Solved

How do I apply multiple MAC addresses on multiple ports for port security?

Posted on 2008-06-17
Last Modified: 2009-01-14
I have got a training room which has 12 network points. I need to ensure that these 12 network points provide connectivity only to 12 desktops and 5 laptops. Any desktop or any laptop can connect on any of these 12 points. I tried the following:
switchport port-security maximum 16
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 1111.2222.3333
switchport port-security mac-address 4444.5555.6666
switchport port-security mac-address 7777.8888.9999
switchport port-security mac-address 0000.1111.2222
switchport port-security mac-address 3333.4444.5555
switchport port-security mac-address 6666.7777.8888
switchport port-security mac-address 9999.0000.1111
switchport port-security mac-address 2222.3333.4444
switchport port-security mac-address 5555.6666.7777
switchport port-security mac-address 8888.9999.0000
switchport port-security mac-address 1234.5678.9012
switchport port-security mac-address 3456.7890.1234
switchport port-security mac-address 5678.9012.3456
switchport port-security mac-address 7890.1234.5678
switchport port-security mac-address 9012.3456.7890

When I enter these commands on one port it accepts them. The moment I enter the same commands on another port on the same switch it says duplicate MAC address.
So I tried using an access list:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234 any
and applied this ACL on an interface.

It still does not work. If I connect any other device on this port it gets connected. Is there a way to do what I want via the IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, none other should get connected.
Question by:iamalpine
16 Comments
 
LVL 50

Expert Comment

by:Don Johnston
ID: 21801662
This is one of the limitations of port security.

What you could do is apply the port security to the port on the switch that connects to the switch for the training room.

The only problem is that when an unauthorized MAC is learned, the port on the upstream switch will go into protect mode and all devices in the classroom will be isolated.
0
 

Author Comment

by:iamalpine
ID: 21803575
This switch is connected to the core via 2 gig fibre ports. I have put the port violation mode on protect.
Would that mean that for any unauthorized laptop it will block only that laptop, or will it block all ports of the switch? I will try this out tomorrow.
Why does the extended ACL not work? That should work; am I doing anything wrong with the ACL? I did the following:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234 any
int g1/0/2
mac access-group allowed in
int g1/0/3
mac access-group allowed in

Do I need to add a deny statement to the ACL so that it blocks anything apart from these MAC addresses?
What other options do I have? I know I won't buy the secure server from Cisco. I need to make this work somehow.
0
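The corrected form of the MAC ACL from the question and the comment above, added here by the editor and not posted by either participant. Two points matter for anyone reproducing this: the interface command is `mac access-group` (a bare `access-group` is not an interface command), and on Catalyst 3560/3750-class switches (the `g1/0/x` interface names suggest one of these) a MAC ACL applied to a Layer 2 port filters only non-IP traffic, so IP hosts pass it regardless of their MAC address. That is consistent with the observation that every device still connects. A MAC ACL also ends in an implicit deny, so an explicit `deny any any` changes nothing except readability. Interface and MAC values are the thread's own placeholders.

```cisco
! Corrected MAC ACL syntax (editor's example, not from the thread).
! Caveat: on Catalyst 3560/3750-class switches, "mac access-group" on a
! Layer 2 port filters only NON-IP traffic; IP frames from any host pass.
mac access-list extended allowed
 permit host 1234.5678.9012 any
 permit host 3456.7890.1234 any
 ! implicit deny follows; written out only to make the intent visible
 deny any any
!
interface GigabitEthernet1/0/2
 mac access-group allowed in
!
interface GigabitEthernet1/0/3
 mac access-group allowed in
!
! verification: confirm the ACL is bound and see which entries are matching
show mac access-group interface GigabitEthernet1/0/2
show access-lists allowed
```

If the `show access-lists` hit counters stay at zero while IP hosts keep connecting, the ACL is working as designed for non-IP frames and is simply not the tool for this job; per-port MAC filtering for IP hosts on these platforms is the role of port security or 802.1X, not of a MAC ACL.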
 
LVL 50

Expert Comment

by:Don Johnston
ID: 21804460
It appears that you're trying to do a VACL (VLAN Access Control List). It uses a completely different syntax.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html
0

Author Comment

by:iamalpine
ID: 21804648
No, it's not a VACL, it's an extended ACL for MAC addresses. Typically this ACL should permit only what is in it and deny all others, but it does not do that. It allows all hosts to connect.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 21804770
So what is the g1/0/2 and g1/0/3 interface connected to?
0
 

Author Comment

by:iamalpine
ID: 21809914
Those are just interfaces where the desktops are connected. The switches have all gig ports.
0
 

Author Comment

by:iamalpine
ID: 21811486
I checked this: if the port violation mode is set to protect and a new device is connected, it blocks all, till the port is shut down and started again. Is there any solution to my query, or is Cisco ACS the only answer?
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 21811588
No. Another solution would be 802.1x with ACS
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 21854806
Question was asked and answered.
0
 

Author Comment

by:iamalpine
ID: 21856025
My question is as given below:
Is there a way to do what I want via the IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, none other should get connected.
My purpose didn't get solved, but if you still think that I should award you points for something which has not happened, I will do that.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 21856420
>Is there a way to do what i want via the IOS only.
>My aim is to allow 16 desktops+ laptops to connect to any of the 12 ports in my training room.

I provided a couple of possible solutions. Just because you don't like the answers doesn't mean it's not an answer.

I still think the closest solution is to use port security on the upstream switch, statically define the 12 MAC addresses, and use "protect" on a violation. It still won't keep the unauthorized PC from communicating with the other 12 devices, but that's the best you're going to get without an external solution.
0
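A worked configuration for the approach described in the comment above, added by the editor; it is not configuration posted in the thread. Port security binds each secure MAC address to exactly one port within a VLAN, which is why the same static list was rejected as a duplicate on a second access port; placing the list on the single port that faces the training-room switch avoids that. Two changes a defender would want over the thread's version: `restrict` instead of `protect`, because restrict still drops frames from unknown sources but also increments the violation counter and can send a syslog message and SNMP trap, whereas protect drops silently and leaves no trace; and `show port-security` to verify what the switch has actually learned. The interface name on the upstream switch, the VLAN number and the syslog host address are assumptions; the MAC addresses are the thread's placeholders. The room switch uplinks over two fibre ports, so each physical uplink facing the room needs the same treatment, and whether port security can be applied to a port-channel interface depends on platform and IOS release, so check the release notes for the core switch.

```cisco
! Upstream switch, port facing the training-room switch.
! Interface name, VLAN and syslog host are assumed values.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! maximum must be at least the number of static entries configured below
 switchport port-security maximum 16
 ! restrict: drop unknown source MACs AND count/log/trap each violation
 ! (protect drops silently; shutdown err-disables the port and isolates the whole room)
 switchport port-security violation restrict
 switchport port-security mac-address 1111.2222.3333
 switchport port-security mac-address 4444.5555.6666
 switchport port-security mac-address 7777.8888.9999
 ! ... remaining authorised MAC addresses from the original list ...
!
! make violations visible to the syslog collector and NMS
logging host 192.0.2.10
snmp-server enable traps port-security
!
! verification: violation mode, counter, and the secure address table
show port-security interface GigabitEthernet1/0/1
show port-security address
```

The limitation stated in the comment still holds: an unauthorised device plugged into the room switch is cut off from the rest of the network at the uplink, but it can still exchange frames with the authorised devices on the same room switch. The violation counter and syslog entries at least make such an event observable, which the silent protect mode does not.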
 

Author Comment

by:iamalpine
ID: 21856937
As I said, it did not sort the problem I had. I had also got these details from the Cisco site, but since you are so sure and think you deserve the points, here you go.
I practically tried the solutions which you gave me. My question was to do port security based on MAC address; you suggested securing one port and using that as uplink.
Anyway, no more comments. You have been awarded the points for something that did not work for me.
Thanks for trying to help anyway.
0
 
LVL 50

Assisted Solution

by:Don Johnston
Don Johnston earned 800 total points
ID: 21857078
Don't award the points if you don't feel the question was answered.

But consider what will happen when the next time you or someone else asks a question on how to do something. If we don't get acknowledgment for responding that it can't be done and we don't respond at all, what will the asker think? That nobody knows how to do it? That nobody has seen the question?

What will no response achieve?

Maybe next time, you can post "if it can't be done, please don't tell me" at the end of your question?

0
 

Accepted Solution

by:iamalpine
iamalpine earned 0 total points
ID: 21862693
I think we should close this question. Donjohnston seems to be an expert at answering and I agree he has helped me. Please award the points, which I have already done, and close this question.
One thing to be remembered is that there are many such tech support sites. I come to Experts Exchange only because I get good solutions and not half-baked ones. I guess from next time onwards I will do what Don has said and go to some other providers for queries. Attitude does not go down well with consumers. In the end it is a consumer-oriented world; if you don't get what you want you don't buy. As simple as that.
0
 

Author Comment

by:iamalpine
ID: 23334059
satisfied
0