MAC filtering on Cisco ESW 520 switch


I'm installing a new switch into a shared office, and I've started playing with 802.x or is it 802.1x :)

Anyway, the idea is that only authorised computers should be able to connect to the network as it is a shared environment, and I wanted to stop any attempt of simply plugging a laptop in and getting an IP address via DHCP; it is a wired Ethernet network. On top of that I have the normal usernames and passwords deal for network resources - but if it is a computer that I am not aware of in the first place, I don't even want it to be able to broadcast a DHCP request on the network.

I figured that I would be able to do this easily with MAC address filtering, and I was informed that the Cisco ESW 520 switch could do this. As we have bar code scanners, the process of getting the MAC address in the first place is trivial.

I figured that all I needed to do was to enter a list of MAC addresses, and the job's done.

However, I am overwhelmed by the configuration on the Cisco ESW 520, and it appears I've bitten off more than I can chew.  

It seems that I need to create ACLs and then associate the ACLs to ports on the switch - I'm completely lost and have no idea how to proceed with what should be a trivial thing.




On switches you can usually configure the port to allow only a statically (manually) defined list of MAC addresses to connect. Or the switch can learn the first MAC address(es) and it will not allow other MACs.
If you have a list of all company devices' MAC addresses, it would be fine if the device supports MAC filtering/authorisation via a RADIUS server. According to the Cisco doc, the ESW 520 supports RADIUS 802.1x authentication:

Radius Accounting — Defines the authentication method used for RADIUS
session accounting. Possible field values are:
- 802.1x — 802.1x authentication is used to initiate accounting.
- Login — Login authentication is used to initiate accounting.
- Both — Both 802.1x and login authentication are used to initiate
- None — No authentication is used to initiate accounting.

I am not sure, but perhaps it will work if you enable 802.1x in port Security and set the Authentication method to 'MAC Only', and you have the RADIUS server running (with a database of allowed MAC addresses) and the switches configured to use RADIUS for 802.1x ...
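
One way to turn a barcode-scanned MAC list into the "database of allowed MAC addresses" mentioned above, as an added example that is not part of the original thread: it validates and de-duplicates the scans and emits FreeRADIUS `users` file entries. It assumes the switch sends the MAC as 12 lowercase hex digits for both user name and password; check what the ESW 520 actually sends before relying on that format.

```python
import re

# Constructed sample input: scanner output in mixed notations, with bad entries.
SCANNED = """\
00:1A:2B:3C:4D:5E
00-1a-2b-3c-4d-5f
001a.2b3c.4d60
001A2B3C4D5E
FF:FF:FF:FF:FF:FF
01:00:5E:00:00:FB
00:1A:2B:3C:4D
"""

# Accept bare hex, colon/hyphen octets, or dotted 4-digit groups only.
MAC_RE = re.compile(
    r"[0-9A-Fa-f]{12}"
    r"|(?:[0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}"
    r"|(?:[0-9A-Fa-f]{4}\.){2}[0-9A-Fa-f]{4}"
)

def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or raise ValueError."""
    s = raw.strip()
    if not MAC_RE.fullmatch(s):
        raise ValueError("not a MAC address")
    mac = re.sub(r"[:.\-]", "", s).lower()
    # Low bit of the first octet set = group address, never a real station.
    if int(mac[:2], 16) & 1:
        raise ValueError("multicast/broadcast address")
    return mac

def build_allowlist(text):
    """Return (sorted unique MACs, [(line_no, raw, reason), ...] rejects)."""
    allowed, rejected = set(), []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            allowed.add(normalize_mac(line))
        except ValueError as exc:
            rejected.append((n, line.strip(), str(exc)))
    return sorted(allowed), rejected

def radius_users(macs):
    """FreeRADIUS 'users' entries; user name = password = MAC (assumed format)."""
    return "".join(f'{m} Cleartext-Password := "{m}"\n' for m in macs)

if __name__ == "__main__":
    macs, bad = build_allowlist(SCANNED)
    print(radius_users(macs), end="")
    for n, raw, why in bad:
        print(f"# rejected line {n}: {raw} ({why})")
```
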

pb969 (Author) commented:
Yep (and damn)
I think a RADIUS server might make things better

The attached file is the administration guide for ESW 520 switches. If you go to the 802.1x authentication page, you will see that port authentication can be of the "MAC only" type, and preferably you can define the MAC address there. If you want to go for all MAC addresses, make an ACL of all of them and apply it across the interfaces. I think all the answers are there if you go through the quick admin guide. I don't have this switch handy, so I cannot define it exactly.


pb969 (Author) commented:
Thanks surbabu,
I already have the admin guide, and it looks like I will need to install a RADIUS server to make it work.