Cisco Support Community

New Member

Mac id based restriction in Layer 3 switch?

Hi,

I have a Cisco 3560 layer 3 switch where I have 5 VLANs. I have edge switches placed for each VLAN for connecting the computers/laptops. A DHCP server in one of the VLANs serves a dynamic IP if a user connects a laptop/computer to one of the ports in the layer 2 edge switch.

My requirement is to restrict any outside user with a laptop from entering our network by just plugging a cable to the L2 edge switch.

Is it possible to say a rule in L3 switch giving access for computers/laptops whose mac-id's are already defined in the L3? If so, how do I do it?

Thanks for any response,

- Ribin

6 REPLIES
New Member

Re: Mac id based restriction in Layer 3 switch?

You have to know all the allowed mac-addresses. Then you can do an ACL or port security to filter out unwanted MAC addresses.

New Member

Re: Mac id based restriction in Layer 3 switch?

Hi,

Yes..I have all the mac-id's list. How can I do it? Can you guide me with the config?

Note: The computers/laptops will not be connected directly to the Layer 3 switch; they will be connected to a layer 2 switch which comes under the Layer 3 switch. Will this be a problem?

- Ribin

New Member

Re: Mac id based restriction in Layer 3 switch?

Doesn't matter, you will do the filtering on your switches, specifically on the ports in question. If it's all of them, create the ACL and issue the int range xxxx to apply that access-group on all your ports.

This should do it IF you know all the mac addresses that you want to allow:

sw(config)# mac access-list extended MAC_ADDRESS
sw(config-ext-macl)# permit host <allowed-mac-1> any
sw(config-ext-macl)# permit host <allowed-mac-2> any
sw(config-ext-macl)# permit host <allowed-mac-3> any
sw(config-ext-macl)# permit host <allowed-mac-4> any
sw(config-ext-macl)# exit
sw(config)# int g1/0/40
sw(config-if)# mac access-group MAC_ADDRESS in


From here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1289037

"After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security."
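The allow-list filtering asked about in the original question and sketched in the reply above, as an added Python model that is not code from the thread or from Cisco: it normalises a constructed MAC list into the dotted H.H.H form IOS expects, emits the named MAC ACL, and evaluates sample source MACs with first-match semantics, the implicit deny at the end, and the "undefined ACL permits all packets" behaviour the quoted documentation warns about. The MAC values and the ACL name MAC_ADDRESS are assumptions.

```python
import re

# Constructed allow-list (assumption: the thread's real MAC list is not on the page).
# The last entry duplicates the first on purpose, to show de-duplication.
ALLOWED_MACS = ["00:11:22:33:44:55", "0011.2233.4466", "00-11-22-33-44-77",
                "00:11:22:33:44:55"]

# Caveat from the Catalyst 3560/3750 ACL guide: a MAC ACL applied to a Layer 2
# port filters non-IP traffic only, so for IP hosts port security (mentioned in
# the first reply) is the usual control for this requirement.


def to_cisco_mac(mac: str) -> str:
    """Normalise colon, dash or dotted notation to the H.H.H form IOS expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_mac_acl(name: str, macs: list[str]) -> list[str]:
    """Return the IOS lines for a named MAC extended ACL that permits only
    frames sourced from the given MACs; IOS appends an implicit 'deny any any'."""
    lines = [f"mac access-list extended {name}"]
    for mac in dict.fromkeys(to_cisco_mac(m) for m in macs):  # dedupe, keep order
        lines.append(f" permit host {mac} any")
    return lines


def acl_permits(acl_lines: list[str], src_mac: str, defined: bool = True) -> bool:
    """Model the inbound check the quoted document describes: first matching
    entry wins, anything unmatched is dropped, and an access-group that names
    an ACL which was never defined permits every frame."""
    if not defined:
        return True
    src = to_cisco_mac(src_mac)
    for entry in acl_lines[1:]:
        action, _, host, _ = entry.split()
        if host == src:
            return action == "permit"
    return False  # implicit deny at the end of the ACL


if __name__ == "__main__":
    acl = build_mac_acl("MAC_ADDRESS", ALLOWED_MACS)
    print("\n".join(acl))
    for mac in ("00-11-22-33-44-66", "aa:bb:cc:dd:ee:ff"):
        print(mac, "->", "permit" if acl_permits(acl, mac) else "deny")
    # A mistyped name in 'mac access-group' points at an ACL the switch has no
    # definition for, and then everything is permitted, silently.
    print("undefined ACL ->", acl_permits(acl, "aa:bb:cc:dd:ee:ff", defined=False))
```

Checking `show mac access-group interface` against the ACL name in `show access-lists` after applying it catches the undefined-name case on a real switch.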

New Member

Re: Mac id based restriction in Layer 3 switch?

Thanks, I will give it a try.

In the config you provided,

sw(config)# mac access-list extended MAC_ADDRESS

you have used the acl name as "MAC_ADDRESS", but

sw(config)# int g1/0/40
sw(config-if)# mac access-group filtermac in

I guess it is "MAC_ADDRESS" and not filtermac. Am I right?

- Ribin

New Member

Re: Mac id based restriction in Layer 3 switch?

You are correct.  I edited my post to not confuse anyone.

New Member

Re: Mac id based restriction in Layer 3 switch?

Thanks

- Ribin
