Re: Allow connection by mac address?

KGrev · ‎06-06-2023

Hi,

I have a list of 20 mac addresses. These devices will move around constantly and connect at different locations. Is there a way I can place this list in the switches and allow only these mac addresses input into vlan 800 for example? So the ports would be open but only allowing these macs to connect if detected?

Thanks for any help.

Flavio Miranda · ‎06-06-2023

Hi

It will depend on your switch. If they run IOS XE version 17.1 you can create Access List and permit those mac address.

https://content.cisco.com/chapter.sjs?uri=/searchable/chapter/content/en/us/td/docs/routers/ncs5xx/ncs520/configuration/guide/sec-usr-ssh/17-1-1/b-sec-data-acl-xe-17-1-1-ncs520/b-sec-data-acl-xe-17-1-1-ncs520_chapter_011.html.xml

KGrev · ‎06-06-2023

@Flavio Mirandathanks for your response.
Correct me if i'm wrong but that method will be ineffective if the connected device tries to reach outside of its gateway right? Like if it gets an ip and begins to send layer 3 traffic?

Flavio Miranda · ‎06-06-2023

It should be to permit or not the device onboard on the switch by filtering the mac address. The Access-list will not look into layer3 communication. For this, you need to use Layer3 access-list if you need to block layer3 traffic.

MHM Cisco World · ‎06-06-2023

You can use mac acl apply to vlan map'

But I want to make sure about one point' these host in vlan 888 if want to connect to other host in any other subnet need mac address of SVI (GW) so you need to permit traffic from these mac to mac of GW also you need to permit mac to ffff.ffff.ffff for dhcp server.

KGrev · ‎06-06-2023

@MHM Cisco WorldThanks for your response.
Would something like this work to allow certain macs to access vlan 2010?

vlan filter MAC_TRUST_EX vlan-list 2010

vlan access-map MAC_TRUST_EX 2010
match mac address MAC_TRUST_EX
action forward

Extended MAC access list MAC_TRUST_EX
permit host 80ce.b1ad.fece any
permit host a813.74d1.0dfc any
permit host bcc3.4298.9cb0 any
permit host bcc3.429a.841d any
permit host bcc3.42c3.0f22 any
permit host fc3f.db10.09fb any
permit host fc3f.db10.0a9e any
permit host fc3f.db10.0af8 any
permit host fc3f.db10.0b00 any
permit host fc3f.db10.0b1b any
permit host fc3f.db10.0b1f any
permit host fc3f.db10.0b27 any
permit host fc3f.db10.0b31 any
permit host fc3f.db10.0ba8 any
permit host fc3f.db10.0b0c any

MHM Cisco World · ‎06-06-2023

permit host <gw mac address> any

This need also

Do you use dhcp server??

KGrev · ‎06-06-2023

The dhcp server is on another switch a few hops away. Would that need to be added if its not on the same switch and a few hops away?

MHM Cisco World · ‎06-06-2023

No need I think the SVI will be dhcp helper and need mac of dhcp.

Note:- I will check last puzzle for this task the arp between hosts and between hosts and GW.

MHM Cisco World · ‎06-06-2023

https://www.cisco.com/c/en/us/support/docs/switches/catalyst-3550-series-switches/64844-mac-acl-block-arp.html

And here the answer for arp issue in mac acl

KGrev · ‎06-06-2023

@MHM Cisco WorldThanks for your help. This appears to be doing something but when all is applied the devices in the vlan can not reach each other.

MHM Cisco World · ‎06-06-2023

can I see the last config

KGrev · ‎06-07-2023

@MHM Cisco WorldCertainly,

vlan filter MAC_TRUST_EX vlan-list 2010

vlan access-map MAC_TRUST_EX 10
match mac address MAC_TRUST_EX
action forward

Extended MAC access list MAC_TRUST_EX
permit host 80ce.b1ad.fece any
permit host a813.74d1.0dfc any
permit host bcc3.4298.9cb0 any
permit host bcc3.429a.841d any
permit host bcc3.42c3.0f22 any
permit host fc3f.db10.09fb any
permit host fc3f.db10.0a9e any
permit host fc3f.db10.0af8 any
permit host fc3f.db10.0b00 any
permit host fc3f.db10.0b1b any
permit host fc3f.db10.0b1f any
permit host fc3f.db10.0b27 any
permit host fc3f.db10.0b31 any
permit host fc3f.db10.0ba8 any
permit host fc3f.db10.0b0c any
permit host 64f6.9d29.29c2 any --Vlan GW

Should I also add?:
vlan access-map MAC_TRUST_EX 20
action drop

MHM Cisco World · ‎06-07-2023

vlan access-map MAC_TRUST_EX 10
match mac address MAC_TRUST_EX
action forward
!
Extended MAC access list MAC_TRUST_EX
permit host 80ce.b1ad.fece any <<- I remove other MAC to make my answer short
permit any any arpa
permit host 64f6.9d29.29c2 any --VLAN GW
!

vlan access-map MAC_TRUST_EX 20
action drop

vlan filter MAC_TRUST_EX vlan-list 2010

try this

KGrev · ‎06-07-2023

@MHM Cisco Worldpermit AARP? "Appletalk ARP"?