Allow connection by MAC address?

KGrev
Level 4

Hi,

I have a list of 20 MAC addresses. These devices will move around constantly and connect at different locations. Is there a way I can place this list in the switches and allow only these MAC addresses into VLAN 800, for example? So the ports would be open but only allow these MACs to connect if detected?

Thanks for any help.

19 Replies

ARPA, sorry typo 

I should update: this seems to work for a moment and keeps a specific MAC that I didn't add from working. But a few minutes later everything in that VLAN is blocked. Also, during this time the devices in that VLAN cannot ping/access each other.

Is this after you used the config I shared?

Correct, sir. With the latest information, all devices in VLAN 2010 get blocked when I add:

vlan access-map MAC_TRUST_EX 20
 action drop

Here is what I have currently:

mac access-list extended MAC_TRUST_EX
 permit host 80ce.b1ad.fece any
 permit host a813.74d1.0dfc any
 permit host bcc3.4298.9cb0 any
 permit host bcc3.429a.841d any
 permit host bcc3.42c3.0f22 any
 permit host fc3f.db10.09fb any
 permit host fc3f.db10.0a9e any
 permit host fc3f.db10.0af8 any
 permit host fc3f.db10.0b00 any
 permit host fc3f.db10.0b1b any
 permit host fc3f.db10.0b1f any
 permit host fc3f.db10.0b27 any
 permit host fc3f.db10.0b31 any
 permit host fc3f.db10.0ba8 any
 permit host fc3f.db10.0b0c any
 permit host 64f6.9d29.29c2 any   ! VLAN GW
 permit any any 0x806 0x0         ! this is ARP, I believe, based on your previous link
!
vlan access-map MAC_TRUST_EX 10
 match mac address MAC_TRUST_EX
 action forward
vlan access-map MAC_TRUST_EX 20
 action drop
!
vlan filter MAC_TRUST_EX vlan-list 2010

 

Hi Friend,
I spent two days checking.
I have already done VLAN access-map with host, but for MAC it is the first time,
so I did a deep dive into MAC ACL and bridging in VLAN.
The issue is that a MAC ACL cannot filter IPv4/IPv6 packets; it can filter ARP (0x806),
so I tried using a GNS3 lab and it failed. I think it is a limitation of GNS3, not a real config issue.
Anyway:

permit host 80ce.b1ad.fece host a813.74d1.0dfc 0x806   <<- add this only under the MAC ACL and apply action forward
permit any any                                        <<- use this MAC ACL and apply action drop

Then check: only these two MAC addresses can connect to each other in the same VLAN; other hosts will be denied.

Thanks,
MHM
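An added example, not from this thread or from Cisco, that models how the poster's VLAN access-map evaluates frames. Its modelling assumption is MHM's statement above that the MAC ACL matches ARP (0x806) but not IPv4/IPv6 packets; under that assumption it shows why IP traffic from a trusted MAC falls through to sequence 20 and is dropped, while the `permit any any 0x806` entry forwards ARP from any MAC, trusted or not. The MAC subset and sample frames are constructed.

```python
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

# Constructed subset of the trusted MACs posted in the thread (the full list is above).
TRUSTED_MACS = ["80ce.b1ad.fece", "a813.74d1.0dfc", "64f6.9d29.29c2"]


def mac_acl_matches(entries, src, dst, ethertype):
    """Return True if any MAC ACL entry (src, dst, ethertype-or-None) matches the frame.
    Modelling assumption, taken from MHM's reply: the MAC ACL is consulted only for
    non-IP frames, so IPv4/IPv6 frames never match any entry."""
    if ethertype in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return False
    for e_src, e_dst, e_type in entries:
        if e_src in ("any", src) and e_dst in ("any", dst) and e_type in (None, ethertype):
            return True
    return False


def vacl_action(access_map, frame):
    """Walk the access-map sequences in order; the first matching sequence decides.
    A sequence without a match clause (seq 20 in the thread) matches every frame,
    and a frame matching no sequence at all is dropped (implicit deny)."""
    src, dst, ethertype = frame
    for _seq, acl, action in access_map:
        if acl is None or mac_acl_matches(acl, src, dst, ethertype):
            return action
    return "drop"


def thread_access_map():
    """The poster's access-map MAC_TRUST_EX as (sequence, ACL entries, action)."""
    acl = [(mac, "any", None) for mac in TRUSTED_MACS]
    acl.append(("any", "any", ETHERTYPE_ARP))  # admits ARP from any MAC, trusted or not
    return [(10, acl, "forward"), (20, None, "drop")]


def evaluate(access_map, frames):
    """Return {label: action} for a dict of labelled frames."""
    return {label: vacl_action(access_map, f) for label, f in frames.items()}


if __name__ == "__main__":
    # Constructed sample frames seen in VLAN 2010.
    frames = {
        "trusted ARP": ("80ce.b1ad.fece", "ffff.ffff.ffff", ETHERTYPE_ARP),
        "trusted IPv4 to gateway": ("80ce.b1ad.fece", "64f6.9d29.29c2", ETHERTYPE_IPV4),
        "unknown ARP": ("0011.2233.4455", "ffff.ffff.ffff", ETHERTYPE_ARP),
        "unknown IPv4": ("0011.2233.4455", "64f6.9d29.29c2", ETHERTYPE_IPV4),
    }
    for label, action in evaluate(thread_access_map(), frames).items():
        print(f"{label:25s} -> {action}")
```

The "trusted IPv4 to gateway" case dropping is exactly the symptom reported above (hosts in the VLAN can ARP but cannot ping each other); check your platform's documentation for whether its MAC ACLs classify IP frames before relying on this model.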
