Solved

How do I apply multiple MAC addresses on multiple ports for port security?

Posted on 2008-06-17
Last Modified: 2009-01-14
I have a training room with 12 network points. I need to ensure that these 12 network points provide connectivity only to 12 desktops and 5 laptops. Any desktop or laptop can connect on any of these 12 points. I tried the following:
switchport port-security maximum 16
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 1111.2222.3333
switchport port-security mac-address 4444.5555.6666
switchport port-security mac-address 7777.8888.9999
switchport port-security mac-address 0000.1111.2222
switchport port-security mac-address 3333.4444.5555
switchport port-security mac-address 6666.7777.8888
switchport port-security mac-address 9999.0000.1111
switchport port-security mac-address 2222.3333.4444
switchport port-security mac-address 5555.6666.7777
switchport port-security mac-address 8888.9999.0000
switchport port-security mac-address 1234.5678.9012
switchport port-security mac-address 3456.7890.1234
switchport port-security mac-address 5678.9012.3456
switchport port-security mac-address 7890.1234.5678
switchport port-security mac-address 9012.3456.7890

When I enter these commands on one port, it accepts them. The moment I enter the same commands on another port on the same switch, it says duplicate MAC address.
So I tried using an access list:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234 any
and applied this ACL on an interface.

It still does not work. If I connect any other device on this port, it gets connected. Is there a way to do what I want via the IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, none other should get connected.
Question by:iamalpine

Expert Comment

by:Don Johnston
ID: 21801662
This is one of the limitations of port security.

What you could do is apply the port security to the port on the switch that connects to the switch for the training room.

The only problem is that when an unauthorized MAC is learned, the port on the upstream switch will go into protect mode and all devices in the classroom will be isolated.

Author Comment

by:iamalpine
ID: 21803575
This switch is connected to the core via 2 gig fibre ports. I have put the port-security violation mode on protect.
Would that mean that for any unauthorized laptop it will block only that laptop, or block all ports of the switch? I will try this out tomorrow.
Why does the extended ACL not work? That should work; am I doing anything wrong with the ACL? I did the following:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234 any
int g1/0/2
mac access-group allowed in
int g1/0/3
mac access-group allowed in

Do I need to add a deny statement to the ACL so that it blocks anything apart from these MAC addresses?
What other options do I have? I know I won't buy the secure server from Cisco. I need to make this work somehow.
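The MAC ACL approach from this comment, written out in full as an added example (editor-supplied config, not something posted in the thread; the interface range and the explicit "deny any any" line are my additions). Two things a practitioner would check before anything else: an IOS interface has no bare "access-group" command, the MAC form is "mac access-group", and on the Catalyst 3560/3750 family (the Gi1/0/x interface names in the thread point at a 3750) a MAC ACL bound to a Layer 2 port filters only non-IP traffic, so IPv4 frames from a host that is not in the list are not touched by it. That is why this cannot enforce the requirement on its own; the example shows the correct syntax and the implicit deny the comment asks about.

```cisco
! Named MAC extended ACL. Every entry needs both a source and a
! destination ("any" here). The list ends with an implicit deny, so
! nothing else is permitted; the explicit "deny any any" only makes that
! visible in "show access-lists allowed".
mac access-list extended allowed
 permit host 1234.5678.9012 any
 permit host 3456.7890.1234 any
 deny any any
!
! Bind it to the access ports as a port ACL. The interface command is
! "mac access-group" (there is no bare "access-group"); "ip access-group"
! is the IPv4 equivalent. The port range is assumed.
interface range GigabitEthernet1/0/2 - 3
 switchport mode access
 mac access-group allowed in
!
! Caveat (Catalyst 3560/3750): a MAC ACL on a Layer 2 port matches only
! non-IP traffic. IPv4 frames from a host that is not in the list pass
! untouched, which matches the behaviour reported in the thread.
```

Verify the binding with "show access-lists allowed" and the running config of the interface; the counters alone will not tell you about IPv4 traffic, because it never hits this ACL.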

Expert Comment

by:Don Johnston
ID: 21804460
It appears that you're trying to do a VACL (VLAN Access Control List). It uses a completely different syntax.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html
Author Comment

by:iamalpine
ID: 21804648
No, it's not a VACL, it's an extended ACL for MAC addresses. Typically this ACL should permit only what is in it and deny all others, but it does not do that; it allows all hosts to connect.

Expert Comment

by:Don Johnston
ID: 21804770
So what is the g1/0/2 and g1/0/3 interface connected to?

Author Comment

by:iamalpine
ID: 21809914
Those are just interfaces where the desktops are connected. The switches have all gig ports.

Author Comment

by:iamalpine
ID: 21811486
I checked this: if the port violation mode is put on protect and a new device is connected, it blocks all until the port is shut down and started again. Is there any solution to my query, or is Cisco ACS the only answer?

Expert Comment

by:Don Johnston
ID: 21811588
No. Another solution would be 802.1x with ACS
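The switch side of the 802.1X setup mentioned here, as an added example (editor-supplied, not from the thread; the RADIUS server address, shared secret, VLAN and port range are assumed placeholders, and the server-side configuration on ACS is not shown). The "dot1x mac-auth-bypass" line is also an addition not discussed in the thread: it lets the switch send the client's MAC address to the RADIUS server as the credential for devices without an 802.1X supplicant, which is what turns "any of these MACs on any port" into a single list maintained on the server instead of per-port static entries.

```cisco
! Global AAA and RADIUS setup; the ACS address and shared secret are
! assumed placeholders. The list of permitted devices lives on the
! server, so the same machines can appear on any port without touching
! the switch config again.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSecret1
dot1x system-auth-control
!
! The 12 training-room ports (range assumed). "auto" means the port
! passes only EAPOL until the RADIUS server accepts the client.
interface range GigabitEthernet1/0/1 - 12
 switchport mode access
 switchport access vlan 10
 dot1x port-control auto
 ! Optional and not part of the thread: MAC authentication bypass sends
 ! the client's MAC address to the same RADIUS server as the credential
 ! for devices that have no 802.1X supplicant. A MAC is a claimed
 ! identity, not a secret, so prefer real 802.1X where the hosts can do it.
 dot1x mac-auth-bypass
```

Check a port with "show dot1x interface GigabitEthernet1/0/1": the port stays unauthorized, and therefore forwards nothing but EAPOL, until the server returns an Access-Accept for the client.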

Expert Comment

by:Don Johnston
ID: 21854806
Question was asked and answered.

Author Comment

by:iamalpine
ID: 21856025
My question is as given below:
Is there a way to do what I want via the IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, none other should get connected.
My purpose didn't get solved, but if you still think that I should award you points for something which has not happened, I will do that.

Expert Comment

by:Don Johnston
ID: 21856420
>Is there a way to do what i want via the IOS only.
>My aim is to allow 16 desktops+ laptops to connect to any of the 12 ports in my training room.

I provided a couple possible solutions. Just because you don't like the answers doesn't mean it's not an answer.

I still think the closest solution is to use port security on the upstream switch, statically define the 12 MAC addresses and use "protect" on a violation. It still won't keep the unauthorized PC from communicating with the other 12 devices, but that's the best you're going to get without an external solution.
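The upstream-port design described in this comment, as an added example (editor-supplied, not the thread author's config). The interface name, the VLAN number and the training-room switch's own MAC are assumed placeholders; the device MACs are the placeholder values from the question. One caveat follows directly from the error reported in the question: a static secure MAC cannot be configured on two ports of the same switch in the same VLAN, so with the two fibre uplinks the thread mentions, the list can go on only one of them unless the second lands on a different switch or VLAN.

```cisco
! Core-switch port facing the training-room switch (name and VLAN assumed).
! Port security here counts the source MACs that arrive over the uplink,
! so it gates what leaves the room, not what the room's hosts do to each
! other.
interface GigabitEthernet1/0/49
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! "protect" drops frames from any unlisted source MAC and keeps the port
 ! up. "restrict" does the same and also logs and counts the violations,
 ! which is usually what you want on a shared link. Do not use "shutdown"
 ! here: one stray laptop would err-disable the whole room.
 switchport port-security violation protect
 ! "maximum" must be raised before the static entries are added (default
 ! is 1) and should equal the number of static entries. Any headroom
 ! above that is filled by dynamic learning from the first unknown device
 ! that talks, which would silently admit it.
 switchport port-security maximum 16
 ! The 15 placeholder MACs from the question ...
 switchport port-security mac-address 1111.2222.3333
 switchport port-security mac-address 4444.5555.6666
 switchport port-security mac-address 7777.8888.9999
 switchport port-security mac-address 0000.1111.2222
 switchport port-security mac-address 3333.4444.5555
 switchport port-security mac-address 6666.7777.8888
 switchport port-security mac-address 9999.0000.1111
 switchport port-security mac-address 2222.3333.4444
 switchport port-security mac-address 5555.6666.7777
 switchport port-security mac-address 8888.9999.0000
 switchport port-security mac-address 1234.5678.9012
 switchport port-security mac-address 3456.7890.1234
 switchport port-security mac-address 5678.9012.3456
 switchport port-security mac-address 7890.1234.5678
 switchport port-security mac-address 9012.3456.7890
 ! ... plus the training-room switch's own management MAC (assumed
 ! value), since that switch sources its own frames through this link.
 ! The poster's final count (12 desktops + 5 laptops = 17) means adding
 ! two more entries and raising "maximum" to 18 at the same time.
 switchport port-security mac-address 0019.0000.0001
```

"show port-security interface GigabitEthernet1/0/49" shows the violation count and whether the port is still secure-up; "show port-security address" lists the 16 SecureConfigured entries and should show no SecureDynamic ones if the maximum was set correctly.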
Author Comment

by:iamalpine
ID: 21856937
As I said, it did not sort the problem I had. I had also got these details from the Cisco site, but since you are so sure and think you deserve the points, here you go.
I practically tried the solutions which you gave me. My question was to do port security based on MAC address; you suggested securing one port and using that as an uplink.
Anyway, no more comments; you have been awarded the points for something that did not work for me.
Thanks for trying to help anyway.

Assisted Solution

by:Don Johnston
Don Johnston earned 200 total points
ID: 21857078
Don't award the points if you don't feel the question was answered.

But consider what will happen when the next time you or someone else asks a question on how to do something. If we don't get acknowledgment for responding that it can't be done and we don't respond at all, what will the asker think? That nobody knows how to do it? That nobody has seen the question?

What will no response achieve?

Maybe next time, you can post "if it can't be done, please don't tell me" at the end of your question?


Accepted Solution

by:
iamalpine earned 0 total points
ID: 21862693
I think we should close this question. Don Johnston seems to be an expert at answering and I agree he has helped me. Please award the points, which I have already done, and close this question.
One thing to be remembered is that there are many such tech support sites. I come to Experts Exchange only because I get good solutions and not half-baked ones. I guess from next time onwards I will do what Don has said and go to some other providers for queries. Attitude does not go down well with consumers. In the end it is a consumer-oriented world; if you don't get what you want, you don't buy. As simple as that.

Author Comment

by:iamalpine
ID: 23334059
Satisfied.