Unanswered Question
Feb 28th, 2009


We are using a 3845 router in our WAN network, and on each router (LAN) interface we create 3 to 4 subinterfaces. I want to block one MAC address on the router. How could it be done? Through a MAC access list? I have created a MAC access list, but on the LAN interface there is no command to allow a MAC access list. Is it possible?

Bobby Thekkekandam Sat, 02/28/2009 - 10:45

In order to do this you will have to enable bridging on the interface to apply the access-list on. See the example below:


access-list 700 permit <48-bit hardware SOURCE address> <48-bit hardware
access-list 700 deny
access-list 700 permit 0.0.0 0.0.0 <--- Permit all

interface Ethernet0
ip access-group 700 in <--- applied inbound

Here is a sample config of what you need in the router in order to filter a mac address.

NOTE: In order to use MAC access-lists in a router you need to configure bridging. In this case it is IRB.

config t
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
int e0 (or the interface you need)
no ip address
bridge-group 1
bridge-group 1 {input-address-list 700 | output-address-list 700}
exit
int bvi1
ip address

access-list 700 deny 0000.0000.0000
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff

Depending on what else you're doing on the interface, this may or may not be a valid solution.
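
How the two access-list 700 lines in the sample config above are evaluated, as an added example that is not part of the original post: a small Python model of a 700-series MAC access list. It assumes the mask is a wildcard (set bits are ignored), an omitted mask means an exact match, and the list ends in an implicit deny; the address 0011.2233.4455 is a constructed sample.

```python
import re

# Constructed sample: block one host, then permit everything else.
SAMPLE_ACL = """
access-list 700 deny 0011.2233.4455            ! constructed blocked host
access-list 700 permit 0000.0000.0000 ffff.ffff.ffff
"""

MAC_RE = re.compile(r"[0-9a-fA-F]{1,4}(\.[0-9a-fA-F]{1,4}){2}")
ALL_BITS = 0xFFFFFFFFFFFF


def mac_to_int(mac):
    """Convert Cisco dotted-hex notation (H.H.H) to a 48-bit integer."""
    if not MAC_RE.fullmatch(mac):
        raise ValueError(f"not a dotted-hex MAC address: {mac!r}")
    value = 0
    for group in mac.split("."):
        value = (value << 16) | int(group, 16)
    return value


def parse_acl(text):
    """Parse 'access-list 7xx {permit|deny} address [mask]' lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split("!")[0].split()  # drop '!' comments
        if not fields:
            continue
        if len(fields) not in (4, 5) or fields[0] != "access-list":
            raise ValueError(f"unsupported line: {line!r}")
        if not 700 <= int(fields[1]) <= 799 or fields[2] not in ("permit", "deny"):
            raise ValueError(f"not a MAC access-list entry: {line!r}")
        # Assumption: an omitted mask means "match this exact address".
        mask = mac_to_int(fields[4]) if len(fields) == 5 else 0
        entries.append((fields[2], mac_to_int(fields[3]), mask))
    return entries


def evaluate(entries, src_mac):
    """Return the action of the first matching entry for a source MAC."""
    src = mac_to_int(src_mac)
    for action, addr, mask in entries:
        # Only bits that are 0 in the wildcard mask have to agree.
        if (src ^ addr) & ~mask & ALL_BITS == 0:
            return action
    return "deny"  # implicit deny when nothing matched
```

Dropping the final permit line from the list makes every source address fall through to the implicit deny, which is why the sample config ends with it.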

