MAC ID-based restriction in Layer 3 switch?

ribin.jones
Level 1

Hi,

I have a Cisco 3560 layer 3 switch where I have 5 VLANs. I have edge switches placed for each VLAN for connecting the computers/laptops. A DHCP server in one of the VLANs serves a dynamic IP if a user connects a laptop/computer to one of the ports in the layer 2 edge switch.

My requirement is to restrict any outside user with a laptop from entering our network by just plugging a cable to the L2 edge switch.

Is it possible to set a rule in the L3 switch giving access only to computers/laptops whose MAC IDs are already defined in the L3? If so, how do I do it?

Thanks for any response,

- Ribin

6 Replies

the-lebowski
Level 4

You have to know all the allowed MAC addresses, then you can do an ACL or port security to filter out unwanted MAC addresses.

Hi,

Yes, I have the list of all the MAC IDs. How can I do it? Can you guide me with the config?

Note: the computers/laptops will not be connected directly to the Layer 3 switch; they will be connected to a layer 2 switch which comes under the Layer 3 switch. Will this be a problem?

- Ribin

Doesn't matter, you will do the filtering on your switches, specifically on the ports in question. If it's all of them, create the ACL and issue the int range xxxx to apply that access-group on all your ports.

This should do it IF you know all the mac addresses that you want to allow:

sw(config)# mac access-list extended MAC_ADDRESS
sw(config-ext-macl)# permit host any
sw(config-ext-macl)# permit host any
sw(config-ext-macl)# permit host any

sw(config-ext-macl)# permit host any
sw(config-ext-macl)# exit
sw(config)# int g1/0/40
sw(config-if)# mac access-group MAC_ADDRESS in


From here: http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_25_see/configuration/guide/swacl.html#wp1289037

"After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security."
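The ACL above is typed by hand, one permit line per address, which is where typos and stale entries creep in once the allowlist grows. The Python below is an added example, not code from the thread or from Cisco: it normalises the usual MAC spellings (colon, dash, dotted, bare hex) into the IOS dotted form, generates the MAC_ADDRESS access list and the port-security equivalent from one allowlist, and audits a "show mac address-table" dump for dynamically learned addresses that are not on the list. One thing worth knowing before relying on the ACL alone: the linked Catalyst 3560/3750 guide describes named MAC extended ACLs as a way to filter non-IPv4 traffic, so port security, which the-lebowski also mentioned, is the mechanism that actually pins IP hosts to an edge port; and either way a MAC allowlist only screens for unfamiliar addresses, since the address is set by the host. The interface name, the MAC addresses and the show output in the block are constructed placeholders.

```python
"""Build a Cisco IOS MAC allowlist (MAC ACL and port security) from a list
of addresses and audit a 'show mac address-table' dump against it.
Added example; all interface names, MAC addresses and the sample show
output are constructed placeholders, not values from the thread."""
import re

# Twelve hex digits once the separators of the common spellings are removed:
# 00:11:22:33:44:55, 00-11-22-33-44-55, 0011.2233.4455 or 001122334455.
_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the address in IOS dotted form (hhhh.hhhh.hhhh); raise ValueError otherwise."""
    digits = re.sub(r"[:.\-\s]", "", mac.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_mac_acl(name: str, macs) -> list:
    """IOS lines for an extended MAC ACL permitting only the given source addresses.
    IOS ends every ACL with an implicit deny; it is written out here so the intent
    is visible in the running config."""
    allowed = sorted({normalize_mac(m) for m in macs})  # dedupe, stable order
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {m} any" for m in allowed]
    lines.append(" deny any any")
    return lines


def build_port_security(interface: str, macs, violation: str = "restrict") -> list:
    """Per-port allowlist with port security: only the listed addresses may source
    frames on the port. 'maximum' equals the list length so no extra address can be
    learned dynamically; 'restrict' drops offending frames and raises a violation
    counter/log instead of err-disabling the port."""
    allowed = sorted({normalize_mac(m) for m in macs})
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {len(allowed)}",
        f" switchport port-security violation {violation}",
    ]
    lines += [f" switchport port-security mac-address {m}" for m in allowed]
    return lines


# One data row of 'show mac address-table': VLAN, MAC, type, port.
_MAC_TABLE_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def audit_mac_table(show_output: str, macs) -> list:
    """Return (vlan, mac, port) for every DYNAMIC entry not on the allowlist.
    Header, separator and 'Total ...' lines do not match the row pattern and are skipped."""
    allowed = {normalize_mac(m) for m in macs}
    unknown = []
    for line in show_output.splitlines():
        row = _MAC_TABLE_ROW.match(line)
        if not row:
            continue
        vlan, mac, mtype, port = row.groups()
        if mtype.upper() == "DYNAMIC" and mac.lower() not in allowed:
            unknown.append((int(vlan), mac.lower(), port))
    return unknown


# Constructed allowlist in three different spellings, and a constructed show dump.
ALLOWED_MACS = ["00:11:22:33:44:55", "00-11-22-33-44-66", "0011.2233.4477"]

SAMPLE_SHOW_MAC = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4466    DYNAMIC     Gi1/0/2
  20    aaaa.bbbb.cccc    DYNAMIC     Gi1/0/7
  20    0011.2233.4477    STATIC      Gi1/0/3
Total Mac Addresses for this criterion: 4
"""

if __name__ == "__main__":
    print("\n".join(build_mac_acl("MAC_ADDRESS", ALLOWED_MACS)))
    print("\n".join(build_port_security("GigabitEthernet1/0/40", ALLOWED_MACS)))
    for vlan, mac, port in audit_mac_table(SAMPLE_SHOW_MAC, ALLOWED_MACS):
        print(f"unknown MAC {mac} on {port} (VLAN {vlan})")
```

Paste the generated ACL block into config mode and apply it with "mac access-group MAC_ADDRESS in" on the edge ports as in the post above, or use the port-security block on each access port; the audit function is the part to run periodically, since it reports the addresses that appeared on your edge ports without being on the list.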

ribin.jones
Level 1

Thanks, I will give it a try.

In the config you provided,

sw(config)# mac access-list extended MAC_ADDRESS

you have used the acl name as "MAC_ADDRESS", but

sw(config)# int g1/0/40
sw(config-if)# mac access-group filtermac in

I guess it is "MAC_ADDRESS" and not filtermac. Am I right?

- Ribin

You are correct.  I edited my post to not confuse anyone.

Thanks

- Ribin
