
How to Configure MAC Filtering on Cisco Small Business/SG Series Switches


Here's how to configure MAC address filtering from the command line on Cisco SG switches. This is static filtering.

MAC address filtering is a two-stage process. First we create a MAC ACL that declares the MAC address(es) that are authorized and then denies everything else. Second, we assign that ACL to one or more switch ports.

Note: you can also filter MAC addresses dynamically using port security, which is covered in a separate article.

Configuration

  • This configuration has been tested on the following switches:
    • Switch model: Cisco SG550X
    • Switch model: Cisco SG350X

Create an ACL

  • Create ACL MF01:
Switch(config)# mac access-list extended MF01
  • Authorize MAC address 24:B6:FD:14:08:53:
Switch(config-mac-al)# permit 24:B6:FD:14:08:53 00:00:00:00:00:00 any ace-priority 20
  • Authorize MAC address 48:bd:0e:02:ea:41:
Switch(config-mac-al)# permit 48:bd:0e:02:ea:41 00:00:00:00:00:00 any ace-priority 10
  • Authorize the MAC address family 00:11:xx:xx:xx:xx:
Switch(config-mac-al)# permit 00:11:00:00:00:00 00:00:FF:FF:FF:FF any ace-priority 8
  • Block all other addresses:
Switch(config-mac-al)# deny any any ace-priority 40

Associating the ACL MF01 with switch ports

  • Configure interfaces from ge1/0/4 to ge1/0/18:
Switch(config)# interface range ge1/0/4-18
  • Apply MF01 access list to interfaces:
Switch(config-if-range)# service-acl input MF01
  • To undo the previous command, disassociate the MF01 access list from the interfaces:
Switch(config-if-range)# no service-acl input MF01

Some Useful Commands

  • Show the access list:
Switch# show access-lists MF01
Extended MAC access list MF01
permit host 48:bd:0e:02:ea:41 any ace-priority 10
permit host 24:b6:fd:14:08:53 any ace-priority 20
deny any any ace-priority 40
  • Delete an ACL entry:
Switch(config)# mac access-list extended MF01
Switch(config-mac-al)# no permit 24:B6:FD:14:08:53 00:00:00:00:00:00 any
  • Delete an ACL:
Switch(config)# no mac access-list extended MF01

Installation Example

Let's look at a concrete example: allow only the MAC address family 00:11 and the single address 24:B6:FD:14:08:53. All other addresses will be rejected.

[Diagram: a Cisco switch connected to multiple devices, showing which MAC addresses are allowed on the network and which are filtered.]
  • Create an access list:
Switch(config)# mac access-list extended MF01
  • Authorize address family 00:11:XX:XX:XX:XX:
Switch(config-mac-al)# permit 00:11:00:00:00:00 00:00:FF:FF:FF:FF any
  • Authorize address 24:B6:FD:14:08:53:
Switch(config-mac-al)# permit 24:B6:FD:14:08:53 00:00:00:00:00:00 any
  • Forbid everything else:
Switch(config-mac-al)# deny any any
  • Apply MAC filtering to interfaces ge1/0/1 to ge1/0/24:
Switch(config)# interface range ge1/0/1-24
Switch(config-if-range)# service-acl input MF01
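The following Python model is an added example, not code from the article or from Cisco. It reconstructs the MF01 ACL built above, generates the equivalent CLI lines, simulates which action the switch takes for a given source MAC, and audits a `show access-lists` listing (constructed here in the format the article prints) to confirm the ACL really ends in `deny any any`. It encodes two assumptions the article's numbers imply but does not spell out: the second field of each `permit`/`deny` is a wildcard mask in which a 0 bit must match and a 1 bit is ignored (which is why `00:00:FF:FF:FF:FF` selects the whole `00:11` family), and ACEs are evaluated in ascending `ace-priority` order, first match wins (which is why the catch-all deny carries the highest number). The `family()` helper generalises the page's single 2-octet prefix to any 1 to 5 octet prefix; the `implicit` fallback in `evaluate()` is an assumption and never fires for MF01 because of the explicit deny.

```python
"""Model of a Cisco SG-style MAC ACL (added example, not the article's code)."""
import re
from dataclasses import dataclass
from typing import Optional

MAC_BITS = (1 << 48) - 1
MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)


def mac_to_int(mac: str) -> int:
    """Parse 'aa:bb:cc:dd:ee:ff' (any case) into a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def int_to_mac(value: int) -> str:
    """Render a 48-bit integer as lower-case colon-separated hex."""
    hexstr = f"{value:012x}"
    return ":".join(hexstr[i:i + 2] for i in range(0, 12, 2))


@dataclass(frozen=True)
class Ace:
    action: str          # "permit" or "deny"
    src: Optional[int]   # None stands for the keyword "any"
    wildcard: int        # assumed semantics: set bits are don't-care
    priority: int        # ace-priority; assumed: lower values are checked first


def host(action: str, mac: str, priority: int) -> Ace:
    """Single address: all-zero wildcard, so every bit must match."""
    return Ace(action, mac_to_int(mac), 0, priority)


def family(action: str, prefix: str, priority: int) -> Ace:
    """Prefix family such as '00:11': leading octets fixed, the rest ignored."""
    octets = prefix.split(":")
    if not 1 <= len(octets) <= 5:
        raise ValueError(f"prefix must have 1-5 octets: {prefix!r}")
    padded = ":".join(octets + ["00"] * (6 - len(octets)))
    wildcard = (1 << (8 * (6 - len(octets)))) - 1  # low bits are don't-care
    return Ace(action, mac_to_int(padded), wildcard, priority)


def catch_all(action: str, priority: int) -> Ace:
    return Ace(action, None, MAC_BITS, priority)


def matches(ace: Ace, mac: int) -> bool:
    if ace.src is None:
        return True
    care = MAC_BITS & ~ace.wildcard            # bits that must be equal
    return (mac & care) == (ace.src & care)


def evaluate(acl: list, mac: str, implicit: str = "deny") -> str:
    """Action for a frame from `mac`: lowest ace-priority first, first match wins.
    `implicit` is the assumed result when nothing matches (unused for MF01)."""
    value = mac_to_int(mac)
    for ace in sorted(acl, key=lambda a: a.priority):
        if matches(ace, value):
            return ace.action
    return implicit


def render(name: str, acl: list) -> list:
    """Emit the CLI lines that create the ACL, in evaluation order."""
    lines = [f"mac access-list extended {name}"]
    for ace in sorted(acl, key=lambda a: a.priority):
        src = "any" if ace.src is None else f"{int_to_mac(ace.src)} {int_to_mac(ace.wildcard)}"
        lines.append(f" {ace.action} {src} any ace-priority {ace.priority}")
    return lines


# ACE line as printed by 'show access-lists' in the article: 'host X', 'X MASK' or 'any'.
SHOW_LINE = re.compile(
    r"^\s*(permit|deny)\s+(?:(any)|host\s+(\S+)|(\S+)\s+(\S+))\s+any\s+ace-priority\s+(\d+)",
    re.IGNORECASE,
)


def parse_show(text: str) -> list:
    """Parse the ACE lines of a 'show access-lists' listing; other lines are skipped."""
    acl = []
    for line in text.splitlines():
        m = SHOW_LINE.match(line)
        if not m:
            continue
        action, anykw, hostmac, mac, mask, prio = m.groups()
        if anykw:
            acl.append(catch_all(action.lower(), int(prio)))
        elif hostmac:
            acl.append(host(action.lower(), hostmac, int(prio)))
        else:
            acl.append(Ace(action.lower(), mac_to_int(mac), mac_to_int(mask), int(prio)))
    return acl


def audit(acl: list) -> list:
    """Defender checks: the last-evaluated ACE must be 'deny any any', priorities unique."""
    if not acl:
        return ["ACL is empty"]
    problems = []
    last = max(acl, key=lambda a: a.priority)
    if not (last.action == "deny" and last.src is None):
        problems.append("last ACE is not 'deny any any'; unmatched frames fall to the implicit default")
    prios = [a.priority for a in acl]
    if len(prios) != len(set(prios)):
        problems.append("duplicate ace-priority values make the evaluation order ambiguous")
    return problems


# MF01 as built in the article (constructed from its commands).
MF01 = [
    host("permit", "24:B6:FD:14:08:53", 20),
    host("permit", "48:bd:0e:02:ea:41", 10),
    family("permit", "00:11", 8),
    catch_all("deny", 40),
]

# Constructed 'show access-lists MF01' listing in the article's output format.
SHOW_OUTPUT = """Extended MAC access list MF01
permit host 48:bd:0e:02:ea:41 any ace-priority 10
permit host 24:b6:fd:14:08:53 any ace-priority 20
deny any any ace-priority 40
"""

if __name__ == "__main__":
    print("\n".join(render("MF01", MF01)))
    for probe in ("24:b6:fd:14:08:53", "00:11:22:33:44:55", "00:12:22:33:44:55"):
        print(f"{probe} -> {evaluate(MF01, probe)}")
    print("audit:", audit(parse_show(SHOW_OUTPUT)) or "ok")
```

Run it as a script to see the generated commands, the verdict for three probe addresses (the page's permitted host, a member of the `00:11` family, and a near-miss `00:12` address that hits the deny), and the audit result. `audit()` is the check worth running against a live switch's `show access-lists` output after every change: a MAC ACL whose highest-numbered ACE is not `deny any any` leaves the fate of unlisted addresses to the platform default rather than to the administrator. Keep in mind what this control is: it matches on the source address field of each frame, which the sender chooses, so a static MAC ACL is a hygiene and segmentation measure, not authentication of the device.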
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
