03-23-2023 10:11 AM
Hello.
I have about ten Cisco switches in my company.
I'd like a way to easily apply and centrally manage rules to only allow specific MAC addresses to access any of the ports for any of the VLANs on any of my Cisco switches.
I have the list of all MAC addresses of all my devices that I need and want to be allowed.
The goal is that if anyone tries to plug any unknown device into my network, the device gets blocked directly by the switch.
03-23-2023 10:41 AM
Hi
Try this.
Router# configure terminal
Router(config)# mac address-table static 0050.3e8d.6400 vlan 12 drop
03-23-2023 10:51 AM
Thanks for your reply Flavio.
I've seen that command on another post, but if I understood correctly, it only blocks one MAC address at a time, for one VLAN and for only one switch.
I'd like a way to easily apply the mentioned command for several MAC addresses, on several switches and for all VLANs.
I mean, instead of blocking one MAC address at a time on each VLAN for each switch, one by one, I'd like to do it in bulk.
Also, this is for blocking, which would be fine for now for cases where we know the device we'd want to block, but my goal is actually to have everything blocked by default and only allow specific MAC addresses (my known devices), so that anything that is unknown by us gets automatically blocked by the switch.
03-23-2023 10:59 AM
Use a VLAN access-map that matches a MAC access list.
Now for the MAC, you can use the vendor MAC address in the MAC access list.
For example, Cisco starts with 00c0.xxxx.xxxx, so you can use 00c0 in the MAC ACL.
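The original poster asked for a way to apply the allow-list in bulk across several switches and all VLANs, and the reply above suggests a MAC ACL with a VLAN access-map. The script below is an added example, not code from Cisco or from any poster in this thread: it normalises a list of known MAC addresses and renders the IOS configuration (MAC ACL plus VACL, and the bulk form of the `mac address-table static ... drop` command from earlier in the thread). The ACL and access-map names and the sample addresses are made up.

```python
import re
from typing import Iterable, List

# Constructed sample allow-list: made-up addresses in three common notations.
ALLOWED_MACS = ["00:50:3e:8d:64:00", "0050.3e8d.6401", "00-50-3E-8D-64-02"]


def to_cisco_mac(mac: str) -> str:
    """Normalise any common MAC notation to Cisco's hhhh.hhhh.hhhh form.

    A malformed entry raises instead of becoming a 'permit' that never
    matches, which would silently lock the real device out."""
    if not re.fullmatch(r"[0-9a-fA-F.:-]+", mac):
        raise ValueError(f"invalid MAC address: {mac!r}")
    digits = re.sub(r"[.:-]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"invalid MAC address: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"


def build_vacl_allowlist(macs: Iterable[str], vlan_list: str,
                         acl: str = "ALLOWED-MACS",
                         vmap: str = "MAC-ALLOWLIST") -> List[str]:
    """MAC ACL permitting only known source MACs, plus a VLAN access-map that
    forwards matches and drops every other frame on the listed VLANs.

    Caveats: the default gateway and any servers must be in the list or their
    replies are dropped; and on several Catalyst families a MAC ACL inside a
    VACL matches only non-IP frames, so confirm the behaviour on your model
    before rolling this out."""
    hosts = sorted({to_cisco_mac(m) for m in macs})  # normalise, de-duplicate
    lines = [f"mac access-list extended {acl}"]
    lines += [f" permit host {m} any" for m in hosts]  # implicit deny follows
    lines += [f"vlan access-map {vmap} 10", f" match mac address {acl}",
              " action forward", f"vlan access-map {vmap} 20", " action drop",
              f"vlan filter {vmap} vlan-list {vlan_list}"]
    return lines


def build_static_drops(macs: Iterable[str], vlans: Iterable[int]) -> List[str]:
    """Bulk form of the per-address 'mac address-table static ... drop' command
    from this thread: one line per (MAC, VLAN) pair, for a known deny-list."""
    return [f"mac address-table static {to_cisco_mac(m)} vlan {v} drop"
            for m in macs for v in vlans]


if __name__ == "__main__":
    # The same text is pasted into every switch, so one run covers all ten.
    print("\n".join(build_vacl_allowlist(ALLOWED_MACS, "10-20")))
```

Because every switch receives identical text, the rendered output can be pushed by whatever configuration tool is already in use; keeping the MAC list in one file is what gives the centralised management the question asks for.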
03-23-2023 11:05 AM
Thanks @MHM Cisco World.
I'll have to look and study on this.
03-23-2023 11:00 AM
Hi
Well, in that case I believe you need a more complex solution. You can take a look at RADIUS solutions. It does not necessarily need to be Cisco, but Cisco has ISE for that purpose.
I don't believe you can achieve what you want only with the switch config.
03-23-2023 11:10 AM
Thanks @Flavio Miranda.
I thought there would not be an easy way, because I couldn't find anything on the web.
I thought that this kind of security would be implemented within the switches, but I guess I was wrong.
As for the Radius, I can't use that on my network because the main company doesn't allow me to deal with it.
As for ISE, I haven't looked deeply into it, but from the little that I saw, it will probably be something my management will not approve due to high costs involved. 🤦🏻
But thanks for your suggestions!
03-24-2023 04:16 AM - edited 03-24-2023 04:22 AM
Yes, ISE is a RADIUS and TACACS server and it is expensive. But, if you have time to study a little bit, an old PC out there can run a Linux operating system and you can install FreeRADIUS for free and achieve the same result.
Any other static solution like ACLs or rules applied on the device will always be a waste of time. New vendors are always popping up, new MAC address ranges can be created and the nightmare never ends. Completely not scalable, and the attacker needs to find just one valid MAC address to break into your network.
With a RADIUS server you can achieve a decent level of protection with MAB and dot1x.
If you try to block MAC addresses on the switch, you will be doing the same thing this gentleman is doing in this funny video.
03-24-2023 04:22 AM
Thanks a lot @Flavio Miranda.
I don't have the time right now, but will certainly look into studying about this.
Hope that this works for me.
03-24-2023 04:36 AM - edited 03-24-2023 04:52 AM
"Other solution is a waste of time"? That's not right. Many use MAC ACLs and it works for networks with a low budget.
If the hacker knows the MAC address, he can also easily know the username/password.
@criscabellos try the MAC ACL and check the result.
03-24-2023 04:50 AM
Thanks @MHM Cisco World !
I'll have a look at this as well.
03-23-2023 02:59 PM
Disable all unused ports or put all unused ports in VLAN 1.
03-24-2023 04:06 AM
Thanks for your reply @leo.
Unfortunately that won't work for me.
First because there are no unused ports.
Second because even for those used ports, unfortunately I have some users that tend to bring their own devices or visitors without notifying anyone at the company before plugging their device into our ports, and remove whatever is currently connected to connect their own device.
Our company has a policy of not allowing any unknown device to be used within our network, but even so, the company is not allowed to look into everyone's personal bag. Also, with hundreds of employees, this would be an impracticable approach.
I need a logical way to deal with this, but also a way that is not expensive and that is practical in management throughout all my network devices (centralized).
I've tried blocking via DHCP and that works great for most cases, but I need something for all cases, because if someone knows our network settings, they are able to set their device with manual configuration. I have also a VLAN segmentation which also reduces risks, but it is not a 100% solution.
My thoughts were to block everything at the switch level and only allow my known devices list.
Since unfortunately Cisco switches don't have that security feature as easily manageable as I'd like it to be, as mentioned earlier, I'm looking for alternative solutions now.
I've looked into Cisco ISE as mentioned by Flavio Miranda, but although that might work for me, it is very expensive and I already know my company will not approve to get that solution.