MAC Access Lists
Just as we can create access lists based on IP addresses, we can also create access lists based on MAC addresses. The first section sets up an extended MAC access list named mac_filter. It then adds a permit statement for a single host with the MAC address 0000.0000.0000, allowing it to reach any other host. This is followed by a deny any any, which stops every other host (any host that isn't 0000.0000.0000) from passing packets to any other host via this interface.
Switch(config)#mac access-list extended mac_filter
Switch(config-ext-nacl)#permit host 0000.0000.0000 any
Switch(config-ext-nacl)#deny any any
Switch(config-ext-nacl)#exit
After the access list is created, it is applied to the interface just as an IP access list would be.
Switch(config)#interface GigabitEthernet1/0/1
Switch(config-if)#mac access-group mac_filter in
Switch(config-if)#exit
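The first-match behaviour described above can be checked offline before the list is applied to a port. The following Python sketch is an added example, not part of the original post or of Cisco's software; the function names, the treatment of an address mask as a wildcard mask, and the sample frames are assumptions made for illustration.

```python
import re

def norm_mac(text):
    """Normalize any common MAC notation to a 48-bit integer."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return int(digits, 16)

def parse_spec(tokens):
    """Consume one address spec: 'any', 'host MAC', or 'MAC MASK'."""
    first = tokens.pop(0)
    if first == "any":
        return (0, (1 << 48) - 1)            # every bit is "don't care"
    if first == "host":
        return (norm_mac(tokens.pop(0)), 0)  # every bit must match
    # Assumption: MASK is a wildcard mask (set bits are ignored).
    return (norm_mac(first), norm_mac(tokens.pop(0)))

def parse_acl(lines):
    """Collect permit/deny entries; prompts and other commands are skipped."""
    rules = []
    for line in lines:
        tokens = line.split("#")[-1].split()
        if tokens and tokens[0] in ("permit", "deny"):
            action = tokens.pop(0)
            rules.append((action, parse_spec(tokens), parse_spec(tokens)))
    return rules

def matches(spec, mac):
    return (norm_mac(mac) | spec[1]) == (spec[0] | spec[1])

def evaluate(rules, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for number, (action, s, d) in enumerate(rules, 1):
        if matches(s, src) and matches(d, dst):
            return action, number
    return "deny", None

# The access list from this page, pasted with its prompts.
ACL = """Switch(config)#mac access-list extended mac_filter
Switch(config-ext-nacl)#permit host 0000.0000.0000 any
Switch(config-ext-nacl)#deny any any
Switch(config-ext-nacl)#exit""".splitlines()
RULES = parse_acl(ACL)
# Constructed frames: (source MAC, destination MAC)
for src, dst in [("00:00:00:00:00:00", "aa:bb:cc:00:00:01"),
                 ("aa-bb-cc-00-00-02", "0000.0000.0000")]:
    print(src, "->", dst, evaluate(RULES, src, dst))
```

Each result is the action together with the number of the entry that matched; an entry number of None means the frame matched nothing and was dropped by the implicit deny at the end of the list.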