Question about using extended mac access-lists

osmhquser
Level 1

I have a few questions about setting up extended mac access-lists. Using what we have in place now with the switches, we are trying to prevent unauthorized devices from connecting to the network. Using port-security at this time is not an option.

We are using the Cisco WS-C3750G-24PS and WS-C3750G-48PS port switches throughout all our field offices. When creating a mac access-list extended, is there a maximum limit to the acl? The list could potentially contain anywhere from 1,500 to 2000 entries.

Also, after creating an initial mac access-list, I noticed that I'm unable to add the 'log' statement to the end of my 'deny any any' statement. Is there some other way to get info about systems whose mac-address isn't listed in the mac acl? We are trying to get notified either through syslog or snmp about someone potentially trying to connect to the network.

Thx for any response given.

2 Replies

cadet alain
VIP Alumni

Hi,

this feature will send you an SNMP trap when a new MAC is added or a MAC is deleted from the CAM table:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11902728

I think you should be using dot1x and MAB to prevent unknown machines from connecting:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/commmand/reference/cli1.html#wp11902728

Regards

Alain

Don't forget to rate helpful posts.

I configured the snmp trap and am receiving them on my snmp monitor system. However, I'm not seeing any associated mac-addresses.
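The MAC addresses the last post is not seeing, and the unknown-MAC notification the original question asks for, as an added Python example that is not part of this thread and not Cisco's code: it decodes the packed MAC-change varbind of a MAC notification trap and compares each learnt MAC against the permit entries of a mac access-list. The 11-byte record layout (operation, VLAN, MAC, dot1dBasePort) is my reading of cmnHistMacChangedMsg in CISCO-MAC-NOTIFICATION-MIB and should be checked against the MIB file shipped with your IOS release; the ACL text, trap bytes and allowlist are constructed, and pulling real varbinds out of your trap receiver is left to you.

```python
import re
import struct
from typing import Dict, List, Set

# Assumed record layout of the cmnHistMacChangedMsg varbind carried in a
# CISCO-MAC-NOTIFICATION-MIB trap (check your switch's MIB file): each change
# is 11 bytes: 1 byte operation, 2 bytes VLAN, 6 bytes MAC, 2 bytes dot1dBasePort.
RECORD_LEN = 11
OPERATIONS = {1: "learnt", 2: "removed"}


def mac_to_cisco(mac: bytes) -> str:
    """Render 6 raw bytes in the dotted form IOS prints, e.g. 0011.2233.4455."""
    h = mac.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def decode_mac_changed_msg(payload: bytes) -> List[Dict]:
    """Split the packed octet string into one dict per MAC change record."""
    if len(payload) % RECORD_LEN != 0:
        raise ValueError(f"payload length {len(payload)} is not a multiple of {RECORD_LEN}")
    events = []
    for off in range(0, len(payload), RECORD_LEN):
        op, vlan, mac, port = struct.unpack("!BH6sH", payload[off:off + RECORD_LEN])
        events.append({
            "operation": OPERATIONS.get(op, f"op{op}"),
            "vlan": vlan,
            "mac": mac_to_cisco(mac),
            "port": port,
        })
    return events


def allowlist_from_mac_acl(acl_text: str) -> Set[str]:
    """Collect the host MACs permitted by a 'mac access-list extended' config block."""
    pattern = re.compile(
        r"^\s*permit\s+host\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+any\b")
    allowed = set()
    for line in acl_text.splitlines():
        m = pattern.match(line)
        if m:
            allowed.add(m.group(1).lower())
    return allowed


def find_unknown_macs(events: List[Dict], allowed: Set[str]) -> List[Dict]:
    """Return the 'learnt' events whose MAC is absent from the allowlist."""
    return [e for e in events if e["operation"] == "learnt" and e["mac"] not in allowed]


def format_alert(event: Dict) -> str:
    """One syslog-style line per unknown MAC, ready to forward to a collector."""
    return (f"MAC-NOTIFY: unknown MAC {event['mac']} learnt on dot1dBasePort "
            f"{event['port']} vlan {event['vlan']}")


# Constructed sample data (not a real capture and not a real ACL).
SAMPLE_MAC_ACL = """\
mac access-list extended FIELD-OFFICE-ALLOW
 permit host 0011.2233.4455 any
 permit host 0011.2233.4456 any
 deny   any any
"""
SAMPLE_PAYLOAD = bytes.fromhex(
    "01000a0011223344550003"   # learnt,  vlan 10, 0011.2233.4455, port 3
    "01000aaabbccddeeff0007"   # learnt,  vlan 10, aabb.ccdd.eeff, port 7
    "0200140011223344550003"   # removed, vlan 20, 0011.2233.4455, port 3
)


def main() -> None:
    allowed = allowlist_from_mac_acl(SAMPLE_MAC_ACL)
    for event in find_unknown_macs(decode_mac_changed_msg(SAMPLE_PAYLOAD), allowed):
        print(format_alert(event))


if __name__ == "__main__":
    main()
```

Run as a script it prints one alert line for the MAC that is not in the allowlist. A CAM-table learn of an unlisted MAC is the signal the question is after, not proof that the host got any frames past the deny entry; the ACL still decides forwarding, the trap only tells you someone plugged in.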