DHCP and Port Security

Unanswered Question
Nov 26th, 2007
User Badges:

Hello everybody,

i've configured port security on a Catalyst 3750 inluding 12.2(40)SE as followed:

mac access-list extended PermitMAC

permit host xxxx.xxxx.xxxx any


interface GigabitEthernet1/0/1

switchport access vlan 11

switchport mode access

mac access-group PermitMAC in

spanning-tree portfast

Current situation:

If i connect a notebook with the MAC-address yyyy.yyyy.yyyy to the interface Gi1/0/1, the notebook

gets a IP-address from the DHCP-Server which is located in the same segment as interface Gi1/0/1.

My expectation was:

The client shouldn't get any IP-Adress because the DHCP request from the client contains the MAC source

address which doesn't match the allowed list "PermitMAC".


Does anyone knows why the client even gets a IP-Address from the DHCP Server ?

Thank you very much in advance and

kind regards


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
ccbootcamp Mon, 11/26/2007 - 22:06
User Badges:
  • Gold, 750 points or more

Same segment as the Gi1/0/1 interface? I think you just answered the question...(or at least it looks like you did). If it's on the same segment, it's not "going through" the Gi1/0/1 interface. Maybe I'm missing something here?

What are the device(s) between the notebook and the DHCP server?



gerbers Tue, 11/27/2007 - 01:42
User Badges:

Hi Brad,

attached you find the setup. I double checked the situation with the customer. The DHCP-Server is NOT in the same VLAN as the notebook. On VLAN 11 interfaces within Switch 1 & Switch 2 the ip-helper address of the DHCP-Server is configured.

As i would expect Switch 2 shouldn't get access to the notebook because the MAC Address of the notebook isn't configured as a preferred device within the extended access-list "PermitMAC".

But the Notebook gets a IP-Adress from the DHCP Server.

Do you have any idea why ?

kind regards


gerbers Fri, 12/07/2007 - 00:34
User Badges:

Hello everybody,

does nobody have any idea about that issue ?



Kevin Dorrell Fri, 12/07/2007 - 04:33
User Badges:
  • Green, 3000 points or more

As far as I am aware, the MAC access-list applies only to non-IP traffic. (IPX, Apple, etc.) DHCP is effectively IP traffic, so is not filtered by the access list.

If you really want to restrict the MAC address, do so using the normal port-security system, with a static mapping and one MAC only allowed.

Kevin Dorrell


gerbers Fri, 12/07/2007 - 05:49
User Badges:

Hi Kevin,

thanks a lot for your feedback. Situation is all other IP-Traffic is blocked by this MAC access-List. In fact the default-gateway for that client is not reachable via ICMP.

Nevertheless I will try it with the normal port-security system.

Kind Regards


Kevin Dorrell Fri, 12/07/2007 - 06:36
User Badges:
  • Green, 3000 points or more


In that case I am very puzzled because the documentation is quite clear that "You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs."


Are you sure it is not something else that is filtering your traffic, indicating some other problem?

Kevin Dorrell


gerbers Fri, 12/07/2007 - 06:51
User Badges:

Hi Kevin,

yes I'm pretty sure that no other device is blocking that traffic. As you can see in the attachement in the 2nd reply to this conversation there is no device in between.

Maybe it's a question of interpretation; you can filter non-IPv4 traffic doesn't mean you can not filter IPv4 traffic does it ?

Kind regards and have a nice weekend


a.cruea1980 Fri, 12/07/2007 - 07:00
User Badges:
  • Bronze, 100 points or more

I'm just curious why you're doing it this way as opposed to just setting up the interface with port security max-addresses and shutting down the interface if a non-allowed MAC is detected?

gerbers Mon, 12/10/2007 - 00:51
User Badges:

Hi Adam,

i tried to setting up the interface with port security. The problem i have is to setting up more than one port with the same secrue MAC-addresses.


Several Ports are assigned to some meeting rooms where just dedicated notebooks should get access.

If i try to setup the same secure MAC-address to a interface i get following message;

Cat3750G(config-if)# switchport port-security mac-address 000b.xxxx.xxxx

Found duplicate mac-address 000b.xxxx.xxxx.

Does anybody have any idea how i can solve that issue ?

Kind Regards



This Discussion