Limit ports access for particular MAC addresses only

kosalasuranjith
Level 1

Can I limit the port access of a Cisco catalyst 2950 switch to particular MAC addresses only?

If so, how to configure it?

7 Replies

guruprasadr
Level 7

Hi,

Cisco switches have a feature called Port Security, by which you can associate the MAC address of a PC with the switch port.

In this way you can maintain security. If any security violation follows, you can instruct the switch to take violation actions such as shutting down or protecting the port immediately. After the switch has taken the violation action, only an authorised network administrator can re-enable the port manually by issuing the "no shutdown" command under interface configuration mode.

Below are the steps for configuring port security on an interface:

Router(config)#interface interface_id
Router(config-if)#switchport mode access
Router(config-if)#switchport port-security
Router(config-if)#switchport port-security mac-address mac_address
Router(config-if)#switchport port-security violation {protect | restrict | shutdown}

Verify with:

Router#show port-security interface interface_id
Router#show port-security address

Please refer Link below for further assistance on Port-Security Configuration:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2950/software/release/12.1_14_ea1/configuration/guide/swtrafc.html#wp1038501

Refer Link below for Catalyst 2950 Series Switches Support Page:

http://www.cisco.com/en/US/products/hw/switches/ps628/tsd_products_support_series_home.html

Please rate if this helps.

Best Regards,

Guru Prasad R

Dear Prasad,

Thanks for the guide. The configuration seems to be OK, but I can connect other PCs (with different MACs) and they also work. I configured it in shutdown mode.

What is wrong? The port belongs to a VLAN which is not the default VLAN. Are there any issues?

Regards,

Kosala

Kosala

Can you post your config?

Jon

Jon,

Here is the configuration of port 19, which is the port I configured.

-------
show run

interface FastEthernet0/19
 switchport access vlan 6
 switchport mode access
 switchport port-security
 no ip address
 spanning-tree portfast
----------

switch1_idc#show port-security interface fastEthernet 0/19
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
-----------------

switch1_idc#show port-security address
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   6    0011.85ea.3801    SecureDynamic       Fa0/19       -
-------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024

Kosala

Hi Kosala

Your config is working as it is meant to. You have told it that only 1 mac-address can be seen on that port at any one time. If you then disconnect the PC and connect another, that will also work, because it still only sees one mac-address.

This can be useful if you want to stop users connecting hubs etc. to the switch ports.

If you want to tie the port down to one mac-address you could try:

1) switchport port-security mac-address "mac-address of host"

2) Try an aging time, e.g.

switchport port-security aging time 5 type absolute

which means you can't use another mac-address on this port until 5 mins after the last one was disconnected.

3) Try

switchport port-security mac-address sticky

I've not used 3 before, but I believe it will take the first mac-address and tie it to the switchport.

HTH

Jon

Actually, 0011.85ea.3801 is the mac-address of the host. That's why I wonder how a different MAC can communicate.

I tried with sticky also, but the result was the same:

interface FastEthernet0/19
 switchport access vlan 6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.85ea.3801
 no ip address
 spanning-tree portfast

Try:

conf t
int f0/19
(conf-if)#no switchport port-security
(conf-if)#no switchport port-security mac-address sticky
(conf-if)#no switchport port-security mac-address sticky 0011.85ea.3801
(conf-if)#shut
(conf-if)#switchport port-security
(conf-if)#switchport port-security mac-address sticky
(conf-if)#no shut
(conf-if)#do sh run int f0/19

Now the MAC of the first device that is plugged into that port (before doing a no shut) will be learned on that port.

You can try replacing it with some other device. The Fa port should surely go into the err-disable state.

Please rate if this helps.
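The diagnosis in this thread (a port with "Maximum MAC Addresses : 1" but no configured or sticky address accepts whichever single MAC shows up next once the learned one goes away, and sticky pins whichever MAC appears first after the no shut) is easy to miss on a switch with dozens of ports. The script below is an added example for this thread, not Cisco tooling and not the original posters' code: it parses the two show outputs posted above and reports every port-security-enabled port whose address budget still has unpinned (dynamic) slots, together with the IOS lines that would pin the address learned right now. The Fa0/19 text is the thread's own output; the Fa0/20 sample and its 0011.85ea.3802 entry are constructed for contrast. It assumes the field labels of the 12.1 EA output shown in the thread; other releases may spell them differently, so check that before running it against a live device.

```python
"""Audit 'show port-security' output for ports whose secure addresses are not pinned.
Added example for this thread, not Cisco tooling; field labels follow the 12.1 EA output above."""
import re
from dataclasses import dataclass, field

# Constructed input. Fa0/19 is the output posted in the thread; Fa0/20 is a hypothetical
# port that already holds one sticky address, included for contrast (fields trimmed).
SHOW_INTERFACE_OUTPUT = {
    "FastEthernet0/19": """\
Port Security              : Enabled
Port status                : SecureUp
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Aging time                 : 0 mins
Aging type                 : Absolute
SecureStatic address aging : Disabled
Security Violation count   : 0
""",
    "FastEthernet0/20": """\
Port Security              : Enabled
Violation mode             : Shutdown
Maximum MAC Addresses      : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 1
""",
}
SHOW_ADDRESS_OUTPUT = """\
          Secure Mac Address Table
-------------------------------------------------------------------
Vlan    Mac Address       Type                Ports   Remaining Age
                                                         (mins)
----    -----------       ----                -----   -------------
   6    0011.85ea.3801    SecureDynamic       Fa0/19       -
   6    0011.85ea.3802    SecureSticky        Fa0/20       -
-------------------------------------------------------------------
Total Addresses in System : 2
Max Addresses limit in System : 1024
"""

# One row of the secure address table: vlan, dotted MAC, Secure<Type>, short port name.
MAC_ROW = re.compile(r"^\s*(?P<vlan>\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
                     r"(?P<type>Secure\w+)\s+(?P<port>\S+)", re.IGNORECASE)
INTERFACE_ABBREV = {"FastEthernet": "Fa", "GigabitEthernet": "Gi"}

def short_name(ifname):
    """'FastEthernet0/19' -> 'Fa0/19', the form 'show port-security address' uses."""
    for long, short in INTERFACE_ABBREV.items():
        if ifname.startswith(long):
            return short + ifname[len(long):]
    return ifname

def parse_interface_status(text):
    """Turn the 'Label : value' lines of 'show port-security interface' into a dict."""
    status = {}
    for line in text.splitlines():
        if ":" in line:
            label, _, value = line.partition(":")
            status[label.strip()] = value.strip()
    return status

def parse_secure_addresses(text):
    """Rows of 'show port-security address' as dicts with keys vlan, mac, type, port."""
    return [m.groupdict() for m in map(MAC_ROW.match, text.splitlines()) if m]

@dataclass
class Finding:
    port: str
    max_addresses: int
    pinned: int                   # configured (static) + sticky addresses
    dynamic_slots: int            # max_addresses - pinned: slots any MAC may take
    violation_mode: str
    learned_dynamic: list = field(default_factory=list)  # MACs occupying those slots now
    remediation: list = field(default_factory=list)      # IOS lines that would pin them

def audit(interfaces, address_table):
    """One Finding per port-security-enabled port whose address budget is not fully pinned."""
    addresses = parse_secure_addresses(address_table)
    findings = []
    for ifname, text in interfaces.items():
        st = parse_interface_status(text)
        if st.get("Port Security") != "Enabled":
            continue  # whether port-security is on at all is a separate audit
        max_addr = int(st["Maximum MAC Addresses"])
        pinned = int(st["Configured MAC Addresses"]) + int(st["Sticky MAC Addresses"])
        dynamic_slots = max_addr - pinned
        if dynamic_slots <= 0:
            continue  # every allowed address is static or sticky: the port is tied down
        learned = [r["mac"] for r in addresses
                   if r["port"] == short_name(ifname) and r["type"].lower() == "securedynamic"]
        # Proposal only: pinning the learned MAC is right only if it is the legitimate host.
        remediation = [f"interface {ifname}"] + [
            f" switchport port-security mac-address {mac}" for mac in learned]
        findings.append(Finding(ifname, max_addr, pinned, dynamic_slots,
                                st.get("Violation mode", "?"), learned, remediation))
    return findings

if __name__ == "__main__":
    for f in audit(SHOW_INTERFACE_OUTPUT, SHOW_ADDRESS_OUTPUT):
        print(f"{f.port}: {f.dynamic_slots}/{f.max_addresses} secure slots dynamic, "
              f"learned now {f.learned_dynamic or 'none'}\n" + "\n".join(f.remediation))
```

Run against the thread's output it reports Fa0/19 only: one of one secure slots is dynamic, currently held by 0011.85ea.3801, and proposes `switchport port-security mac-address 0011.85ea.3801`. Fa0/20 passes because its single slot is already sticky. Run the audit before any device swap, not after: the proposal pins whatever is learned at that moment, and the operator has to confirm it is the real host, as it was in this thread.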
