i read the document. there is one NOTE: # NOTE: Squid can only determine the MAC address for clients that are on the same subnet. If the client is on a different subnet, then Squid cannot find out its MAC address. so the mac address from other vlan,canot be denied by arp control? -- View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/acl-arp-and-vlan-tp4115762p4662698.html Sent from the Squid - Users mailing list archive at Nabble.com.