filtering mac on switch

Unanswered Question
Jun 3rd, 2008

Hi everyone,

I have two switches for two separate depts. I would like to configure MAC address filtering on the switch so that users cannot communicate with each other. Can someone help with a configuration guide?

Pravin Phadte Tue, 06/03/2008 - 03:46


Not sure, but I know two ways in which this can be done.

1] access-list ranges 700-799 and 1100-1199 are reserved for MAC addresses.

It would go something like:

access-list 701 deny abcd.abcd.abcd 0000.0000.0000

access-list 701 permit 0000.0000.0000 ffff.ffff.ffff

2] Port security.

Switch# config t

Switch(config)# int fa0/18

Switch(config-if)# switchport port-security ?

aging Port-security aging commands

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

Switch(config-if)# switchport port-security


Hope this helps.
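
As an added example (not part of the original thread or Cisco's own documentation), here is how the two mechanisms above look in a named-ACL form on a Catalyst 2960/3560-class switch running IOS, with the show commands used to verify them. MAC addresses, interface numbers and the ACL name are constructed placeholders.

```cisco
! Added example (not from the original thread): a named MAC ACL plus port
! security on a Catalyst 2960/3560-class IOS switch. MAC addresses,
! interface numbers and the ACL name are constructed placeholders.
!
! 1] Named MAC ACL: drop frames between two stations, allow everything else.
!    Caveat (raised later in this thread): on many Catalyst platforms a MAC
!    ACL on a Layer 2 port matches only non-IP traffic (IPX, AppleTalk, ...),
!    so IP hosts are not separated by it. Check the platform before relying on it.
mac access-list extended BLOCK-HOST-A-TO-B
 deny   host 0000.1111.aaaa host 0000.2222.bbbb
 deny   host 0000.2222.bbbb host 0000.1111.aaaa
 permit any any
!
interface FastEthernet0/18
 switchport mode access
 mac access-group BLOCK-HOST-A-TO-B in
!
! 2] Port security: allow one learned ("sticky") source MAC on the port and
!    drop frames from any other source MAC. This controls which station may
!    use the port; it does not by itself stop two permitted stations talking.
!    "violation restrict" drops the offending frames, logs and sends a trap,
!    but leaves the port up (unlike the default "shutdown").
interface FastEthernet0/19
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
!
! Verification
! show mac access-group interface FastEthernet0/18
! show port-security interface FastEthernet0/19
! show port-security address
```

The sticky address is written into the running configuration once learned, so it survives a link flap; save the configuration if it should survive a reload as well.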



fherlan Tue, 06/03/2008 - 03:55


I personally think that maintaining MAC ACLs could be quite challenging.

If I understand you right, you just don't want communication between clients on the same switch e.g. to suppress P2P applications?

In that case (and depending on your switches) "protected ports" or "private VLANs" would also do the trick.

I am using protected ports on 2960s and I like it. :-)

Best regards
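
As an added example (not part of the original thread), the protected-port configuration described above on a Catalyst 2960-class switch, including the one caveat a practitioner should know before choosing it. Interface numbers are constructed placeholders.

```cisco
! Added example (not from the original thread): protected ports on a
! Catalyst 2960-class IOS switch. Interface numbers are constructed.
!
! A protected port never forwards unicast, multicast or broadcast frames to
! another protected port on the SAME switch; it still forwards to unprotected
! ports, so clients keep reaching the gateway/servers through the uplink.
!
! Caveat: protection is local to one switch. Two protected ports on different
! switches joined by a trunk can still reach each other. When the isolation
! must span switches, use private VLANs where the platform supports them.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport protected
!
! Uplink stays unprotected so client traffic to the router/servers passes.
interface GigabitEthernet0/1
 switchport mode trunk
!
! Verification: the switchport output should show "Protected: true".
! show interfaces FastEthernet0/1 switchport
```

Because there is no ACL to maintain, this needs no per-host changes when machines are replaced, which is the maintenance burden the MAC-ACL approach carries.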


Ryan Carretta Wed, 06/04/2008 - 23:49

Why don't you just put these users into two different VLANs with different IP address ranges and use an access-list? I think that is the best solution, given that they are in different departments anyhow.

MAC access-lists are not a scalable solution, and on top of that, on some platforms may just not work at all. Depending on the platform, a MAC access list will *ONLY* match traffic that is not IP or IPv6 (appletalk, DECnet, IPX, etc. etc.)
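
As an added example (not part of the original thread), the VLAN-plus-IP-ACL design suggested above on a Layer 3 Catalyst switch. It assumes inter-VLAN routing is done on the switch itself (on a router-on-a-stick the same ACLs go on the subinterfaces). VLAN numbers, names, subnets and port ranges are constructed placeholders.

```cisco
! Added example (not from the original thread): one VLAN per department with
! an IP ACL between them on a Layer 3 IOS switch. VLAN numbers, names,
! subnets and port ranges are constructed placeholders.
vlan 10
 name DEPT-A
vlan 20
 name DEPT-B
!
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport access vlan 10
interface range FastEthernet0/13 - 24
 switchport mode access
 switchport access vlan 20
!
! Inter-VLAN routing on the switch; each SVI is the department's gateway.
ip routing
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Deny traffic between the two department subnets, permit everything else
! (Internet, shared servers). "in" on an SVI matches packets arriving from
! hosts in that VLAN, so each department is filtered at its own gateway.
ip access-list extended DEPT-A-IN
 deny   ip 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 permit ip any any
ip access-list extended DEPT-B-IN
 deny   ip 10.10.20.0 0.0.0.255 10.10.10.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 ip access-group DEPT-A-IN in
interface Vlan20
 ip access-group DEPT-B-IN in
!
! Verification: the deny line's match counter increments when a host tries
! to reach the other department; the permit line counts everything else.
! show vlan brief
! show ip access-lists DEPT-A-IN
```

Unlike a MAC ACL, this filters IP traffic on every Catalyst platform and is keyed to the subnet rather than to individual hardware addresses, so replacing a PC needs no ACL change.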

