUI and
The information in this document is based on the Cisco Catalyst 3550
The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.
Other switches that support the commands in this configuration
Refer to the
Technical Tips Conventions for more information on document
In this section, you are presented with the information to configure
the features described in this document.
In order to configure MAC address filtering and apply it to the VLAN
interface, you must complete several steps. First, you create the VLAN access
maps for each type of traffic that requires filtering. You select a MAC address
or range of MAC addresses for blocking. You also need to identify the ARP
traffic in the access list. According to
ARP frame uses the Ethernet protocol type of value 0x806. You can filter on
this protocol type as interesting traffic for the access list.
In global configuration mode, create a named MAC extended access
list with the name ARP_Packet.
access-list extended ACL_name
command and add the host MAC address or addresses that you want to
Switch(config)#mac access-list extended ARP_Packet
Switch(config-ext-nacl)#permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
access-map map_ name
the action drop command, which is the action to
The vlan access-map map_
command uses the MAC access list that you
created to block ARP traffic from the hosts.
Switch(config)#vlan access-map block_arp 10
Switch (config-access-map)#action drop
Switch (config-access-map)#match mac address ARP_Packet
Add an additional line to the same VLAN access map in order to
forward the rest of the traffic.
Switch(config)#vlan access-map block_arp 20
Switch (config-access-map)#action forward
Choose a VLAN access map and apply it to a VLAN
Issue the VLAN filter
Switch(config)#vlan filter block_arp vlan-list 2
This sample configuration creates three MAC access lists and three VLAN
access maps. The configuration applies the third VLAN access map to VLAN
mac access-list extended ARP_Packet
permit host 0000.861f.3745 host 0006.5bd8.8c2f 0x806 0x0
!--- This blocks communication between hosts with this MAC.
mac access-list extended ARP_ONE_OUI
permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
!--- This blocks any ARP packet that originates from this vendor OUI.
mac access-list extended ARP_TWO_OUI
permit 0000.8600.0000 0000.00ff.ffff any 0x806 0x0
permit 0006.5b00.0000 0000.00ff.ffff any 0x806 0x0
!--- This blocks any ARP packet that originates from these two vendor OUIs.
vlan access-map block_arp 10
match mac address ARP_Packet
vlan access-map block_arp 20
vlan access-map block_one_oui 10
match mac address ARP_ONE_OUI
vlan access-map block_one_oui 20
vlan access-map block_two_oui 10
match mac address ARP_TWO_OUI
vlan access-map block_two_oui 20
vlan filter block_two_oui vlan-list 2
!--- This applies the MAC ACL name “block_two_oui” to VLAN 2.
Use this section to confirm that your configuration works
You can verify if the switch has learned the MAC address or ARP entry
before you apply the MAC ACL. Issue the
command, as this example shows.
Output Interpreter Tool
(registered customers only)
(OIT) supports certain
show commands. Use the OIT to view an analysis of
show command output.
switch#show mac-address-table dynamic vlan 2
������ ����Mac Address Table
Vlan��� Mac Address������ Type������� Ports
----��� -----------������ --------��� -----
��� 2��� 0000.861f.3745��� DYNAMIC���� Fa0/21
��� 2��� 0006.5bd8.8c2f��� DYNAMIC���� Fa0/22
Total Mac Addresses for this criterion: 2
switch#show ip arp
Protocol� Address��������� Age (min)� Hardware Addr�� Type�� Interface
Internet� 10.1.1.2�������������� 26�� 0000.861f.3745� ARPA�� Vlan2
Internet� 10.1.1.3�������������� 21�� 0006.5bd8.8c2f� ARPA�� Vlan2
Internet� 10.1.1.1��������������� -�� 000d.65b6.9700� ARPA�� Vlan2
There is currently no specific troubleshooting information available
for this configuration.