Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

filtering mac on switch

Hi everyone,

i have a two switches for two seperate depts,i would like to configure mac address filtering on the switch so that users cannot communicate with each other.can someone help with configuration guide.

4 REPLIES

Re: filtering mac on switch

Hi,

Not sure but i know two ways in which this can be done.

1] access-list ranges 700-799 and 1100-1199 are reserved for MAC addresses.

it would go something like;

access-list 701 deny abcd.abcd.abcd 0000.0000.0000

access-list 701 permit 0000.0000.0000 ffff.ffff.ffff

2] Port security.

Switch)# config t

Switch(config)# int fa0/18

Switch(config-if)# switchport port-security ?

aging Port-security aging commands

mac-address Secure mac address

maximum Max secure addresses

violation Security violation mode

Switch(config-if)# switchport port-security

Switch(config-if)#^Z

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_6_ea2c/configuration/guide/swgports.html#wp1043892

http://articles.techrepublic.com.com/5100-10878_11-6123047.html

Hope this helps.

Regards,

Pravin

New Member

Re: filtering mac on switch

Hello.

I personally think that maintaining MAC ACLs could be quite challenging.

If I understand you right, you just don't want communiction between clients on the same switch e.g. to suppress P2P applications?

In that case (and depending on your switches) "protected ports" or "privat VLANs" would also do the trick.

I am using protected ports on 2960s and I like it. :-)

Best regards

Frank

Bronze

Re: filtering mac on switch

I would use private VLANs. This will provide isolation for your switchports. Check out the config guide below.

Please rate if helpful

http://www.cisco.com/en/US/tech/tk389/tk814/technologies_configuration_example09186a008017acad.shtml

Re: filtering mac on switch

Why don't you just put these users into two different vlans with different IP address ranges and use an access-list? I think that is the best solution, given that they are in different departments anyhow.

MAC access-lists are not a scalable solution, and on top of that, on some platforms may just not work at all. Depending on the platform, a MAC access list will *ONLY* match traffic that is not IP or IPv6 (appletalk, DECnet, IPX, etc. etc.)

147
Views
0
Helpful
4
Replies
CreatePlease to create content