• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 411
  • Last Modified:

How do I apply multiple MAC addresses on multiple ports for port security?

I have got a training room which has got 12 network points. I need to ensure that these 12 network points provide connectivity only to 12 desktops and 5 laptops. Any desktop or any laptop can connect on any of these 12 points. I tried the following:
switchport port-security maximum 16
switchport port-security
switchport port-security violation protect
switchport port-security mac-address 1111.2222.3333
switchport port-security mac-address 4444.5555.6666
switchport port-security mac-address 7777.8888.9999
switchport port-security mac-address 0000.1111.2222
switchport port-security mac-address 3333.4444.5555
switchport port-security mac-address 6666.7777.8888
switchport port-security mac-address 9999.0000.1111
switchport port-security mac-address 2222.3333.4444
switchport port-security mac-address 5555.6666.7777
switchport port-security mac-address 8888.9999.0000
switchport port-security mac-address 1234.5678.9012
switchport port-security mac-address 3456.7890.1234
switchport port-security mac-address 5678.9012.3456
switchport port-security mac-address 7890.1234.5678
switchport port-security mac-address 9012.3456.7890

When I enter these commands on one port it accepts them. The moment I enter the same commands on another port on the same switch it says duplicate MAC address.
So I tried using an access list.
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234
and applied this ACL on an interface.

It still does not work. If I connect any other device on this port it gets connected. Is there a way to do what I want via the IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, none other should get connected.
Asked by: iamalpine

2 Solutions
 
Don Johnston (Instructor) commented:
This is one of the limitations of port security.

What you could do is apply the port security to the port on the switch that connects to the switch for the training room.

The only problem is that when an unauthorized MAC is learned, the port on the upstream switch will go into protect mode and all devices in the classroom will be isolated.
0
 
iamalpine (Author) commented:
This switch is connected to the core via 2 gig fibre ports. I have put the port violation mode on protect.
Would that mean that for any unauthorized laptop it blocks only that laptop, or all ports of the switch? I will try this out tomorrow.
Why does the extended ACL not work? That should work; am I doing anything wrong with the ACL? I did the following:
mac access-list extended allowed
permit host 1234.5678.9012 any
permit host 3456.7890.1234
int g1/0/2
access-group allowed in
int g1/0/3
access-group allowed in

Do I need to add a deny statement to the ACL so that it blocks anything apart from these MAC addresses?
What other options do I have? I know I won't buy the secure server from Cisco. I need to make this work somehow.
0
 
Don Johnston (Instructor) commented:
It appears that you're trying to do a VACL (VLAN Access Control List). It uses a completely different syntax.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SXF/native/configuration/guide/vacl.html
0
 
iamalpine (Author) commented:
No, it's not a VACL, it's an extended ACL for MAC addresses. Typically this ACL should permit only what is in it and deny all others, but it does not do that. It allows all hosts to connect.
0
 
Don Johnston (Instructor) commented:
So what is the g1/0/2 and g1/0/3 interface connected to?
0
 
iamalpine (Author) commented:
Those are just interfaces where the desktops are connected. The switches have all gig ports.
0
 
iamalpine (Author) commented:
I checked this: if the port violation is put on protect mode and a new device is connected, it blocks all until the port is shut down and started again. Is there any solution to my query, or is Cisco ACS the only answer?
0
 
Don Johnston (Instructor) commented:
No. Another solution would be 802.1X with ACS.
0
 
Don Johnston (Instructor) commented:
Question was asked and answered.
0
 
iamalpine (Author) commented:
My question is as given below:
Is there a way to do what I want via the IOS only?
My aim is to allow 16 desktops + laptops to connect to any of the 12 ports in my training room. Apart from these, none other should get connected.
My purpose didn't get solved, but if you still think that I should award you points for something which has not happened, I will do that.
0
 
Don Johnston (Instructor) commented:
>Is there a way to do what i want via the IOS only.
>My aim is to allow 16 desktops+ laptops to connect to any of the 12 ports in my training room.

I provided a couple of possible solutions. Just because you don't like the answers doesn't mean they're not answers.

I still think the closest solution is to use port security on the upstream switch, statically define the 12 MAC addresses and use "protect" on a violation. It still won't keep the unauthorized PC from communicating with the other 12 devices, but that's the best you're going to get without an external solution.
0
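An added configuration example, not from this thread, from Don Johnston, or from Cisco's documentation, that writes out both approaches discussed above for a Catalyst 3560/3750-class IOS switch: port security with static entries on the upstream port that faces the training-room switch, and the MAC ACL with the interface command ("mac access-group") and the destination keyword that the posted version lacks. The interface names, VLAN number and MAC addresses are placeholders I made up.

```cisco
! Added example, not the thread's own configuration. Catalyst 3560/3750-class IOS.
! All MAC addresses, VLAN numbers and interface names are placeholders.
!
! --- Approach 1: port security on the upstream switch's downlink ---
! Configured on the switch that faces the training-room switch, so all
! authorized MACs are learned through a single port. A static secure MAC
! can be assigned to only one port per VLAN, which is why entering the
! same list on a second access port is rejected as a duplicate.
! "restrict" behaves like "protect" (frames from unknown MACs are dropped,
! the port stays up) but also logs and counts each violation.
interface GigabitEthernet1/0/24
 description Downlink to training-room switch
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 16
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4401
 switchport port-security mac-address 0011.2233.4402
 ! ... one static entry per authorized host, 16 in total ...
!
! --- Approach 2: MAC ACL on the training-room access ports ---
! The interface command is "mac access-group", and each entry needs a
! destination (here "any"). The explicit deny duplicates the implicit one
! but makes the intent visible in "show access-lists".
mac access-list extended ALLOWED-HOSTS
 permit host 0011.2233.4401 any
 permit host 0011.2233.4402 any
 deny   any any
!
interface range GigabitEthernet1/0/2 - 13
 switchport mode access
 switchport access vlan 10
 mac access-group ALLOWED-HOSTS in
!
! Verification commands
! show port-security interface GigabitEthernet1/0/24
! show port-security address
! show mac access-group interface GigabitEthernet1/0/2
```

Two caveats are worth knowing before relying on either approach. A static secure MAC is tied to one port per VLAN, which is what the "duplicate" error on the second port is reporting, so a per-port static list only fits a room where each host has a fixed port. And on these switches a MAC ACL applied with mac access-group filters only non-IP traffic; IP traffic from an unlisted host is not matched by it, which is consistent with unlisted hosts still getting connectivity. Both controls key on the MAC address alone; 802.1X, as mentioned in the thread, is the control that actually authenticates the host.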
 
iamalpine (Author) commented:
As I said, it did not sort the problem I had. I had also got these details from the Cisco site, but since you are so sure and think you deserve the points, here you go.
I practically tried the solutions which you gave me. My question was to do port security based on MAC address; you suggested securing one port and using that as uplink.
Anyway, no more comments. You have been awarded the points for something that did not work for me.
Thanks for trying to help anyway.
0
 
Don Johnston (Instructor) commented:
Don't award the points if you don't feel the question was answered.

But consider what will happen the next time you or someone else asks a question on how to do something. If we don't get acknowledgment for responding that it can't be done, and so we don't respond at all, what will the asker think? That nobody knows how to do it? That nobody has seen the question?

What will no response achieve?

Maybe next time, you can post "if it can't be done, please don't tell me" at the end of your question?

0
 
iamalpine (Author) commented:
I think we should close this question. Don Johnston seems to be an expert at answering and I agree he has helped me. Please award the points, which I have already done, and close this question.
One thing to be remembered is there are many such tech support sites. I come to Experts Exchange only because I get good solutions and not half-baked ones. I guess from next time onwards I will do what Don has said and go to some other providers for queries. Attitude does not go down well with consumers. In the end it is a consumer-oriented world; if you don't get what you want you don't buy. As simple as that.
0
 
iamalpine (Author) commented:
Satisfied.
0
