Netexpertise

May 06 2015

Deny VLAN Access to a Mac Address on Cisco Catalyst

Published by dave at 10:14 pm under Cisco,Security

Mac addresses can be filtered out with port security, mac access lists or even 802.1x port-based authentication with Radius.

Mac access ACL requires a higher end switch while 802.1x authentication is a pretty heavy setup and needs to manage a mac address database on a Radius server.
Port security allows you to permit some mac addresses on a port but what if you don’t know them all? Or want to deny a mac access to a specific vlan?

Here are 2 simple commands that will do the job on a Cisco Catalyst switch

Deny a specific mac address to a particular vlan

Cisco(config)#mac address-table static 0023.64a4.0e8c vlan 49 drop
Cisco(config)#do sh mac addr
  49    0025.64a4.0e8c    STATIC      Drop

Force a mac address to work on a particular vlan and port only

Cisco(config)#mac address-table static 0023.64a4.0e8c vlan 48 int fa0/35
Cisco(config)#do sh mac addr
  48    0025.64a4.0e8c    STATIC      Fa0/35

This prevents someone to access the wrong vlan just moving his cable to another port if he has access to the switch cabinet.

Tags: Cisco, Mac Address, network, Switch, VLAN

No responses yet

Trackback URI | Comments RSS

Categories
- Database (10)
  - Ldap (2)
  - Mysql (7)
  - Oracle (1)
  - Postgresql (1)
- Mail (5)
  - Exchange (5)
- Misc (12)
  - Apache (5)
  - GLPI (2)
- Networking (20)
  - Cisco (8)
  - Fortinet (2)
  - Freeradius (10)
  - Monitoring (3)
- Security (7)
  - SSH (3)
- Storage (2)
- Systems (67)
  - Aix (3)
  - AS400 (13)
  - Backup (2)
  - Linux (29)
  - Solaris (3)
  - Virtualization (3)
  - Windows (20)

Get your projects done with Netexpertise
contact us »

Yearly
- 2018 (1)
- 2017 (6)
- 2016 (6)
- 2015 (10)
- 2014 (4)
- 2013 (6)
- 2012 (5)
- 2011 (8)
- 2010 (11)
- 2009 (24)
- 2008 (14)
- 2007 (7)
- 2006 (4)

Systems & Networks

Deny VLAN Access to a Mac Address on Cisco Catalyst

Leave a Reply

Categories

Yearly