May 06 2015
Deny VLAN Access to a Mac Address on Cisco Catalyst
MAC addresses can be filtered with port security, MAC access lists, or even 802.1X port-based authentication against a RADIUS server.
A MAC ACL requires a higher-end switch, while 802.1X authentication is a fairly heavy setup that also means maintaining a MAC address database on the RADIUS server.
Port security lets you permit certain MAC addresses on a port, but what if you don't know all of them? Or what if you want to deny a MAC address access to a specific VLAN?
Here are two simple commands that do the job on a Cisco Catalyst switch.
Deny a specific MAC address on a particular VLAN
Cisco(config)#mac address-table static 0023.64a4.0e8c vlan 49 drop
Cisco(config)#do sh mac addr 49
  49    0025.64a4.0e8c    STATIC    Drop
Force a MAC address to work on a particular VLAN and port only
Cisco(config)#mac address-table static 0023.64a4.0e8c vlan 48 int fa0/35
Cisco(config)#do sh mac addr 48
  48    0025.64a4.0e8c    STATIC    Fa0/35
This prevents someone with access to the switch cabinet from reaching the wrong VLAN simply by moving their cable to another port.
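As an added example (not part of the original post, and not Cisco tooling), the following Python helper renders the two commands shown above from a small rule list and then audits a pasted copy of show mac address-table output: it flags any rule whose STATIC drop or port binding is missing, and any policed MAC that the switch has learned dynamically, which is what you would see if the static entry was never applied and the cable was moved. The table text, the MAC aaaa.bbbb.cccc and the ports Fa0/20 and Fa0/3 are constructed sample data.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample of `show mac address-table` output (not captured from a real switch).
SAMPLE_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  48    0023.64a4.0e8c    STATIC      Fa0/35
  49    0023.64a4.0e8c    STATIC      Drop
  48    aaaa.bbbb.cccc    DYNAMIC     Fa0/3
"""

# One table row: vlan, dotted-hex MAC, entry type, port (or "Drop").
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)", re.I)

@dataclass(frozen=True)
class Rule:
    mac: str
    vlan: int
    port: Optional[str] = None  # None means "drop": deny this MAC on the VLAN entirely

# Hypothetical policy: the page's MAC dropped on VLAN 49 and pinned to Fa0/35 on VLAN 48,
# plus a constructed MAC that should be pinned to Fa0/20 but has no static entry yet.
RULES = [Rule("0023.64a4.0e8c", 49), Rule("0023.64a4.0e8c", 48, "Fa0/35"),
         Rule("aaaa.bbbb.cccc", 48, "Fa0/20")]

def build_commands(rules):
    """Render the IOS config lines from the post: a drop entry or a static port binding."""
    cmds = []
    for r in rules:
        base = f"mac address-table static {r.mac} vlan {r.vlan}"
        cmds.append(base + (" drop" if r.port is None else f" interface {r.port}"))
    return cmds

def parse_table(text):
    """Return (vlan, mac, type, port) tuples; header and separator lines are skipped."""
    return [(int(m[1]), m[2].lower(), m[3].upper(), m[4])
            for m in map(ROW.match, text.splitlines()) if m]

def audit(rules, text):
    """List policy gaps: missing STATIC entries and policed MACs learned dynamically."""
    rows = parse_table(text)
    findings = []
    for r in rules:
        expected = "Drop" if r.port is None else r.port
        if not any(v == r.vlan and m == r.mac.lower() and t == "STATIC"
                   and p.lower() == expected.lower() for v, m, t, p in rows):
            findings.append(f"{r.mac} vlan {r.vlan}: static entry -> {expected} missing")
        for v, m, t, p in rows:
            if m == r.mac.lower() and t == "DYNAMIC":
                findings.append(f"{r.mac}: learned dynamically on vlan {v} port {p}")
    return findings
```

Running audit(RULES, SAMPLE_TABLE) reports nothing for the two entries that match the post's output and two findings for the constructed MAC (no static binding, and learned on Fa0/3 instead of Fa0/20).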