How can i create MAC base ACL in cisco router 2800 &1800

Unanswered Question
Sep 16th, 2010
User Badges:


I want to create mac base ACl for all  users and laptop . So that I can restrict unauthorized user or laptop. MY current scenario is like :---

wireless user/Laptop ------> Access point------->Poe switch (L2)-------> WLC (wireless LAN controller )-------->Radius server ------------>AD------------> LAN

In above scenario unauthorized user can access Internet or can get some access through static IP. So i am planning to implement following because i have Cisco 2800 and Cisco 1800 router  and also due lack of budget.

wireless user/Laptop ------> Access point------->PoE switch (L2)------->Cisco router (with MAC base ACL)--------> WLC-------->Radius server ------------>AD------------> LAN

Please suggest me to resolve this issue.

Thanks & Regards,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (2 ratings)
sujitkr7cisco Sat, 09/25/2010 - 11:34
User Badges:


Sorry for late reply.

I am not able to access link , which is send by you.

Please send me another link.

gatlin007 Sat, 09/25/2010 - 13:40
User Badges:
  • Silver, 250 points or more

This may be hardware/feature set/IOS dependant.


access-list (standard-ibm)

To establish a MAC address access list, use the access-list command in global configuration mode. To remove access list, use the no form of this command.

access-list access-list-number {permit | deny} address mask

no access-list access-list-number

Syntax Description


Integer from 700 to 799 that you select for the list.


Permits the frame.


Denies the frame.

address mask

48-bit MAC addresses written as a dotted triple of four-digit hexadecimal numbers. The ones bits in the mask argument are the bits to be ignored in address.


No MAC address access lists are established.

Command Modes

Global configuration

Command History



This command was introduced.


This command was integrated into Cisco IOS Release 12.2(33)SRA.


This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Configuring bridging access lists of type 700 may cause a momentary interruption of traffic flow.


The following example assumes that you want to disallow the bridging of  Ethernet packets of all Sun workstations on Ethernet interface 1.  Software assumes that all such hosts have Ethernet addresses with the  vendor code 0800.2000.0000. The first line of the access list denies  access to all Sun workstations, and the second line permits everything  else. You then assign the access list to the input side of Ethernet  interface 1.

access-list 700 deny 0800.2000.0000 0000.00FF.FFFF
access-list 700 permit 0000.0000.0000 FFFF.FFFF.FFFF
interface ethernet 1
 bridge-group 1 input-address-list 700

Related Commands


access-list (type-code-ibm)

Builds type-code access lists.


This Discussion