May 06 2015

Deny VLAN Access to a Mac Address on Cisco Catalyst

Published by at 10:14 pm under Cisco,Security




Mac addresses can be filtered out with port security, mac access lists or even 802.1x port-based authentication with Radius.

Mac access ACL requires a higher end switch while 802.1x authentication is a pretty heavy setup and needs to manage a mac address database on a Radius server.
Port security allows you to permit some mac addresses on a port but what if you don’t know them all? Or want to deny a mac access to a specific vlan?

Here are 2 simple commands that will do the job on a Cisco Catalyst switch

Deny a specific mac address to a particular vlan

Cisco(config)#mac address-table static 0023.64a4.0e8c vlan 49 drop
Cisco(config)#do sh mac addr
  49    0025.64a4.0e8c    STATIC      Drop

Force a mac address to work on a particular vlan and port only

Cisco(config)#mac address-table static 0023.64a4.0e8c vlan 48 int fa0/35
Cisco(config)#do sh mac addr
  48    0025.64a4.0e8c    STATIC      Fa0/35

This prevents someone to access the wrong vlan just moving his cable to another port if he has access to the switch cabinet.


No responses yet

Trackback URI | Comments RSS

Leave a Reply