MAC filtering

mvsheik123
Level 7

Hi

I am planning to enable MAC address filtering (one port on a 4510 and another on a 3560). I want to allow only that MAC address to communicate via that port with the rest of the network and the internet.

The 4510 has a PC connected and the 3560 has a Polycom connected.

Is the below sufficient, or am I missing something?

*****************************************************

4510(config)# mac access-list ext Allowmac
4510(config-ext-macl)# permit host 0000.0000.0001 any    (0000.0000.0001 : Mac of the PC)
4510(config-ext-macl)# denty any any
4510(config-ext-macl)# exit

4510(config)# int g7/40
4510(config-if)# mac access-group Allowmac in

***************************************************

Same on 3560 as well.

TIA

MS

2 Accepted Solutions

andtoth
Level 4

Hi,

It looks fine. Just as a side note, 'deny any any' seems to have a typo there as "denty".

For more details about MAC access lists, refer to the Configuring Named MAC Extended ACLs guide at the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/secure.html#wp1051626

Also note that there is a feature called Port Security which can also limit traffic based on the configured MAC addresses, and you can specify a maximum number of MAC addresses allowed on a port.

Port security enables you to restrict the number of MAC addresses (termed secure MAC addresses) on a port, allowing you to prevent access by unauthorized MAC addresses. It also allows you to configure a maximum number of secure MAC addresses on a given port (and optionally for a VLAN for trunk ports). When a secure port exceeds the maximum, a security violation is triggered, and a violation action is performed based on the violation action mode configured on the port.

If you configure the maximum number of secure MAC addresses as 1 on the port, the device attached to the secure port is assured sole access to the port.

Configuring Port Security

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/54sg/configuration/guide/port_sec.html

Andras


vragotha
Level 3

I believe you may want to look at Port Security, unless I understood your requirement wrong.

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/37sg/configuration/guides/port_sec.html


5 Replies


Thanks both.. I went with port security.

Hi Experts,

I have a 4506E-6L-E core switch. This core switch is connected to unmanageable hubs / Layer 2 switches in remote buildings. For example, Building-1 is connected to 4506 port gi 2/1; I want to allow 50 MAC addresses on that port and the rest of the MAC addresses should be blocked. Please keep in mind that port security with a MAC limit is fine, but if the MAC limit is exceeded or an unknown MAC is learned, then the port action is not good: if my action is protect, then unwanted users can still communicate, and if my action is shutdown, then all users on that port will be down along with that one.

I want to restrict all users except the allowed MAC addresses on that port / VLAN while the port is connected to hubs / unmanageable switches.

thanks

Rizwan Haider
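A port-security configuration covering both the single-PC port from the original question and the hub port with 50 known hosts asked about here (added example, not configuration from the thread; the interface names and the 0000.0000.01xx addresses are placeholders):

```cisco
! Added example. Interface names and the 0000.0000.01xx MACs are placeholders.
! Port with one PC: port-security equivalent of the "Allowmac" MAC ACL.
interface GigabitEthernet7/40
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.0000.0001
 switchport port-security violation restrict
!
! Port facing the Building-1 hub. The maximum equals the number of statically
! configured secure addresses, so no slot is left to dynamically learn an
! unknown MAC; frames from an unknown MAC are dropped while the port stays up.
interface GigabitEthernet2/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
 switchport port-security mac-address 0000.0000.0101
 switchport port-security mac-address 0000.0000.0102
 ! repeat the mac-address line once for each of the 50 allowed hosts
 switchport port-security violation restrict
!
! Verification from enable mode:
!   show port-security interface GigabitEthernet2/1
!   show port-security address
```

With `violation restrict` the offending frames are dropped, the violation counter shown by `show port-security interface` increments and a syslog/SNMP notification is generated, but the port is not err-disabled, so the 50 permitted hosts keep working.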

I think you should separate users at the access layer: put the ones you want to allow into one VLAN and the group you want to deny into another VLAN, and stop that VLAN from crossing the trunk links to your core.

Hope this helps

Eugen
