MAC based access control.

shukla1975
Level 1

Dear All,

I'm trying to meet some simple requirements.

1. I have a stack of 10 C3560 with 4 uplinks to my core C6500.

2. The client wants to allow a predetermined list of MACs (PCs) and give them roaming in any of the 10 switches.

3. Anybody else bringing personal laptops is not welcome.

4. Can't add any authentication server, at least as of now.

5. These 10 switches also have IP phones and WAPs.

I have tried MAC ACLs; I need to confirm which MACs I need to allow, viz. IP phones, WAPs, specific switch MACs, etc.

Tried a VACL matching a simple MAC ACL; it didn't work, though I'm working on it.

Any possible solution?

Shukla.

5 Replies

Giuseppe Larosa
Hall of Fame

Hello Shukla,

You could consider using port ACLs on the 4 uplinks on the core switches.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/vacl.html#wp1117948

Hope to help

Giuseppe

Thanks Giuseppe,

I guess my C6500 with SXF12a does not have MAC ACLs, only VACLs.

I guess I need to try my MAC ACLs on the C3560 again and work with them; my only fear was to not block any control-plane MACs which are used for STP or related switch functions.

So I need to upgrade to SXH for PACLs.

Will revert.

Shukla.

Hi All / Giuseppe,

Can I try to give static MACs in the DHCP server on the C6500 so as to reserve the DHCP pool to give IPs only to the specified MACs and not to anyone else?

Or do I need to map MAC to IP address statically to achieve granular control?

Please do let me know.

Shukla.

Hello Shukla,

In the DHCP server you can configure reservations so that a specific client with a specific MAC address will always get the same IP address from the pool.

Actually, I can do this on a Cisco Registrar DHCP server.

I think you can do something similar on the DHCP server on the C6500, but it can require a command for each client (at least).

Hope to help

Giuseppe

Hi Giuseppe,

Yes, I read in the docs that we need to create a single DHCP host pool per IP-MAC mapping; kinda tedious but fine.

I need to look into MAC ACLs now.

Thanks, and I appreciate all your writings.

Shukla.
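An added example (not from the thread, and not Cisco's own documentation) putting together the two pieces Shukla settled on: a MAC allow-list applied as a port ACL on the 3560 access ports, and one DHCP host pool per reserved IP/MAC pair on the C6500. Interface numbers, VLAN ids, IP ranges and MAC addresses are constructed placeholders.

```cisco
! Catalyst 3560 (access switch): allow-list of approved end-station MACs.
! All MAC addresses below are constructed placeholders, not real devices.
mac access-list extended APPROVED-HOSTS
 remark approved PCs
 permit host 0011.2233.4455 any
 permit host 0011.2233.4466 any
 remark IP phones and WAPs on these ports must be listed as well,
 remark otherwise the final deny drops them too
 permit host 0022.3344.5566 any
 deny   any any
!
! Apply the ACL inbound on the user-facing access ports only, not on the
! uplinks to the C6500, which keeps switch-to-switch traffic out of scope.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 mac access-group APPROVED-HOSTS in
!
! Catalyst 6500 (DHCP server): one host pool per reserved IP/MAC pair,
! as discussed in the thread. This only controls which address an
! approved MAC receives; a laptop with a static IP is not stopped by it.
ip dhcp excluded-address 10.10.10.1 10.10.10.9
!
ip dhcp pool PC-0011-2233-4455
 host 10.10.10.11 255.255.255.0
 hardware-address 0011.2233.4455
 default-router 10.10.10.1
!
ip dhcp pool PC-0011-2233-4466
 host 10.10.10.12 255.255.255.0
 hardware-address 0011.2233.4466
 default-router 10.10.10.1
```

On the Catalyst 3560 a MAC ACL applied with mac access-group filters non-IP frames, so IP traffic from an unlisted host still needs an IP ACL or another control; confirm this against the ACL chapter of the 3560 software configuration guide for the release in use. Verify the result with show mac access-group and show ip dhcp binding before rolling it out to all 10 switches.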
