
how to use mac access list

rohan jadhav
Level 1

How to use MAC access lists on switches?

On which switches will this feature run?

2 Replies

hobbe
Level 7

Well this is my view on the subject.

MAC address access-lists are for use when the IP access lists do not work.

Well, when is that then?

E.g. if you have 3 computers in the same network and you want them all to be able to send information to the gateway, and two of them need to send huge amounts of backup data between them.

A VLAN could do the trick, or routing, but that would cost loads of routing overhead.

If you do an IP access-list on the ports that face the Windows machines you will still see that they can communicate.

This is because not all communication is over TCP/IP; some might be over some other protocol such as NetBIOS or IPX/SPX.

Since you cannot do access-lists for every type of protocol (or you can, but that would be very costly to implement and very non-standard), they simply take the lowest common denominator, i.e. the MAC address, and filter on that instead.

That way you can filter all the protocols, but well, it's kind of crude but effective.

I love to put them in e.g. a DMZ and so on, where communication between different machines is not desirable but with other machines is needed.

Some things you can help with e.g. a VLAN, but others might be more practical with e.g. MAC address access-lists.

So it is just another tool to help you protect your network.

What switches can do this?

I am not sure, but I think all Cisco switches can do this. I cannot remember that I have needed it and not been able to have it.

On the other hand, it is quite seldom I need it.

Good luck

HTH

You should use MAC access-lists on ACCESS level switches, mainly for security reasons. This is not a much-used feature, but again it depends on your scenario requirements.
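
Added example, not part of the original thread or any poster's configuration: a named MAC extended ACL for the three-host scenario in the first reply, applied inbound on the third host's access port so it can still reach the gateway but not the two backup hosts. The ACL name, interface number and MAC addresses (taken from the documentation range) are constructed.

```cisco
! Constructed values: 0000.5e00.5301 and 0000.5e00.5302 are the two
! backup hosts; GigabitEthernet0/3 is the access port of the third host.
mac access-list extended BLOCK-TO-BACKUP-HOSTS
 ! Drop frames from this port addressed to either backup host
 deny   any host 0000.5e00.5301
 deny   any host 0000.5e00.5302
 ! Everything else (gateway, broadcasts) is still forwarded;
 ! without this line the implicit deny at the end drops all frames
 permit any any
!
interface GigabitEthernet0/3
 switchport mode access
 ! Bind the MAC ACL to the Layer 2 port, inbound direction
 mac access-group BLOCK-TO-BACKUP-HOSTS in
```

On many Catalyst access switches a port MAC ACL matches only non-IP frames, so IP traffic between the same hosts needs an IP ACL on that port as well. `show access-lists` and `show mac access-group` confirm what is configured and where it is applied.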
