07-19-2007 08:21 PM - edited 03-05-2019 05:24 PM
Can I limit the port access of a Cisco catalyst 2950 switch to particular MAC addresses only?
If so, how to configure it?
07-19-2007 08:56 PM
Hi, [please rate if this helps]
Cisco switches have a feature called Port Security, by which you can associate the MAC address of a PC with a switch port and thereby maintain security. If any security violation occurs, you can instruct the switch to take violation actions such as shutting down or protecting the port immediately. After the switch has taken the violation action, only an authorised network administrator can re-enable the port manually by issuing the "no shutdown" command under interface configuration mode.
Below are the steps for configuring Port Security on an interface:
Router(config)#interface interface_id
Router(config-if)#switchport mode access
Router(config-if)#switchport port-security
Router(config-if)#switchport port-security mac-address mac_address
Router(config-if)#switchport port-security violation {protect | restrict | shutdown}
Router#show port-security interface interface_id
Router#show port-security address
Please refer to the link below for further assistance on Port Security configuration:
Refer to the link below for the Catalyst 2950 Series Switches support page:
http://www.cisco.com/en/US/products/hw/switches/ps628/tsd_products_support_series_home.html
Please rate if this helps.
Best Regards,
Guru Prasad R
07-20-2007 03:52 AM
Dear Prasad,
Thanks for the guide. The configuration seems to be OK, but I can connect other PCs (with different MACs)
and they also work. I configured shutdown mode.
What is wrong? The port belongs to a VLAN which is not the default VLAN. Are there any issues?
Regards,
Kosala
07-20-2007 04:08 AM
Kosala
Can you post your config?
Jon
07-24-2007 02:45 AM
Jon,
Here is the configuration of port 19, which is the configured port.
-------
show run
interface FastEthernet0/19
switchport access vlan 6
switchport mode access
switchport port-security
no ip address
spanning-tree portfast
----------
switch1_idc#show port-security interface fastEthernet 0/19
Port Security : Enabled
Port status : SecureUp
Violation mode : Shutdown
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Aging time : 0 mins
Aging type : Absolute
SecureStatic address aging : Disabled
Security Violation count : 0
-----------------
switch1_idc#show port-security address
Secure Mac Address Table
-------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
6 0011.85ea.3801 SecureDynamic Fa0/19 -
-------------------------------------------------------------------
Total Addresses in System : 1
Max Addresses limit in System : 1024
Kosala
07-24-2007 03:05 AM
Hi Kosala
Your config is working as it is meant to. You have told it only one MAC address can be seen on that port at any one time. If you then disconnect the PC and connect another, that will also work because it still only sees one MAC address.
This can be useful if you want to stop users connecting hubs etc. to the switch ports.
If you want to tie the port down to one MAC address you could try:
1) switchport port-security mac-address "mac-address of host"
2) Try an aging time, e.g.
switchport port-security aging time 5 type absolute
which means you can't use another MAC address on this port until 5 mins after the last one was disconnected.
3) Try
switchport port-security mac-address sticky
I've not used 3 before, but I believe it will take the first MAC address and tie it to the switchport.
HTH
Jon
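The steps Guru Prasad listed and the three options Jon describes boil down to one question for each port: does the config actually bind the port to particular hosts (a static or saved sticky MAC), or does it only cap the number of MACs, as Kosala's first config does? The audit script below is an added example, not Cisco's code and not anything posted in this thread. It parses interface stanzas from a saved "show running-config", records the port-security settings (IOS defaults of maximum 1 and violation shutdown are assumed when the command is absent), and reports a lock state plus findings. The sample config embeds Kosala's Fa0/19 and sticky Fa0/20 stanzas from this thread; Fa0/21 with a static MAC and "violation restrict" is constructed for the example.

```python
"""Audit Cisco IOS port-security stanzas from a saved 'show running-config'.

Added example for this thread (not Cisco's code, not the poster's). It tells
you whether a port is tied to specific MACs or merely limits how many it learns.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

MAC_RE = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"  # IOS dotted-hex MAC format


@dataclass
class PortSecurity:
    interface: str
    enabled: bool = False
    access_mode: bool = False
    maximum: int = 1             # IOS default once port-security is enabled
    violation: str = "shutdown"  # IOS default
    aging_time: int = 0          # minutes; 0 = no aging
    sticky: bool = False         # "mac-address sticky" learning turned on
    static_macs: List[str] = field(default_factory=list)
    sticky_macs: List[str] = field(default_factory=list)

    def lock_state(self) -> str:
        """How tightly the port is bound to particular hosts."""
        if not self.enabled:
            return "disabled"
        if self.static_macs:
            return "static"          # admin-configured MAC(s)
        if self.sticky_macs:
            return "sticky-saved"    # learned MAC(s) written into the config
        if self.sticky:
            return "sticky-pending"  # will bind to the next MAC it sees
        return "dynamic-only"        # only a count limit; any host accepted


def _apply(port: PortSecurity, cmd: str) -> None:
    """Update the port record from one interface-level command."""
    if cmd == "switchport mode access":
        port.access_mode = True
    elif cmd == "switchport port-security":
        port.enabled = True
    elif (m := re.fullmatch(r"switchport port-security maximum (\d+)", cmd)):
        port.maximum = int(m.group(1))
    elif (m := re.fullmatch(r"switchport port-security violation (protect|restrict|shutdown)", cmd)):
        port.violation = m.group(1)
    elif cmd == "switchport port-security mac-address sticky":
        port.sticky = True
    elif (m := re.fullmatch(rf"switchport port-security mac-address sticky ({MAC_RE})", cmd)):
        port.sticky_macs.append(m.group(1))
    elif (m := re.fullmatch(rf"switchport port-security mac-address ({MAC_RE})", cmd)):
        port.static_macs.append(m.group(1))
    elif (m := re.fullmatch(r"switchport port-security aging time (\d+)", cmd)):
        port.aging_time = int(m.group(1))


def parse_running_config(text: str) -> Dict[str, PortSecurity]:
    """One record per 'interface' stanza; IOS indents stanza lines by one space."""
    ports: Dict[str, PortSecurity] = {}
    current = None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            current = PortSecurity(interface=raw.split(None, 1)[1].strip())
            ports[current.interface] = current
        elif raw.startswith(" ") and current is not None:
            _apply(current, raw.strip())
        else:
            current = None  # "!" or a global command ends the stanza
    return ports


def audit(port: PortSecurity) -> List[str]:
    """Findings for one port; an empty list means it is bound to known MACs."""
    findings: List[str] = []
    if not port.enabled:
        return findings
    if not port.access_mode:
        findings.append("port-security needs a static access port ('switchport mode access')")
    state = port.lock_state()
    if state == "dynamic-only":
        findings.append(f"no static or sticky MAC: the port only limits the count to "
                        f"{port.maximum}; any host's MAC is learned dynamically")
    elif state == "sticky-pending":
        findings.append("sticky learning is on but no address is saved yet; the next MAC seen is bound")
    if port.violation == "protect":
        findings.append("violation 'protect' drops offending frames silently (no syslog, no counter)")
    return findings


def report(text: str) -> Dict[str, List[str]]:
    """Findings for every port that has port-security enabled."""
    return {n: audit(p) for n, p in parse_running_config(text).items() if p.enabled}


# Sample input: Fa0/19 and Fa0/20 are the stanzas posted in this thread;
# Fa0/21 is constructed to show a statically bound port.
SAMPLE_CONFIG = """!
interface FastEthernet0/19
 switchport access vlan 6
 switchport mode access
 switchport port-security
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/20
 switchport access vlan 6
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0011.85ea.3801
 no ip address
 spanning-tree portfast
!
interface FastEthernet0/21
 switchport access vlan 6
 switchport mode access
 switchport port-security
 switchport port-security mac-address 0011.85ea.3801
 switchport port-security violation restrict
 no ip address
!
"""

if __name__ == "__main__":
    for name, findings in report(SAMPLE_CONFIG).items():
        print(name, "->", findings or ["OK: bound to configured MAC(s)"])
```

Run against Kosala's original Fa0/19 the script reports "dynamic-only", which is exactly Jon's diagnosis: "Configured MAC Addresses : 0" and a SecureDynamic entry mean the switch will happily learn whichever single MAC appears next. Feed it the output of "show running-config" from the switch to check every access port at once.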
07-24-2007 03:30 AM
Actually, 0011.85ea.3801 is the MAC address of the host. That's why I wonder how a different MAC can communicate.
I tried with sticky also, but the result was the same.
interface FastEthernet0/19
switchport access vlan 6
switchport mode access
switchport port-security
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0011.85ea.3801
no ip address
spanning-tree portfast
07-24-2007 06:25 AM
Try
conf t
int f0/19
(conf-if)#no switchport port-security
(conf-if)#no switchport port-security mac-address sticky
(conf-if)#no switchport port-security mac-address sticky 0011.85ea.3801
(conf-if)#shut
(conf-if)#switchport port-security
(conf-if)#switchport port-security mac-address sticky
(conf-if)#no shut
(conf-if)#do sh run int f0/19
Now the MAC of the first device that's plugged into that port (before doing a no shut) will be
learned on that port.
You can try replacing it with some other device. The Fa port should surely go into the err-disabled state.
Please rate if this helps.