rss logo

How to Configure MAC Filtering on Cisco Small Business/SG Series Switches

Cisco logo

Here's how to configure mac address filtering from the commands line on Cisco SG switches. This is static filtering.

Mac addresses filtering is a two-stage process. First we create an ACL in which we declare the mac address(es) that will be authorized, then we block everything else. Finally, we assign the ACL to a switch port.

Note: you can also filter mac addresses dynamically using port security, as explained in this link.

Configuration

  • This configuration has been tested on the following switches:
    • Switch model: Cisco SG550X
    • Switch model: Cisco SG350X

Create an ACL

  • Create ACL MF01:
Switch(config)# mac access-list extended MF01
  • Authorize mac address 24:B6:FD:14:08:53:
Switch(config-mac-al)# permit 24:B6:FD:14:08:53 00:00:00:00:00:00 any ace-priority 20
  • Authorize mac address 48:bd:0e:02:ea:41:
Switch(config-mac-al)# permit 48:bd:0e:02:ea:41 00:00:00:00:00:00 any ace-priority 10
  • Authorize mac address family 00:11:xx:xx:xx:xx:
Switch(config-mac-al)# permit 00:11:00:00:00:00 00:00:FF:FF:FF:FF any ace-priority 8
  • Block all other addresses:
Switch(config-mac-al)# deny any any ace-priority 40

Associating the ACL MF01 with switch ports

  • Configure interfaces from ge1/0/4 to ge1/0/18:
Switch(config)# interface range ge1/0/4-18
  • Apply MF01 access list to interfaces:
Switch(config-if-range)# service-acl input MF01
  • If you wish to cancel the previous command, you can disassociate the MF01 access list from the interfaces:
Switch(config-if-range)# no service-acl input MF01

Some Useful Commands

  • Show access list:
Switch# show access-lists MF01
Extended MAC access list MF01
    permit  host 48:bd:0e:02:ea:41 any ace-priority 10
    permit  host 24:b6:fd:14:08:53 any ace-priority 20
    deny    any any ace-priority 40
  • Delete an ACL entry:
Switch(config)# mac access-list extended MF01
Switch(config-mac-al)# no permit 24:B6:FD:14:08:53 00:00:00:00:00:00 any
  • Delete an ACL:
Switch(config)# no mac access-list extended MF01

Installation Example

Let's look at a concrete example: how to allow only the MAC addresses family 00:11 and the address 24:B6:FD:14:08:53. All other addresses will be rejected.

Diagram showing a Cisco switch connected to multiple devices, illustrating MAC addresses filtered or allowed on the network.
  • Create an access list:
Switch(config)# mac access-list extended MF01
  • Authorize address family 00:11:XX:XX:XX:XX:
Switch(config-mac-al)# permit 00:11:00:00:00:00 00:00:FF:FF:FF:FF any
  • Authorize address 24:B6:FD:14:08:53:
Switch(config-mac-al)# permit 24:B6:FD:14:08:53 00:00:00:00:00:00 any
  • Forbid everything else:
Switch(config-mac-al)# deny any any
  • Apply MAC filtering to interfaces ge1/0/1 to ge1/0/24:
Switch(config)# interface range ge1/0/1-24
Switch(config-if-range)# service-acl input MF01