Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member

filter IP packet base on MAC address


I have studied the document for Catalyst6500 :

the IP traffic and IPX traffic are not access controlled by MAC VACLs. All other traffic types (AppleTalk, DECnet, and so on) are classified as MAC traffic and MAC VACLs are used to access control this traffic.

Can I have any other method to control IP packets based on MAC address? ( permit IP packets by authorized MAC address, deny others ), have any sizing limit? ( my customer have more than 3000 PCs )

Best Regards,

Jackson Ku

Cisco Employee

Re: filter IP packet base on MAC address

The documentation is correct, you cannot apply MAC based ACLs to IP traffic on the Cat6k. You could try using port security to restrict which mac is allowed on a specific port.

Community Member

Re: filter IP packet base on MAC address

port security is a good solution, but we must implement at each edge switch, my customer really need a solution that can centrally restricted unauthorized MAC address to access network, only known & authorized MAC address can access to network?

Best Regards,


Re: filter IP packet base on MAC address

Maybe you could use secure VMPS:

It is centralized. You could set it up to where if the MAC detected on the port is not in the VLAN-MAC database, it will either shut the port down or just deny the frames from that MAC:

"The source MAC address from the first packet of a new host on the dynamic port is sent to VMPS, which attempts to match the MAC address to a VLAN in the VMPS database. If there is a match, VMPS provides the VLAN number to assign to the port. If there is no match, VMPS either denies the request or shuts down the port (depending on the VMPS secure mode setting)."


CreatePlease to create content