Limit ports access for particular MAC addresses only

Unanswered Question
Jul 19th, 2007

Can I limit the port access of a Cisco catalyst 2950 switch to particular MAC addresses only?

If so, how to configure it?

guruprasadr Thu, 07/19/2007 - 20:56

HI, [PLS Rate if HELPS]

Cisco switches have a feature called Port-Security, by which you can associate the MAC address of a PC with a switch port.

With this you can maintain security. If any security violation follows, you can instruct the switch to take violation actions, like shutting down or protecting the port immediately. After the switch takes the violation action, only an authorised network administrator can re-enable the port manually by issuing the "no shutdown" command under interface configuration mode.

Below are the steps for configuring port security on an interface:

Router(config)#interface interface_id
Router(config-if)#switchport mode access
Router(config-if)#switchport port-security
Router(config-if)#switchport port-security mac-address mac_address
Router(config-if)#switchport port-security violation {protect | restrict | shutdown}

Router#show port-security interface interface_id
Router#show port-security address

Please refer to the link below for further assistance on port-security configuration:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_14_ea1/configuration/guide/swtrafc.html#wp1038501

Refer to the link below for the Catalyst 2950 Series Switches support page:

http://www.cisco.com/en/US/products/hw/switches/ps628/tsd_products_support_series_home.html

PLS RATE if HELPS

Best Regards,

Guru Prasad R

kosalasuranjith Fri, 07/20/2007 - 03:52

Dear Prasad,

Thanks for the guide. The configuration seems to be OK, but I can connect other PCs (different MACs) and they also work. I configured it in shutdown mode.

What's wrong? The port belongs to a VLAN which is not the default VLAN. Are there any issues?

Regards,

Kosala

kosalasuranjith Tue, 07/24/2007 - 02:45

Jon,

Here is the configuration of port 19, which is configured.

-------
show run

interface FastEthernet0/19
 switchport access vlan 6
 switchport mode access
 switchport port-security
 no ip address
 spanning-tree portfast
----------

switch1_idc#show port-security interface fastEthernet 0/19
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
-----------------

switch1_idc#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type             Ports    Remaining Age
                                                       (mins)
----    -----------       ----             -----    -------------
   6    0011.85ea.3801    SecureDynamic    Fa0/19        -
-------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024

Kosala

Jon Marshall Tue, 07/24/2007 - 03:05

Hi Kosala

Your config is working as it is meant to. You have told it only 1 MAC address can be seen on that port at any one time. If you then disconnect the PC and connect another, that will also work because it still only sees one MAC address.

This can be useful if you want to stop users connecting hubs etc. to the switch ports.

If you want to tie the port down to one mac-address you could try

1) switchport port-security mac-address "mac-address of host"

2) Try an aging time eg.

switchport port-security aging time 5 type absolute

which means you can't use another MAC address on this port until 5 mins after the last one was disconnected.

3) try

switchport port-security mac-address sticky

I've not used 3 before, but I believe it will take the first MAC address and tie it to the switchport.

HTH

Jon
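As an added example (not code from any poster in this thread), a small Python audit script that parses "show port-security interface" output of the kind Kosala posted above and reports why the port does not pin the host; the sample output is constructed to mirror that post, and the finding rules follow Jon's explanation.

```python
import re

# Constructed sample modelled on the "show port-security interface" output posted
# in this thread; it is not a capture from the poster's switch.
SAMPLE = """\
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
"""


def parse_port_security(text):
    """Parse 'Field : Value' lines into a dict; values with a leading number become ints."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        value = value.strip()
        num = re.match(r"\d+", value)
        fields[key.strip()] = int(num.group()) if num else value
    return fields


def audit(fields):
    """Return findings describing why the port is not pinned to a known host."""
    findings = []
    if fields.get("Port Security") != "Enabled":
        return ["port-security is not enabled on this interface"]
    # Only static (configured) and sticky addresses tie the port to specific hosts;
    # a dynamically learned address is just counted against the maximum.
    bound = fields.get("Configured MAC Addresses", 0) + fields.get("Sticky MAC Addresses", 0)
    maximum = fields.get("Maximum MAC Addresses", 0)
    if bound == 0:
        findings.append("no static or sticky MAC bound: only the address count "
                        "is enforced, so any single host is accepted")
    elif maximum > bound:
        findings.append(f"maximum {maximum} exceeds the {bound} bound address(es): "
                        "extra hosts can still be learned dynamically")
    if fields.get("Violation mode") == "Protect":
        findings.append("violation mode protect drops offending frames without "
                        "notification or err-disabling the port")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_port_security(SAMPLE)):
        print("FINDING:", finding)
```

Run it against the output of each access port; an empty result means a static or sticky address is bound and the maximum does not leave room for unlisted hosts.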

kosalasuranjith Tue, 07/24/2007 - 03:30

Actually, 0011.85ea.3801 is the MAC address of the host. That's why I wonder how a different MAC can communicate.

I tried with sticky also, but the result was the same.

interface FastEthernet0/19
 switchport access vlan 6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.85ea.3801
 no ip address
 spanning-tree portfast

rahul.handa Tue, 07/24/2007 - 06:25

Try

conf t
int f0/19
(conf-if)#no switchport port-security
(conf-if)#no switchport port-security mac-address sticky
(conf-if)#no switchport port-security mac-address sticky 0011.85ea.3801
(conf-if)#shut
(conf-if)#switchport port-security
(conf-if)#switchport port-security mac-address sticky
(conf-if)#no shut
(conf-if)#do sh run int f0/19

Now the MAC of the first device that's plugged into that port (before doing a no shut) will be learned on that port.

You can try replacing it with some other device. The Fa port should surely go into the err-disable state.

Pl rate if this helps.
