lock vlan with mac address

anirudh.wna
Level 1

Hi,

We are using a 3750 switch. We have three VLANs and we want to allow only the MAC addresses of our user PCs in the respective VLANs. So far we have not done this. Is there a way to import all the users' MAC addresses in one shot, as we have hundreds of users? Do I just create a MAC extended access list and apply it to an interface? Please help me out. Thanks.

6 Replies

Wilson Bonilla
Level 3

Hi

So I understand you have 3 VLANs, and you have the 3750 switchports configured as access ports; some switchports belong to VLAN x, others to VLAN y and others to VLAN z.

I think this configuration should work.

stack(config-if)#do sh run inter gig 2/3/4
Building configuration...

interface GigabitEthernet2/3/4
 switchport
 switchport mode access
 switchport access vlan x
 switchport port-security <=== Enables port-security
 switchport port-security mac-address sticky <=== the port will learn only one MAC address, the first one seen through that port.
 switchport port-security violation restrict
 shutdown
end

Regards.

Wilson B
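
One way to handle hundreds of PCs with the port-security approach in the reply above, as an added example that is not part of the original thread: a Python script that turns an inventory CSV into per-port configuration for pasting into the switch. It uses static secure MAC entries (`switchport port-security mac-address H.H.H` with `maximum 1`) instead of sticky learning; the CSV layout, interface names, VLAN numbers and MAC addresses are constructed sample values.

```python
import csv
import io
import re

# Constructed sample inventory (port, VLAN, MAC); not data from the thread.
SAMPLE_INVENTORY = """port,vlan,mac
GigabitEthernet1/0/1,10,00:1A:2B:3C:4D:5E
GigabitEthernet1/0/2,20,00-1a-2b-3c-4d-5f
GigabitEthernet1/0/3,30,001a.2b3c.4d60
GigabitEthernet1/0/4,10,00:1A:2B:3C:4D
GigabitEthernet1/0/5,10,00:1A:2B:3C:4D:5E
"""

def to_cisco_mac(raw):
    """Normalize a MAC in any common notation to IOS dotted form (H.H.H)."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {raw!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_config(inventory_csv):
    """Return (config_text, rejected_rows) for a port,vlan,mac CSV."""
    lines, rejected, seen = [], [], {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        port = row["port"].strip()
        try:
            mac = to_cisco_mac(row["mac"])
            vlan = int(row["vlan"])
            # Inventory sanity check: the same MAC listed twice in one VLAN.
            if (vlan, mac) in seen:
                raise ValueError(f"{mac} already listed on {seen[(vlan, mac)]}")
        except ValueError as exc:
            rejected.append((port, str(exc)))  # report, do not emit config
            continue
        seen[(vlan, mac)] = port
        lines += [
            f"interface {port}",
            " switchport mode access",
            f" switchport access vlan {vlan}",
            " switchport port-security",
            " switchport port-security maximum 1",
            f" switchport port-security mac-address {mac}",
            " switchport port-security violation restrict",
            "!",
        ]
    return "\n".join(lines), rejected

if __name__ == "__main__":
    print(build_config(SAMPLE_INVENTORY)[0])
```

Rows that fail validation come back in the second return value with the reason, so a truncated or duplicated address is reviewed by hand instead of being pushed to a port.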

Thanks for the reply, Wilson. We have three VLANs configured on an L3 3750 switch which spans across six L2 2960 switches. We want to provide access only to the respective users in their respective VLANs. We want to have a MAC access list configured for this. Is there a way to import an access list in Cisco? Because once we create the access list, we will have to add hundreds of users. And is it enough if the access list is applied to the trunk ports in the L3 switch?

Hi Aniruddha

It says: "We want to provide access only to the respective users in their respective vlans only"

Why would you like to configure a MAC access list? Why don't you just configure a regular access list and deny traffic from one broadcast domain to another, and then permit everything else?

Another path is to configure private VLANs, and configure those 3 VLANs on the layer 3 switches as community VLANs.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swpvlan.html

Btw, I don't know of any method to import MAC addresses.

Regards.

Wilson B.

I am sorry for not making myself clear. Actually, we do not want any of the users to connect any of their other devices, like laptops or anything else, to the network. It's a security measure that we were trying to implement as a part of the company policies.

Hi,

MAC ACLs won't work as they will only filter non-IP traffic.

The best way to achieve what you want is to use 802.1x with a RADIUS server and use MAB.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/config_guide_c17-663759.html

Regards

Alain

Don't forget to rate helpful posts.


Thanks a lot. I will surely go through the link.
