MAC filtering

Answered Question
Oct 28th, 2010

Hi

I am planning to enable MAC address filtering (one port on a 4510 and another on a 3560). I want to allow only that MAC address to communicate via that port with the rest of the network and the internet.

The 4510 has a PC connected and the 3560 has a Polycom connected.

Is the below sufficient, or am I missing something...

*****************************************************

4510(config)# mac access-list ext Allowmac
4510(config-ext-macl)# permit host 0000.0000.0001 any    (0000.0000.0001 : Mac of the PC)
4510(config-ext-macl)# denty any any
4510(config-ext-macl)# exit

4510(config)# int g7/40
4510(config-if)# mac access-group Allowmac in

***************************************************

Same on 3560 as well.

TIA

MS

Correct Answer by vragotha about 3 years 5 months ago

I believe you may want to look at Port Security unless I understood your requirement wrong

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/port_sec.html

Correct Answer by andtoth about 3 years 5 months ago

Hi,

It looks fine. Just as a side note, 'deny any any' seems to have a typo there as "denty".

For more details about MAC access-lists, refer to Configuring Named MAC Extended ACLs guide on the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1051626

Also note that there's a feature called Port Security which can also limit traffic based on the configured MAC addresses, and you can also specify a maximum number of MAC addresses allowed on a port.

Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports). When a secure port exceeds the maximum, a security violation is triggered, and a violation action is performed based on the violation action mode configured on the port.

If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to the secure port is assured sole access to the port.

Configuring Port Security

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/port_sec.html

Andras


haider.rizwan Thu, 02/02/2012 - 21:33

Hi Experts,

I have a 4506E-6L-E core switch. This core switch is connected to unmanageable hubs / Layer-2 switches in remote buildings. For example, Building-1 is connected to 4506 port gi 2/1; I want to allow 50 MAC addresses on that port and the rest of the MAC addresses should be blocked. Please keep in mind that port security with a MAC limit is fine, but if the MAC limit is exceeded or an unknown MAC is learned then the port action is not good, because if my action is protect then unwanted users can still communicate, and if my action is shutdown then all users will be down on that port along with that one.

I want to restrict all users except the allowed MAC addresses on that port / VLAN while the port is connected to hubs / unmanageable switches.

thanks

Rizwan Haider

ebarticel Thu, 02/02/2012 - 22:16

I think you should separate users at the access layer: put the ones you want to allow into a VLAN and the group you want to deny into another VLAN, and stop that VLAN from crossing the trunk links to your core.

Hope this helps

Eugen
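The port-security approach andtoth and vragotha point to, written out for both cases raised in this thread (the single PC port on the 4510 in the original question, and the hub-facing port gi 2/1 on the 4506 in Rizwan's follow-up), as an added example that is not from any poster or from the Cisco guides linked above. Interface names are the ones mentioned in the thread; the MAC addresses are constructed placeholders, and the static entries on the hub port are assumed to be known in advance:

```cisco
! Added example (not from the thread or Cisco documentation).
! MAC addresses below are constructed placeholders.
!
! --- 4510: PC port, exactly one permitted host ---
interface GigabitEthernet7/40
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 switchport port-security violation restrict
!
! --- 4506: hub-facing port, up to 50 known hosts, unknown sources dropped ---
! One mac-address line per allowed host (two shown; the rest follow the same form).
interface GigabitEthernet2/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address 0000.0000.00aa
 switchport port-security mac-address 0000.0000.00ab
 switchport port-security violation restrict
!
! Optional: let ports that were err-disabled by a violation recover on their own.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification: violation counter, configured/learned secure addresses, port state.
show port-security interface GigabitEthernet7/40
show port-security interface GigabitEthernet2/1
show port-security address
```

The violation mode is the part that matters for the hub scenario: with `restrict`, frames from a source MAC that is not in the secure list are dropped while the port stays up for the permitted hosts, and each violation increments the counter shown by `show port-security interface` and generates a syslog message (and an SNMP trap if traps are enabled), so unknown devices become visible in logs. `shutdown` err-disables the whole port, which is the behaviour Rizwan wants to avoid on a shared port, and `protect` drops the same frames as `restrict` but without logging. If the 50 addresses are not known up front, `switchport port-security mac-address sticky` learns them dynamically and writes them into the running configuration, which should then be saved.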

Posted October 28, 2010 at 1:36 PM