iamalpine
How do I apply multiple MAC addresses on multiple ports for port security?
I have a training room with 12 network points. I need to ensure that these 12 network points provide connectivity only to 12 desktops and 5 laptops. Any desktop or laptop can connect to any of these 12 points. I tried the following:
switchport port-security maximum 16
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 1111.2222.3333
switchport port-security mac-address 4444.5555.6666
switchport port-security mac-address 7777.8888.9999
switchport port-security mac-address 0000.1111.2222
switchport port-security mac-address 3333.4444.5555
switchport port-security mac-address 6666.7777.8888
switchport port-security mac-address 9999.0000.1111
switchport port-security mac-address 2222.3333.4444
switchport port-security mac-address 5555.6666.7777
switchport port-security mac-address 8888.9999.0000
switchport port-security mac-address 1234.5678.9012
switchport port-security mac-address 3456.7890.1234
switchport port-security mac-address 5678.9012.3456
switchport port-security mac-address 7890.1234.5678
switchport port-security mac-address 9012.3456.7890
When I enter these commands on one port it accepts them. The moment I enter the same commands on another port on the same switch it says "duplicate MAC address".
So I tried using an access list:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234
and applied this ACL on an interface.
It still does not work. If I connect any other device to this port it gets connected. Is there a way to do what I want via IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, no other device should get connected.
ASKER
This switch is connected to the core via 2 gig fibre ports. I have put the port violation mode on protect.
Would that mean that for any unauthorized laptop it will block only that laptop, or block all ports of the switch? I will try this out tomorrow.
Why does the extended ACL not work? That should work. Am I doing anything wrong with the ACL? I did the following:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234
int g1/0/2
access-group allowed in
int g1/0/3
access-group allowed in
Do I need to add a deny statement to the ACL so that it blocks anything apart from these MAC addresses?
What other options do I have? I know I won't buy the secure server from Cisco. I need to make this work somehow.
It appears that you're trying to do a VACL (VLAN Access Control List). It uses a completely different syntax.
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html
ASKER
No, it's not a VACL, it's an extended ACL for MAC addresses. Typically this ACL should permit only what is in it and deny all others, but it does not do that. It allows all hosts to connect.
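For reference, the MAC ACL syntax the two posts above are circling around, written out as an added example by the editor (it is not the asker's or any answerer's configuration; the ACL name, VLAN, interface range and MAC addresses are placeholders). Two details differ from the posted attempt: every permit entry needs a destination (`any`), and the list is bound to a Layer 2 port with `mac access-group`, not `access-group`. A named MAC ACL ends in an implicit deny, so no explicit deny line is required. The caveat that actually decides this question: on the stackable Catalyst 2960/3560/3750 family (the g1/0/x interface naming suggests a 3750 stack), a MAC ACL applied to a Layer 2 port classifies only non-IP frames; IPv4 traffic is not matched at all. That is consistent with the observation that an unauthorized PC still gets through, and it is why the correctly written ACL below still does not enforce the 16-host restriction for IP traffic.

```cisco
! Named MAC extended ACL: one entry per authorised source MAC.
! MAC addresses are placeholders, not the ones from the thread.
mac access-list extended TRAINING-ROOM-HOSTS
 permit host 0200.0000.0001 any
 permit host 0200.0000.0002 any
 permit host 0200.0000.0003 any
 permit host 0200.0000.0004 any
! ... one permit per authorised desktop or laptop ...
! An implicit "deny any any" follows the last entry; no explicit deny needed.
!
! Bind it inbound on the 12 training-room access ports (Gi1/0/2 - Gi1/0/13 assumed).
interface range GigabitEthernet1/0/2 - 13
 switchport mode access
 switchport access vlan 100
 mac access-group TRAINING-ROOM-HOSTS in
!
! Verification: confirm the binding and the entries actually installed.
! show mac access-group interface GigabitEthernet1/0/2
! show access-lists TRAINING-ROOM-HOSTS
```

If `show mac access-group` shows the list bound and an unauthorized IP host still gets an address and passes traffic, the platform is filtering non-IP frames only, and no amount of deny entries will change that; the enforcement has to come from port security or 802.1X instead.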
So what is the g1/0/2 and g1/0/3 interface connected to?
ASKER
Those are just interfaces where the desktops are connected. The switches have all gig ports.
ASKER
I checked this: if port violation is put on protect mode and a new device is connected it blocks all, until the port is shut down and started again. Is there any solution to my query, or is Cisco ACS the only answer?
No. Another solution would be 802.1x with ACS
Question was asked and answered.
ASKER
My question is as given below:
Is there a way to do what I want via IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, no other device should get connected.
My purpose didn't get solved, but if you still think that I should award you points for something which has not happened, I will do that.
>Is there a way to do what i want via the IOS only.
>My aim is to allow 16 desktops+ laptops to connect to any of the 12 ports in my training room.
I provided a couple possible solutions. Just because you don't like the answers doesn't mean it's not an answer.
I still think the closest solution is to use port security on the upstream switch, statically define the 12 MAC addresses and use "protect" on a violation. It still won't keep the unauthorized PC from communicating with the other 12 devices, but that's the best you're going to get without an external solution.
ASKER
As I said, it did not sort the problem I had. I had also got these details from the Cisco site, but since you are so sure and think you deserve the points, here you go.
I practically tried the solutions which you gave me. My question was to do port security based on MAC address; you suggest securing one port and using that as the uplink.
Anyway, no more comments. You have been awarded the points for something that did not work for me.
Thanks for trying to help anyway.
ASKER
satisfied
What you could do is apply port security to the port on the upstream switch that connects to the training-room switch.
The only problem is that when an unauthorized MAC is learned, the port on the upstream switch will go into protect mode and all devices in the classroom will be isolated.
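The uplink approach from the accepted answer, spelled out in IOS as an added example by the editor; this is not the answerer's own configuration, and the interface, VLAN and MAC addresses are placeholders. It goes on the core-side port that faces the training-room switch. Behaviour as documented for Cisco port security: a MAC can be a static secure address on only one port, which is the "duplicate MAC address" error the asker hit when repeating the list on every access port; `protect` silently drops frames from unknown source MACs once the maximum is reached while static and learned hosts keep working, `restrict` does the same but logs, traps and counts each violation, and `shutdown` err-disables the port. The asker lists 12 desktops and 5 laptops, which is 17 hosts rather than the 16 in the posted config, and one more entry is needed for the training-room switch's own MAC, which sources its CDP, STP and management frames through the same uplink, so the example allows 18. Two caveats: port security cannot be configured on EtherChannel member ports, so if the two fibre uplinks are bundled it has to go on a single, unbundled uplink (or the 802.1X route the thread mentions); and on a trunk the static entries need the `vlan` keyword. As the answerer notes, this does not stop an unauthorized PC from talking to authorised hosts on the training-room switch itself; it only keeps it off the rest of the network.

```cisco
! Core-side port facing the training-room switch (access port in VLAN 100 assumed).
! 12 desktops + 5 laptops = 17 hosts, plus the training-room switch's own MAC = 18.
! MAC addresses are placeholders, not the ones from the thread.
interface GigabitEthernet1/0/24
 description Uplink to training-room switch
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 18
! restrict (rather than protect) so every violation is logged and counted
 switchport port-security violation restrict
! training-room switch's own MAC
 switchport port-security mac-address 0200.0000.00ff
! 12 desktops
 switchport port-security mac-address 0200.0000.0001
 switchport port-security mac-address 0200.0000.0002
 switchport port-security mac-address 0200.0000.0003
 switchport port-security mac-address 0200.0000.0004
 switchport port-security mac-address 0200.0000.0005
 switchport port-security mac-address 0200.0000.0006
 switchport port-security mac-address 0200.0000.0007
 switchport port-security mac-address 0200.0000.0008
 switchport port-security mac-address 0200.0000.0009
 switchport port-security mac-address 0200.0000.000a
 switchport port-security mac-address 0200.0000.000b
 switchport port-security mac-address 0200.0000.000c
! 5 laptops
 switchport port-security mac-address 0200.0000.0011
 switchport port-security mac-address 0200.0000.0012
 switchport port-security mac-address 0200.0000.0013
 switchport port-security mac-address 0200.0000.0014
 switchport port-security mac-address 0200.0000.0015
!
! If the uplink is a trunk instead, bind each static entry to its VLAN:
!  switchport port-security mac-address 0200.0000.0001 vlan 100
!
! Verification and troubleshooting:
! show port-security interface GigabitEthernet1/0/24
! show port-security address
! show port-security interface GigabitEthernet1/0/24 | include Violation|Last Source
```

The last `show` line is the practical check after a complaint from the room: `Security Violation Count` tells you whether an unauthorized MAC has been seen, and `Last Source Address:Vlan` tells you which one, without having to shut and re-enable the port.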