Cisco 3560 port security

I have a Cisco 3560 switch that I want to enable port security on. I have 5 MAC addresses that I want to be able to get access through any of the 24 ports, but I want only those 5 MACs to be able to get access through the switch.

Basically, we have POS terminals that move from port to port.
Jumers (Author) Commented:
It is a limitation on the Cisco switch. You can't add the same MAC to more than one port with port security, which is really kind of weird. I ended up doing an ACL for the MACs with a deny statement. Not really what I wanted, but it gets the job done.

I copied the setup below. I'm not sure what to do with the points on this one. Anyone have any advice?

Cat3750Switch(config)# mac access-list ext filtermac
Cat3750Switch(config-ext-macl)# permit host 0000.0000.0001 any
Cat3750Switch(config-ext-macl)# permit host 0000.0000.0002 any
Cat3750Switch(config-ext-macl)# permit host 0000.0000.0003 any
Cat3750Switch(config-ext-macl)# deny any any
Cat3750Switch(config-ext-macl)# exit
Cat3750Switch(config)# int g1/0/40
Cat3750Switch(config-if)# mac access-group filtermac in
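As an added example (not the poster's config and not taken from the thread), here is the same MAC ACL approach applied to all 24 access ports with `interface range`, so a terminal can be moved to any port. The port naming (FastEthernet0/1 - 24), the ACL name and the placeholder MAC addresses are assumptions; substitute the real terminal addresses, one `permit` line per terminal.

```cisco
! Added example, not the poster's config. Assumes a 24-port 3560 with
! FastEthernet0/1 - 24 as access ports; the MACs below are placeholders
! for the five POS terminals (one permit line per terminal).
mac access-list extended POS-ONLY
 permit host 0000.0000.0001 any
 permit host 0000.0000.0002 any
 permit host 0000.0000.0003 any
 permit host 0000.0000.0004 any
 permit host 0000.0000.0005 any
 deny any any
!
! Bind the ACL inbound on every port in one step. A port ACL is evaluated
! per port, so the same source MAC arriving on different ports is not a
! conflict the way a duplicate port-security entry is.
interface range FastEthernet0/1 - 24
 switchport mode access
 mac access-group POS-ONLY in
!
end
!
! Verification: confirm the ACL contents and that it is bound to the ports.
show access-lists
show mac access-group interface FastEthernet0/1
```

Two things to check before relying on this. First, the ACL matches only the frame's source MAC, so any device configured with one of the five addresses passes; it is an allowlist, not authentication. Second, plug an unlisted laptop into one of the ports and confirm it really cannot reach anything: the 3560 ACL documentation describes MAC extended ACLs in terms of non-IPv4 traffic, so verify on your IOS release which traffic types the port ACL actually drops rather than assuming `deny any any` covers everything.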
Basically you will need to set up port security on all ports. Each port will need to allow 5 MAC addresses and then be configured for each MAC address. You should be able to use the interface range command to simplify.
The config below uses the shutdown option when a violation occurs. This will err-disable the interface when an unknown MAC is found, requiring you to bring the interface back up manually. Other options are restrict and protect. These two leave the interface up but drop the traffic from that MAC. Protect does not log drops and restrict does.

int range f0/1 - 24
switchport port-security
switchport port-security maximum 5
switchport port-security mac-address 1111.1111.1111
switchport port-security mac-address 2222.2222.2222
! you will need a line for every MAC
switchport port-security violation shutdown


The only other option I know of would be to use VMPS. Basically you set up a VMPS server and have your 3560 point to it as a VMPS client.
Basically, the VMPS server links to a central file that holds all the allowed MAC addresses for each VLAN. When a port is brought up on a client switch, it polls the server with the MAC address to see if it is an acceptable MAC and what VLAN it should belong to. This is most commonly used for dynamic VLANs when the VLAN used must follow a user no matter what port or switch they are on.
The only thing is the 3560 does not support being a VMPS server. You will need a 6500 or similar switch to act as a server. You will also need a TFTP server to hold the MAC address file.
For only 5 MACs my first post would be my recommendation.

Jumers (Author) Commented:
I tried to do port security for each port. After I configured the first port, the second one told me:

"Found duplicate mac-address 1111.1111.1111"

It seems like you can't add the same MAC to each interface.

Is there a way to get around that?
Try configuring all ports at once with the "int range f0/1 - 24" command. This should allow you to enter each MAC.
Jumers (Author) Commented:
No go; basically it gave me multiple errors for duplicate MAC.

Wondering if this is just a limitation.
I don't have a way to test this right now, but I can check tonight when I get home. I also can't find anything in any docs saying you can/can't have the same MAC on multiple interfaces.
Re-looking at what you are trying to do: will these kiosks move a lot, or will they stay plugged into the same port for a while?
If they will stay in the same ports, then you can just use the "sticky" option or manually configure each MAC to its associated port.
Sorry I didn't have time to dig into this last night; things came up. I guess if that is a limitation, then the ACL will work in blocking traffic from getting out. Other devices will still be able to connect to the switch, though.
Another option would be to see if your devices support 802.1X. This would be a much better approach.
But if you are fine with the ACL, that's cool. As for points, go ahead and just request to accept your last post as the answer with your points refunded.
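For the case where the terminals stay on one port, which is when the sticky option suggested above applies, here is an added example (not the poster's or the expert's config) of sticky port security combined with automatic err-disable recovery, so a violation in shutdown mode does not require a manual `shutdown`/`no shutdown`. The port range, the one-terminal-per-port assumption and the recovery interval are assumptions.

```cisco
! Added example, not from the thread. Assumes one terminal per port that
! stays put, on FastEthernet0/1 - 24.
!
! Re-enable a port automatically 300 seconds after a port-security
! violation err-disabled it, instead of waiting for a manual no shutdown.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 ! learn the first MAC seen on each port and keep it as a secure entry
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
end
!
! Sticky entries are written into the running-config; save them so they
! survive a reload.
copy running-config startup-config
!
! Verification: learned addresses, violation counts and per-port state.
show port-security
show port-security address
show port-security interface FastEthernet0/1
show errdisable recovery
```

This is exactly why sticky does not fit terminals that roam: an address secured on one interface that shows up on another secure interface in the same VLAN is itself a violation, so moving a terminal err-disables the new port until the old port's entry is removed with `clear port-security sticky interface FastEthernet0/<n>` and the config is saved again. If the terminals move often, stay with the ACL approach or look at 802.1X as suggested above.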
Jumers (Author) Commented:
We have fixed this.
Question has a verified solution.