cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
6361
Views
0
Helpful
5
Replies

MAC filtering

mvsheik123
Level 7
Level 7

Hi

Iam planning to enable MAC address filtering (one port on 4510 & another 3560). I want to allow only that MAC address to communicate via that port with the rest of the network and internet.

4510 has PC connected and 3560 had polycom connected.

Does the below is sufficient or Iam missing something...

*****************************************************

4510(config)# mac access-list ext Allowmac
4510(config-ext-macl)# permit host 0000.0000.0001 any    (0000.0000.0001 : Mac of the PC)
4510(config-ext-macl)# denty any any
4510(config-ext-macl)# exit

4510(config)# int g7/40
4510(config-if)# mac access-group Allowmac in

***************************************************

Same on 3560 as well.

TIA

MS

2 Accepted Solutions

Accepted Solutions

andtoth
Level 4
Level 4

Hi,

It looks fine. Just as a side note, 'deny any any' seems to have a typo there as "denty".

For more details about MAC access-lists, refer to Configuring Named MAC Extended ACLs guide on the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1051626

Also note that, there's a feature called Port Security which can also limit traffic based on the configured MAC addresses and also you can specify a maximum number of MAC addresses allowed on a port.

Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports). When a secure port exceeds the maximum, a security violation is triggered, and a violation action is performed based on the violation action mode configured on the port.

If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to the secure port is assured sole access to the port.

Configuring Port Security

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/port_sec.html

Andras

View solution in original post

vragotha
Level 3
Level 3

I believe you may want to look at Port Security unless I understood your requirement wrong

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/port_sec.html

View solution in original post

5 Replies 5

andtoth
Level 4
Level 4

Hi,

It looks fine. Just as a side note, 'deny any any' seems to have a typo there as "denty".

For more details about MAC access-lists, refer to Configuring Named MAC Extended ACLs guide on the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1051626

Also note that, there's a feature called Port Security which can also limit traffic based on the configured MAC addresses and also you can specify a maximum number of MAC addresses allowed on a port.

Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports). When a secure port exceeds the maximum, a security violation is triggered, and a violation action is performed based on the violation action mode configured on the port.

If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to the secure port is assured sole access to the port.

Configuring Port Security

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/port_sec.html

Andras

vragotha
Level 3
Level 3

I believe you may want to look at Port Security unless I understood your requirement wrong

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/port_sec.html

Thanks both.. I went with port security.

Hi Experts,

I have 4506E-6L-E core switch. this core switches is connected with unmanagable hubs / Layer-2 in remote buildings. For example Buliding-1 is connected with 4506 port number gi 2/1 then i want to allow 50 MAC address on that port and rest of the MAC address should be blocked. please keep this in mind that port security with MAC limit is fine but if MAC limit will be exceeded or unknown make will be learned then port action is not good. because if my aciton will protect then unwanted users still can communicate and if my action will be shutdown then all users will be down on that port alongwith that one.

I want to restrict all users except allowed MAC address on that port / vlan while port is connected with hubs / un-managable switches.

thanks

Rizwan Haider

I think you should separate users at access layer, the ones you want to allow put them into a vlan and another group that you want to deny put them into another vlan and stop the vlan from crossing the trunk links to your core.

Hope this helps

Eugen

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: