Blocking Certain MAC Addresses

Answered Question
Aug 12th, 2007

Is it possible on a switch to PREVENT certain MAC addresses from connecting to a port? I am aware that with commands such as:

    switchport port-security
    switchport mode access
    switchport port-security mac-address xxxx.yyyy.zzzz
    switchport port-security mac-address sticky
    switchport port-security maximum max
    switchport port-security violation { protect | restrict | shutdown }

it is possible to allow only certain MAC addresses to connect to the port. However, are there any commands which can EXCLUDE some particular MAC address (without having to follow the above approach of defining all the allowed MAC addresses)?

Correct Answer by JORGE RODRIGUEZ about 9 years 11 months ago

Go to this link and refer to MAC ACL,


    mac access-list extended MACs-allowed
     permit host xxxx.xxxx.xxxx any

    int fa0/1
     mac access-group MACs-allowed in

    int fa0/2
     mac access-group MACs-allowed in



Overall Rating: 4 (2 ratings)
ankbhasi (Cisco Employee) Sun, 08/12/2007 - 07:28

Hi Friend,

MAC ACL can be used only to restrict non-IP traffic. As far as your requirement goes, I believe port security is the best option.



JORGE RODRIGUEZ Sun, 08/12/2007 - 08:48

Rossua, I have to agree: in this case your best bet is port security. I am not aware of a way to exclude some MAC address in port security. In this case the MAC access list would be for non-IP traffic, e.g. bridging would be an example of applying the MAC ACL.
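
The exclusion form of the MAC ACL from the accepted answer, as an added example that is not from any poster in this thread; the ACL name MACs-blocked, the address 0000.1111.2222 and VLAN 10 are constructed placeholders. It also shows unicast MAC filtering with a static drop entry, a feature the thread does not mention and that is assumed here to be supported by the platform and IOS release (older releases spell the command mac-address-table).

```cisco
! Deny-list MAC ACL: drop frames sourced from one address, allow the rest.
! As noted in the replies, a MAC ACL matches non-IP traffic only,
! so this alone does not keep an IP host off the port.
mac access-list extended MACs-blocked
 deny   host 0000.1111.2222 any
 permit any any
!
interface FastEthernet0/1
 switchport mode access
 mac access-group MACs-blocked in
!
! Unicast MAC filtering (assumption: the platform supports it): the switch
! drops frames with this source or destination MAC in the given VLAN,
! IP traffic included.
mac address-table static 0000.1111.2222 vlan 10 drop
```

A MAC address is trivially changed on the client, so either form blocks a known device rather than a determined user; the port-security allow-list from the question remains the stricter control.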

