Can a mac-address table be used in control-plane to restrict/allow a specific user's PC to log in to a router/switch?

Hi, I would like to set up a mac-address ACL in the control-plane in order to restrict/allow a specific user's PC to log in to a router/switch. If I attach the mac-address ACL to the vty, it looks like it could not work. So I want to attach it to the control-plane. Do you think it is OK?
eemoon Asked:
John, Business Consultant (Owner), Commented:
Control Panel has no ability to restrict its computer from an arbitrary network based on the MAC address of the network card. So no, I do not think that will work.

The MAC address table is in a router but is not a very secure way of prohibiting a guest or allowing a guest. MAC filtering normally excludes all but listed guests.

I normally secure the server against undesired logins (that is, make server access secure). That way, if a user has a machine they attach to the network, then they need network credentials to log on to the network devices and cannot if they do not have the credentials.

Wireless routers are very secure against unauthorized access.

None of the above is done via Control Panel, however.
Don Johnston, Instructor, Commented:
I think you're using "control plane" in too broad of a context.  If you're talking about people logging in to a router or switch, that's management traffic. While technically it's still control plane in that it's going to/from the router or switch, it's characterized separately.

As for controlling it, an ACL tied to the VTY lines is sufficient for most cases.  Doing this with COPP is a lot of work with no benefit.
eemoon, Author, Commented:
Hi, thank you so much for your fast reply.
I am sorry that I typed it wrong. The title should be "mac-address acl can be used in control-plane to restrict/allow specific user's pc log in router/switch?"

"Doing this with COPP is a lot of work with no benefit."
If we do not use CoPP, how can we resolve this issue?
Don Johnston, Instructor, Commented:
So you want to block a user from accessing the router or switch based on mac address?

I would try a mac address ACL applied to the VTY lines.  Not sure if you can do that though since the VTY lines are for IP so you might not be able to apply that ACL to a VTY line.

If not, I suppose you could reference a mac ACL in the COPP class map and then police it to basically zero bps in the police statement.  But I've never done that either.
eemoon, Author, Commented:
Thank you so much for your suggestion!
Craig Beck Commented:
I don't think you can use a MAC ACL to restrict access to the VTY lines.  Also, according to Cisco, you can't use MAC ACLs for COPP...

http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst6500/ios/12-2SX/configuration/guide/book/copp.pdf

Why are you trying to do this by specifying the MAC address though anyway?  It's far simpler to do it with IP instead.

Have a look at the COPP best practice guide...

http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
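
Added example, not part of any reply in this thread: a small Python check for the IP-based approach suggested above (a standard ACL applied to the VTY lines with `access-class ... in`). It reads a running-config and reports any `line vty` range that has no inbound access-class or that references an ACL not defined in the config. The function name `audit_vty`, the sample config and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Constructed running-config excerpt (not from the thread). ACL 10 permits one
# management PC by IP address; it is applied to vty 0 4 but not to vty 5 15.
SAMPLE_CONFIG = """\
access-list 10 permit host 192.0.2.10
access-list 10 deny   any log
!
line con 0
line vty 0 4
 access-class 10 in
 login local
line vty 5 15
 login local
!
end
"""

def audit_vty(config):
    """Map each 'line vty' range to a list of findings (empty list = OK)."""
    # ACLs defined as 'access-list <id> ...' or 'ip access-list <type> <name>'.
    defined = set(re.findall(
        r"^(?:access-list|ip access-list \w+) (\S+)", config, re.M))
    applied, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):      # an unindented line opens a new stanza
            m = re.match(r"line vty (\d+)(?: (\d+))?$", line.rstrip())
            current = f"{m.group(1)}-{m.group(2) or m.group(1)}" if m else None
            if current:
                applied[current] = None
        elif current and words[:1] == ["access-class"] and "in" in words[2:]:
            applied[current] = words[1]   # ACL filtering inbound logins
    findings = {}
    for vty, acl in applied.items():
        if acl is None:
            findings[vty] = ["no inbound access-class"]
        elif acl not in defined:
            findings[vty] = [f"access-class {acl} is not defined in this config"]
        else:
            findings[vty] = []
    return findings

if __name__ == "__main__":
    for vty, issues in audit_vty(SAMPLE_CONFIG).items():
        print(f"vty {vty}:", "; ".join(issues) or "OK")
```

On the sample, vty 0-4 is reported OK and vty 5-15 is flagged, which is the usual way a VTY ACL ends up covering only part of the lines.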
