Access-list 700

Answered Question
May 1st, 2007

Hello,

I define an access-list 700 like this:

access-list 700 permit 000e.3543.2c81

to authorize only one computer to a port.

conf t

int Fa0/1

bridge-group 1 input-address-list 700

I want to apply that to port Fa0/1, but I cannot find the right way, because the port never becomes err-disabled if I connect another computer.

I don't know why.

Thank you for your help...

Correct Answer by med_ddevlin about 9 years 9 months ago

Can you supply the access-List commands you used?

The commands should be as follows:

mac access-list extended MAC_Allowed

permit host (MAC Address / 48-bit) any

for example:

permit host 0050.56c0.0001 any

permit host 0019.b960.bbca any

int f0/1

mac access-group MAC_Allowed in

Please Rate if this helps.

jbeltrame Tue, 05/01/2007 - 05:08

Why don't you use port-security, and have the port go down when another MAC is seen? It might be the easier way to go.

claude1968 Tue, 05/01/2007 - 05:13

I have 3 or 4 MAC addresses to permit and deny all others. So, port-security must have one MAC address...

med_ddevlin Tue, 05/01/2007 - 08:04

I have to agree with Jason though... why not implement port-security on the specified port, which in this case is f0/1.

Commands:

switchport mode access

switchport port-security

switchport port-security maximum 4

The default action is to shutdown the interface. You can change this if you type "switchport port-security violation (option)" Options being "protect", "restrict" or "shutdown". Restrict is a nice option if you do not want to shut the interface down but still block unknown addresses. I think this is what you were looking for.

What this will do is learn up to 4 (in my example), then shut the interface down if anything is outside of that list (unless you change the option). For this to work effectively, you would have to configure this on your switchport, then plug in each machine (or device) to have the switch learn the MAC addresses.

Please rate if it helps.

claude1968 Tue, 05/01/2007 - 09:15

Yes, it helps me. But I must have the 4 computers with me. It will be easier for me if I can put the MAC addresses in the config.

And I still don't know how to apply an access-list 700 on a port. I found nothing on the Internet, and I used the command syntax proposed by Cisco, but it doesn't work.

Switch(config-if)#mac access-group 700 in

% Invalid access list name.

Switch(config-if)#

Nobody seems to understand it.
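The thread leaves one point open: the poster wants the allowed MAC addresses written into the configuration rather than learned by plugging each machine in. Port-security supports exactly that with static entries. The configuration below is an added example, not something posted in the thread; it assumes a Catalyst switch running IOS, uses the poster's address 000e.3543.2c81, and fills the other three slots with constructed placeholder addresses that must be replaced with the real ones.

```cisco
! Added example (not from the thread): static port-security on Fa0/1.
! The four addresses are entered in the config, so the switch does not
! need to learn them from connected machines.
! 000e.3543.2c81 is the poster's MAC; the other three are constructed
! placeholders and must be replaced with the real addresses.
conf t
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 ! "shutdown" puts the port in err-disabled on a violation (the
 ! behaviour the poster expected); "restrict" drops the frames, logs
 ! and counts them but keeps the port up; "protect" drops silently.
 switchport port-security violation shutdown
 switchport port-security mac-address 000e.3543.2c81
 switchport port-security mac-address 0000.0000.0002
 switchport port-security mac-address 0000.0000.0003
 switchport port-security mac-address 0000.0000.0004
end

! Verify the secure addresses and watch the violation counter
show port-security interface FastEthernet0/1
show port-security address

! Optional: let an err-disabled port recover by itself (default timer
! 300 seconds) instead of requiring a manual shutdown / no shutdown
conf t
errdisable recovery cause psecure-violation
end
```

Two practical notes. First, this is why the original attempt never produced an err-disabled port: access-list 700 is a bridge-group MAC list for routed bridging, and a named MAC ACL such as the accepted answer's MAC_Allowed simply drops frames from other hosts while the port stays up; only port-security raises a violation and shuts the port. Second, with violation mode "shutdown" a single mistyped address or a laptop docking station with its own MAC will err-disable the port, so the show commands above (and a syslog watch for PORT_SECURITY messages) are the first place to look when a user reports a dead port.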

