I am using a MAC access list on this switch, so I go about it by first creating the MAC access list:

    #conf t
    #mac access-list extended aclname
    # permit host XXXX.XXXX.XXXX any

Then, I tie this list to all/one port:

    #conf t
    #interface gigabit 1/0/Y
    # mac access-group aclname in

So, any traffic coming towards port Y gets checked against the MAC access list, to check if the source is allowed to enter. Then I do a

    #clear mac address-table dynamic

I have done this at many site offices, but there is this particular site, which has about 80+ devices, that is driving me crazy; this site has a larger number of devices than the other sites. So every time I add a MAC, another device gets disconnected. I guess my question is: Is there any limitation on this access list? How do you propose I overcome this?
It sounds like you are running out of the limited TCAM space. You could change the SDM.
If you are not using this as a layer-3 switch with routing, you could use the sdm prefer access command to increase the TCAM space for ACLs. This command requires you to reload the switch for it to take effect. This seems like a lot of work for little to no gain. It is very simple to spoof or change a MAC address in a host. Trying to restrict access based on MAC addresses is a fool's game. Anyone could waltz in there and clone a MAC address for his device to connect to your network. There are much better ways to do this.
See, its comments, and its answers. There are also other questions and answers on this site if you search.
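The answer above points out that a MAC allow-list can be defeated by cloning a permitted address. One defensive check that follows from that, added here as an example (not code from the original post or from the switch vendor), is to audit the switch's dynamic MAC table against the ACL allow-list and flag any MAC that shows up on more than one port. The table text and the allow-list below are constructed samples in the style of Cisco IOS "show mac address-table dynamic" output.

```python
import re
from collections import defaultdict

# Constructed sample, formatted like "show mac address-table dynamic" output.
# 0011.2233.4455 is a permitted host that appears on two ports at once.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/1
  10    0011.2233.4456    DYNAMIC     Gi1/0/2
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
  10    00aa.bbcc.ddee    DYNAMIC     Gi1/0/3
"""

# Constructed allow-list: the hosts one would "permit host ..." in the MAC ACL.
ALLOWED_MACS = {"0011.2233.4455", "0011.2233.4456"}

# One table row: VLAN, dotted-hex MAC, type, port.
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of (vlan, mac, port) tuples; header/separator lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower(), m.group(4)))
    return entries


def audit_mac_table(entries, allowed):
    """Return (duplicates, unknown).

    duplicates: MACs learned on more than one port, a sign of a cloned address.
    unknown:    MACs present in the table that are not on the ACL allow-list.
    """
    ports_by_mac = defaultdict(set)
    for _vlan, mac, port in entries:
        ports_by_mac[mac].add(port)
    duplicates = {mac: sorted(p) for mac, p in ports_by_mac.items() if len(p) > 1}
    unknown = sorted(mac for mac in ports_by_mac if mac not in allowed)
    return duplicates, unknown


if __name__ == "__main__":
    dups, unk = audit_mac_table(parse_mac_table(SAMPLE_MAC_TABLE), ALLOWED_MACS)
    for mac, ports in dups.items():
        print(f"possible clone: {mac} seen on {', '.join(ports)}")
    for mac in unk:
        print(f"not on allow-list: {mac}")
```

Run it against a saved copy of the real table after the "clear mac address-table dynamic" step; a permitted MAC on two ports is the case the ACL itself cannot catch.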