10-11-2010 09:43 AM - edited 03-06-2019 01:26 PM
Hi,
I have a Cisco 3560 layer 3 switch where I have 5 VLANs. I have edge switches placed for each VLAN for connecting the computers/laptops. A DHCP server in one of the VLANs serves a dynamic IP if a user connects a laptop/computer to one of the ports in the layer 2 edge switch.
My requirement is to restrict any outside user with a laptop from entering our network by just plugging a cable into the L2 edge switch.
Is it possible to set a rule in the L3 switch giving access only to computers/laptops whose MAC IDs are already defined in the L3? If so, how do I do it?
Thanks for any response,
- Ribin
10-11-2010 09:57 AM
You have to know all the allowed MAC addresses, then you can do an ACL or port security to filter out unwanted MAC addresses.
10-11-2010 10:05 AM
Hi,
Yes, I have the list of all the MAC IDs. How can I do it? Can you guide me with the config?
Note: The computers/laptops will not be connected directly to the layer 3 switch; they will be connected to a layer 2 switch which comes under the layer 3 switch. Will this be a problem?
- Ribin
10-11-2010 10:21 AM
Doesn't matter, you will do the filtering on your switches, specifically on the ports in question. If it's all of them, create the ACL and issue the int range xxxx to apply that access-group on all your ports.
This should do it IF you know all the MAC addresses that you want to allow:
sw(config)# mac access-list extended MAC_ADDRESS
sw(config-ext-macl)# permit host
sw(config-ext-macl)# permit host
sw(config-ext-macl)# permit host
sw(config-ext-macl)# permit host
sw(config-ext-macl)# exit
sw(config)# int g1/0/40
sw(config-if)# mac access-group MAC_ADDRESS in
"After receiving a packet, the switch checks it against the inbound ACL. If the ACL permits it, the switch continues to process the packet. If the ACL rejects the packet, the switch discards it. When you apply an undefined ACL to an interface, the switch acts as if the ACL has not been applied and permits all packets. Remember this behavior if you use undefined ACLs for network security."
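An added helper (not from this thread or from Cisco) that turns an allow-list of MAC addresses into the ACL and access-group lines shown above, and models the inbound check the quoted doc text describes, including the "undefined ACL permits everything" case. The allow-list, the interface range and the `any` destination on each permit line are assumptions for the example.

```python
import re

# Constructed allow-list for the example; mixed notations and one duplicate on purpose.
ALLOWED_MACS = ["00:1A:2B:3C:4D:5E", "001a.2b3c.4d5f", "00-1A-2B-3C-4D-60", "00:1a:2b:3c:4d:5e"]

def to_cisco(mac: str) -> str:
    """Normalise colon, dash or dotted notation to Cisco's hhhh.hhhh.hhhh form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def build_config(acl_name: str, macs, interface_range: str) -> list:
    """Return IOS config lines: one permit per unique MAC, an explicit deny,
    and the inbound mac access-group applied to the edge ports (assumed range)."""
    lines = [f"mac access-list extended {acl_name}"]
    seen = set()
    for mac in macs:
        norm = to_cisco(mac)
        if norm in seen:          # skip duplicates so the ACL stays readable
            continue
        seen.add(norm)
        lines.append(f" permit host {norm} any")   # 'any' destination is an assumption
    lines.append(" deny any any")  # spells out the implicit deny at the end of every ACL
    lines += ["exit", f"interface range {interface_range}", f" mac access-group {acl_name} in"]
    return lines

def permitted_set(macs) -> set:
    """The set of normalised MACs the ACL would permit."""
    return {to_cisco(m) for m in macs}

def acl_decision(acl, src_mac: str) -> str:
    """Model the switch's inbound check from the quoted doc text:
    acl is None when the name applied to the port was never defined,
    in which case the switch filters nothing and permits the frame."""
    if acl is None:
        return "permit"
    return "permit" if to_cisco(src_mac) in acl else "deny"

if __name__ == "__main__":
    print("\n".join(build_config("MAC_ADDRESS", ALLOWED_MACS, "g1/0/1 - 24")))
```

Paste the printed lines into config mode on the edge switch that owns the ports; the explicit `deny any any` only makes the default behaviour visible in `show access-lists` counters.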
10-11-2010 10:29 AM
Thanks, I will give it a try.
In the config you provided,
sw(config)# mac access-list extended MAC_ADDRESS
you have used the acl name as "MAC_ADDRESS", but
sw(config)# int g1/0/40
sw(config-if)# mac access-group filtermac in
I guess it is "MAC_ADDRESS" and not filtermac. Am I right?
- Ribin
10-11-2010 10:30 AM
You are correct. I edited my post to not confuse anyone.
10-11-2010 10:33 AM
Thanks
- Ribin