Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

deny Layer 2 traffic

Dear Cisco-ers,

I've been asked to deny any unauthorized Layer 2 traffic at my office. So, if any unlisted MAC Address is accessing our traffic.

I do this on the switch level right? Now I'm confused about the method i'm using. Should I use switchport security? (i've presented this to my boss and he said it's not effective). what is effective switchport security...

OR should I use Mac address access-list?

Please enlight


Hall of Fame Super Blue

Re: deny Layer 2 traffic


Well that is a bit of an open ended request.

You could use port-security and manually code each port with the relevant mac-address but this is an admin nightmare.

You could look into mac-address authentication using a radius server so you then just need to keep a list of allowed mac-addresses on your network. Easier than first but still a large admin overhead.

You could go the whole hog and do user based dot1x authentication on the switches so only authenticated users can get onto the network.

What exactly is your boss worried about ?


New Member

Re: deny Layer 2 traffic

well, my IT Manager is worried about various guests from my big-director carrying their own notebooks and he's afraid the guests are accessing to our company's data and all.

So, what do you suggest? dot1x or Radius? and what do I require to obtain those needs?

well, i've predicted this is some kind of a complicated work, but.. as long as I get paid, right :)

Hall of Fame Super Blue

Re: deny Layer 2 traffic


Well if you are worried about guest connecting in their own laptops to your network then you will need to look at 802.1x authentication, whether it be mac-address authentication or user based authentication.

You will need a radius server, cisco version is the ACS server but Microsoft also comes with a free one called IAS.

What switches do you have ? You can search on Cisco site with the switch type and 802.1x

eg "3550 configuration 802.1x" and this sould bring up some docs that will get you started.



New Member

Re: deny Layer 2 traffic

Well, I used the ol' 2950, which I believe don't come along with 802.1x

so, the point is if I dont use a 802.1x capabled switch, I can't use 802.1x feature?

I have a Linksys SRW224P and it includes a 802.1x. can i use it? is it compatible with Cisco switches?

Re: deny Layer 2 traffic

To implement 802.1x you will need 802.1x compatible switches.

I've played with 802.1x authentication on a wired Lan and there are a few other things you will need to check.

First off all clients must be Win 2k or XP or you will need to obtain additional software to get them to authenticate.

Mac OS X and most Linux distributions support 802.1x but are not easy to configure.

Microsoft IAS is fine, but if you want the authentication to be secure, you will need to use TLS and install a certificate on your radius server and put in place mechanisms to get that cert trusted on your clients.

You might suggest policy and educating your users is a more cost effective and efficient solution.

Write a network policy that forbids the use of non business equipment on the business network and then get it signed off by the director and enforce it.

New Member

Re: deny Layer 2 traffic


I want to implement the same solution

MAC address authentication via Microsoft IAS

Do you have any document to help me in this configuration ?



Cisco Employee

Re: deny Layer 2 traffic

What is the IOS and exact model number of 2950's you are using. Paste the " show version " from the 2950.

-amit singh

New Member

Re: deny Layer 2 traffic

Sorry wrong version its 2924:

Cisco Internetwork Operating System Software

IOS (tm) C2900XL Software (C2900XL-C3H2S-M), Version 12.0(5)WC10, RELEASE SOFTWARE (fc1)

cisco WS-C2924M-XL (PowerPC403GA) processor (revision 0x11) with 8192K/1024K bytes of memory.

what is Radius server? and am I building the server like the usual Windows 2003 server?