[c-nsp] mac filter on switch

Peter Rathlev peter at rathlev.dk
Tue May 23 13:23:47 EDT 2017

> 2017-05-23 17:01 GMT+02:00 Peter Rathlev <peter at rathlev.dk>:
> > Maybe "switchport port-security" with static addresses will do what
> > you want?

On Tue, 2017-05-23 at 17:33 +0200, james list wrote:
> it seems fine, do you have an idea if it's possible to use the mask
> for the mac ?
> Something like:
> mac access-list extended secure-mac
>  permit 40aa.zz00.0000 0000.00ff.ffff any
> It seems I've to list all the mac address and is not possible to use
> a mask.

I convinced you cannot use masks with "switchport port-security".

If you need more flexibility then a simple 802.1X implementation with a
RADIUS-server is perhaps a solution. It's possible to have FreeRADIUS
(and probably other RADIUS servers) use regular expressions to match
the username/MAC address. It is of course more complex and leads to the
switch being dependent on a reachable RADIUS-server...


More information about the cisco-nsp mailing list