05-01-2007 03:59 AM - edited 02-20-2020 09:39 PM
Hello,
I define an access-list 700 like this:
access-list 700 permit 000e.3543.2c81
to authorize only one computer on a port.
conf t
int Fa0/1
bridge-group 1 input-address-list 700
I want to apply that to port Fa0/1, but I cannot find the right way, because the port never goes err-disabled when I connect another computer.
I don't know why.
Thank you for your help...
05-01-2007 05:08 AM
Why don't you use port-security, and have the port go down when another MAC is seen? Might be the easier way to go.
05-01-2007 05:13 AM
I have 3 or 4 MAC addresses to permit and deny all others. So, port-security must have one MAC address...
05-01-2007 08:04 AM
I have to agree with Jason though... why not implement port-security on the specified port, which in this case is f0/1.
Commands:
switchport mode access
switchport port-security
switchport port-security maximum 4
The default action is to shutdown the interface. You can change this if you type "switchport port-security violation (option)" Options being "protect", "restrict" or "shutdown". Restrict is a nice option if you do not want to shut the interface down but still block unknown addresses. I think this is what you were looking for.
What this will do is learn up to 4 (in my example) then shut the interface down if anything is outside of that list (unless you change the option). For this to effectively work, you would have to configure this on your switchport then plug in each machine (or device) to have the switch learn the MAC addresses.
Please rate if it helps.
05-01-2007 09:15 AM
Yes, it helps me. But I must have the 4 computers with me. It will be easier for me if I can put the MAC addresses in the config.
And I still don't know how to apply an access-list 700 on a port. I found nothing on the Internet, and I used the command syntax proposed by Cisco, but it doesn't work.
Switch(config-if)#mac access-group 700 in
% Invalid access list name.
Switch(config-if)#
Nobody seems to understand it.
05-01-2007 10:02 AM
Can you supply the access-List commands you used?
The commands should be as follows:
mac access-list extended MAC_Allowed
permit host (MAC Address / 48-bit) any
for example:
permit host 0050.56c0.0001 any
permit host 0019.b960.bbca any
int f0/1
mac access-group MAC_Allowed in
Please Rate if this helps.
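As an added example (not posted by anyone in this thread), here is a full configuration that combines the two approaches discussed above: port-security with the allowed MAC addresses entered statically, so the machines do not have to be plugged in for the switch to learn them, and the named extended MAC ACL form that "mac access-group" accepts. The interface name and the MAC addresses are placeholders taken from the thread; substitute your own.

```cisco
! Added example, not from any poster in this thread.
! Interface and MAC addresses are placeholders; replace with your own values.
!
! Option A: port-security with statically configured MAC addresses.
! Only these addresses are allowed on the port; "restrict" drops frames from
! any other source MAC and logs a violation without shutting the port down
! (use "shutdown" instead if you want err-disable behaviour).
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security violation restrict
 switchport port-security mac-address 000e.3543.2c81
 switchport port-security mac-address 0050.56c0.0001
 switchport port-security mac-address 0019.b960.bbca
!
! Option B: named extended MAC ACL applied to the port.
! "mac access-group" expects a named MAC extended list; the numbered 700-799
! range is the older bridge-group style MAC list, which is why
! "mac access-group 700 in" returns "% Invalid access list name".
mac access-list extended MAC_Allowed
 permit host 000e.3543.2c81 any
 permit host 0050.56c0.0001 any
 permit host 0019.b960.bbca any
 deny any any
!
interface FastEthernet0/1
 mac access-group MAC_Allowed in
!
! Verification (exec mode):
! show port-security interface FastEthernet0/1
! show port-security address
! show access-lists MAC_Allowed
```

Port-security is the more reliable of the two for this purpose: it counts and checks every source MAC regardless of the frame's upper-layer protocol, and "show port-security address" lets you confirm exactly which addresses are bound to the port. Before relying on the MAC ACL alone, check your platform's documentation, because on a number of Catalyst models a port MAC ACL filters only non-IP frames.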
05-01-2007 10:23 AM
Thank you very much. It's working.
12-08-2021 08:03 AM
I have the same issue. My ISR4300 does not support port-security on the switch module. I see access-list 700+ as the only option. Need to make it work on an interface.
10-15-2019 07:24 PM
It doesn't seem that my router will support extended access lists past 199, which is why I wound up with that same error.