May 06 2015

How to Deny / Force VLAN Access to a Mac Address on Cisco

Published by at 10:14 pm under Cisco, Security

Different methods exist to filter out MAC addresses on a switch, such as:
port security,
MAC access lists, or even
802.1X port-based authentication with RADIUS.

MAC access lists require a higher-end switch, while 802.1X authentication is a fairly heavy setup and requires maintaining a MAC address database on a RADIUS server.
Port security lets you accept some MAC addresses on a port, but what if you don't have an exhaustive list? Or if you want to deny a MAC address access to a specific VLAN?

All Cisco switches have a basic feature that lets you configure static MAC addresses. Here are two simple commands that will help in different scenarios.

Deny a Mac Address on a VLAN

You want to prohibit a machine from being on a specific VLAN because that VLAN has special permissions, such as internet access, while the others don't.
You can deny a specific MAC address on a particular VLAN with the "drop" option:

Cisco(config)# mac address-table static 0023.64a4.0e8c vlan 49 drop
Cisco(config)# do show mac address
  49    0023.64a4.0e8c    STATIC      Drop


Force a Mac Address on a VLAN

You can make it work the other way around: force a MAC address to work on a particular VLAN and port only, to make sure it is isolated from the rest of the network (if the VLAN is configured that way). Think of that old Windows XP box running an old piece of software you cannot get rid of 🙂

Cisco(config)# mac address-table static 0023.64a4.0e8c vlan 48 int fa0/35
Cisco(config)# do show mac address
  48    0023.64a4.0e8c    STATIC      Fa0/35


This prevents anyone from reaching the wrong VLAN just by moving the network cable to another port, intentionally or accidentally, if they have access to the network cabinet.
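As an added example (not part of the original post), the following Python helper builds both kinds of static entry shown above from MAC addresses in any common notation, and parses the output of "show mac address-table" so you can audit that the Drop or interface binding is actually present in the table. The sample output is constructed, not captured from a real switch, and only the "Vlan / Mac Address / Type / Ports" row layout shown in the post is assumed.

```python
import re

# Constructed sample of "show mac address-table" output (not captured from a real switch).
SAMPLE_SHOW_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  48    0023.64a4.0e8c    STATIC      Fa0/35
  49    0023.64a4.0e8c    STATIC      Drop
  49    0011.2233.4455    DYNAMIC     Fa0/12
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
# One table row: vlan, dotted MAC, entry type, then either a port name or "Drop".
_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I)

def to_cisco_mac(mac):
    """Normalise 00:23:64:A4:0E:8C, 00-23-64-a4-0e-8c or 0023.64a4.0e8c to Cisco dotted form."""
    raw = re.sub(r"[:.\-]", "", mac.strip().lower())
    if not _HEX12.match(raw):
        raise ValueError("not a MAC address: %r" % mac)
    return ".".join(raw[i:i + 4] for i in (0, 4, 8))

def deny_on_vlan(mac, vlan):
    """IOS config line that drops frames for this MAC on the given VLAN."""
    return "mac address-table static %s vlan %d drop" % (to_cisco_mac(mac), vlan)

def pin_to_port(mac, vlan, interface):
    """IOS config line that binds the MAC to exactly one VLAN and one interface."""
    return "mac address-table static %s vlan %d interface %s" % (to_cisco_mac(mac), vlan, interface)

def parse_mac_table(text):
    """Parse table rows into (vlan, mac, type, port_or_drop) tuples; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            vlan, mac, kind, target = m.groups()
            entries.append((int(vlan), mac.lower(), kind.upper(), target))
    return entries

def verify_static(entries, mac, vlan, expected):
    """True if a STATIC entry for (mac, vlan) points at `expected` ("Drop" or a port name)."""
    mac = to_cisco_mac(mac)
    return any(v == vlan and m == mac and k == "STATIC" and t == expected
               for v, m, k, t in entries)
```

A static entry matches on the MAC address alone and only within the VLAN it names, so treat it as a containment measure for known hosts rather than as authentication of the host.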
