{"id":847,"date":"2015-05-06T22:14:05","date_gmt":"2015-05-06T20:14:05","guid":{"rendered":"http:\/\/www.netexpertise.eu\/en\/?p=847"},"modified":"2021-05-02T08:22:11","modified_gmt":"2021-05-02T06:22:11","slug":"deny-vlan-access-to-a-mac-address-on-cisco-catalyst","status":"publish","type":"post","link":"http:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html","title":{"rendered":"How to Deny \/ Force VLAN Access to a Mac Address on Cisco"},"content":{"rendered":"\n<p>Different methods exist to filter MAC addresses on a switch, such as:<br>&#8211; <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst4500\/12-2\/25ew\/configuration\/guide\/conf\/port_sec.html\">port security<\/a>,<br>&#8211; <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/support\/docs\/switches\/catalyst-3550-series-switches\/64844-mac-acl-block-arp.html\">MAC access lists<\/a> or even<br>&#8211; <a href=\"http:\/\/www.cisco.com\/c\/en\/us\/td\/docs\/switches\/lan\/catalyst2950\/software\/release\/12-1_19_ea1\/configuration\/guide\/2950scg\/Sw8021x.html\">802.1x port-based authentication<\/a> with RADIUS.<br><br>MAC ACLs require a higher-end switch, while 802.1x authentication is a pretty heavy setup that requires managing a MAC address database on a RADIUS server.<br>Port security allows you to accept some MAC addresses on a port, but what if you don&#8217;t have an exhaustive list? Or what if you want to deny a MAC address access to a specific VLAN?<br><br>All <a href=\"\/en\/category\/networking\/cisco\">Cisco<\/a> switches have a basic feature that lets you configure static MAC addresses. 
Here are 2 simple commands that will help in different scenarios.<br><br><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Deny a MAC Address on a VLAN<\/h3>\n\n\n\n<p>Suppose you want to keep a machine off a specific VLAN because that VLAN has special permissions, such as internet access, that others don&#8217;t.<br>You can deny a specific MAC address on a particular VLAN with the &#8220;drop&#8221; option:<br><br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"vim\" class=\"language-vim\">Cisco(config)# mac address-table static 0023.64a4.0e8c vlan 49 drop\nCisco(config)# do show mac address\n  49    0023.64a4.0e8c    STATIC      Drop<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Force a MAC Address on a VLAN<\/h3>\n\n\n\n<p>You can also make it work the other way around: force a MAC address to work on a particular VLAN and port only, to make sure it is isolated from the rest of the network (if the VLAN is configured that way). Think of that old Windows XP machine running an old piece of software you cannot get rid of \ud83d\ude42<br><br><\/p>\n\n\n\n<pre class=\"wp-block-code\"><code lang=\"vim\" class=\"language-vim\">Cisco(config)# mac address-table static 0023.64a4.0e8c vlan 48 int fa0\/35\nCisco(config)# do show mac address\n  48    0023.64a4.0e8c    STATIC      Fa0\/35<\/code><\/pre>\n\n\n\n<p><br>This prevents anyone who has access to the network cabinet from reaching the wrong VLAN just by moving the network cable to another port, whether intentionally or accidentally.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Different methods exist to filter out mac addresses on a switch such as:&#8211; port security,&#8211; mac access lists or even&#8211; 802.1x port-based authentication with Radius. 
Mac access ACL require a higher end switch while 802.1x authentication is a pretty heavy setup and needs to manage a mac address database on a Radius server.Port security allows [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"categories":[21,32],"tags":[388,378,377,364],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.8.1 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Netexpertise - How to Deny \/ Force VLAN Access to a Mac Address on Cisco<\/title>\n<meta name=\"description\" content=\"Deny or force a mac address to belong to a specific vlan interface on a Cisco switch configuring static mac address entries\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Netexpertise - How to Deny \/ Force VLAN Access to a Mac Address on Cisco\" \/>\n<meta property=\"og:description\" content=\"Deny or force a mac address to belong to a specific vlan interface on a Cisco switch configuring static mac address entries\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html\" \/>\n<meta property=\"og:site_name\" content=\"Netexpertise\" \/>\n<meta property=\"article:published_time\" content=\"2015-05-06T20:14:05+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2021-05-02T06:22:11+00:00\" \/>\n<meta 
name=\"author\" content=\"dave\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@netexpertise\" \/>\n<meta name=\"twitter:site\" content=\"@netexpertise\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html\",\"url\":\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html\",\"name\":\"Netexpertise - How to Deny \/ Force VLAN Access to a Mac Address on Cisco\",\"isPartOf\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#website\"},\"datePublished\":\"2015-05-06T20:14:05+00:00\",\"dateModified\":\"2021-05-02T06:22:11+00:00\",\"author\":{\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\"},\"description\":\"Deny or force a mac address to belong to a specific vlan interface on a Cisco switch configuring static mac address entries\",\"breadcrumb\":{\"@id\":\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"http:\/\/www.netexpertise.eu\/en\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"How to Deny \/ Force VLAN Access to a Mac Address on 
Cisco\"}]},{\"@type\":\"WebSite\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#website\",\"url\":\"http:\/\/www.netexpertise.eu\/en\/\",\"name\":\"Netexpertise\",\"description\":\"Systems \/ Networks \/ DevOps\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"http:\/\/www.netexpertise.eu\/en\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa\",\"name\":\"dave\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/\",\"url\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"contentUrl\":\"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g\",\"caption\":\"dave\"},\"sameAs\":[\"http:\/\/www.netexpertise.eu\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Netexpertise - How to Deny \/ Force VLAN Access to a Mac Address on Cisco","description":"Deny or force a mac address to belong to a specific vlan interface on a Cisco switch configuring static mac address entries","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html","og_locale":"en_US","og_type":"article","og_title":"Netexpertise - How to Deny \/ Force VLAN Access to a Mac Address on Cisco","og_description":"Deny or force a mac address to belong to a specific vlan interface on a Cisco switch configuring static mac address entries","og_url":"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html","og_site_name":"Netexpertise","article_published_time":"2015-05-06T20:14:05+00:00","article_modified_time":"2021-05-02T06:22:11+00:00","author":"dave","twitter_card":"summary_large_image","twitter_creator":"@netexpertise","twitter_site":"@netexpertise","schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html","url":"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html","name":"Netexpertise - How to Deny \/ Force VLAN Access to a Mac Address on Cisco","isPartOf":{"@id":"http:\/\/www.netexpertise.eu\/en\/#website"},"datePublished":"2015-05-06T20:14:05+00:00","dateModified":"2021-05-02T06:22:11+00:00","author":{"@id":"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa"},"description":"Deny or force a mac address to belong to a specific vlan interface on a Cisco switch configuring static mac address 
entries","breadcrumb":{"@id":"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.netexpertise.eu\/en\/networking\/cisco\/deny-vlan-access-to-a-mac-address-on-cisco-catalyst.html#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"http:\/\/www.netexpertise.eu\/en"},{"@type":"ListItem","position":2,"name":"How to Deny \/ Force VLAN Access to a Mac Address on Cisco"}]},{"@type":"WebSite","@id":"http:\/\/www.netexpertise.eu\/en\/#website","url":"http:\/\/www.netexpertise.eu\/en\/","name":"Netexpertise","description":"Systems \/ Networks \/ DevOps","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.netexpertise.eu\/en\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Person","@id":"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/cb4cd666549d22e9070ec1cfc1a496fa","name":"dave","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"http:\/\/www.netexpertise.eu\/en\/#\/schema\/person\/image\/","url":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","contentUrl":"http:\/\/1.gravatar.com\/avatar\/1129916e1f4955bd632f27f836f64e55?s=96&d=mm&r=g","caption":"dave"},"sameAs":["http:\/\/www.netexpertise.eu"]}]}},"_links":{"self":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/847"}],"collection":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/comments?post=847"}],"version-history":[{"count":0,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/posts\/847\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/media?parent=847"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/categories?post=847"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.netexpertise.eu\/en\/wp-json\/wp\/v2\/tags?post=847"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}