Blocking Certain MAC Addresses

Answered Question
Aug 12th, 2007

Is it possible on a switch to PREVENT certain MAC addresses from connecting to a port ? I am aware that with commands such as :-

switchport port-security

switchport mode access

switchport port-security mac-address xxxx.yyyy.zzzz

switchport port-security mac-address sticky

switchport port-security maximum max

switchport port-security violation { protect | restrict | shutdown }

it is possible to allow only certain MAC addresses to connect to the port. However are there any commands which can EXCLUDE some particular MAC address, (without having to follow the above approach of defining all the allowed MAC addresses) ?

I have this problem too.
0 votes
Correct Answer by JORGE RODRIGUEZ about 9 years 4 months ago

Go to this link and refere to MAC ACL,


mac access-list extended MACs-allowed

permit host xxxx.xxxx.xxxx any

int fa0/1

mac access-group MACs-allowed in

int fa0/2

mac access-group MACs-allowed in



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4 (2 ratings)
ankbhasi Sun, 08/12/2007 - 07:28

Hi Friend,

Mac Acl can be used only to restrict non ip traffic. As far as your requirement goes I believe port securty is the best option.



JORGE RODRIGUEZ Sun, 08/12/2007 - 08:48

Rossua, I have to agree with this case your best bet is port security, I am not aware of a way to exclude some mac address in port security. In this case the MAC access list woul be for non-ip traffic,

e.g. bridging would be an example of applying the mac acl.


This Discussion