Configuring access policies by MAC address

About this task

Configure access-policies by MAC address to allow or deny local MAC addresses on the network management port after an access policy is activated. If the source MAC does not match a configured entry, the default action is taken. For connections coming in from a different subnet, the source MAC of the last hop is used in decision making. Configuring access-policies by MAC address does not perform MAC or Forwarding Database (FDB) filtering on data ports.

Procedure

  1. Enter Global Configuration mode:

    enable

    configure terminal

  2. Add the MAC address and configure the action for the policy:

    access-policy by-mac <0x00:0x00:0x00:0x00:0x00:0x00> <allow|deny>

  3. Specify the action for a MAC address that does not match the policy:

    access-policy by-mac action <allow|deny>

Example

Add the MAC address:

Switch:1>enable
Switch:1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch:1(config)#access-policy by-mac 00-C0-D0-86-BB-E7 allow

Variable Definitions

The following table defines parameters for the access-policy by-mac command.

Variable                           Value

<0x00:0x00:0x00:0x00:0x00:0x00>    Adds a MAC address to the policy. Enter the MAC address in hexadecimal format.

<allow|deny>                       Specifies the action to take for the MAC address.
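
The matching rule described under About this task, as an added example that is not part of the vendor documentation: a Python sketch that reads `access-policy by-mac` lines from a saved configuration, reports the action a given source would receive (including the last-hop case for other subnets), and lists allow entries that are gateways. The sample configuration, the gateway MAC and all function names are constructed for illustration, and it assumes the saved configuration lists the commands in the form shown in the Procedure.

```python
import re

# Constructed sample; only the first MAC appears in the page's own example.
SAMPLE_CONFIG = """\
access-policy by-mac 00-C0-D0-86-BB-E7 allow
access-policy by-mac 0x00:0x1b:0x4f:0x00:0x00:0x01 allow
access-policy by-mac 00:1b:4f:aa:bb:cc deny
access-policy by-mac action deny
"""
ENTRY = re.compile(r"^\s*access-policy by-mac (\S+) (allow|deny)\s*$", re.I)

def norm_mac(text):
    """Return 12 lowercase hex digits from 00-C0-.., 00:c0:.. or 0x00:0xc0:.. forms."""
    parts = re.split(r"[:\-.]", text.strip().lower())
    digits = "".join(p[2:] if p.startswith("0x") else p for p in parts)
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def parse_policy(config_text):
    """Return ({mac: action}, default_action); default is None if not configured here."""
    entries, default = {}, None
    for line in config_text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        target, action = m.group(1), m.group(2).lower()
        if target.lower() == "action":
            default = action          # action for MACs with no matching entry
        else:
            entries[norm_mac(target)] = action
    return entries, default

def decide(entries, default, src_mac, last_hop_mac=None):
    """Action for a management connection. A client on another subnet is judged
    by the MAC of its last hop, so pass that MAC as last_hop_mac."""
    return entries.get(norm_mac(last_hop_mac or src_mac), default)

def routed_exposure(entries, gateway_macs):
    """Allow entries that are gateways: every client routed through them is admitted."""
    gateways = {norm_mac(g) for g in gateway_macs}
    return sorted(m for m, a in entries.items() if a == "allow" and m in gateways)

if __name__ == "__main__":
    entries, default = parse_policy(SAMPLE_CONFIG)
    print("local, listed:   ", decide(entries, default, "00:c0:d0:86:bb:e7"))
    print("local, unlisted: ", decide(entries, default, "02:00:00:00:00:99"))
    print("routed, unlisted:", decide(entries, default, "02:00:00:00:00:99",
                                      last_hop_mac="00-1B-4F-00-00-01"))
    print("gateway allows:  ", routed_exposure(entries, ["00:1b:4f:00:00:01"]))
```

An allow entry for a gateway MAC admits every client routed through that gateway, which is why the last line of output is worth reviewing before activating the policy.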