How to setup MAC based ACL on switches (3524/295x)

catsaretoocute
Level 1

I have a few Cisco switches (one 3524, and the others are 2950s) in my network.

I have a list of all the MAC addresses of all my servers and desktops in my office (there are about 400 MAC addresses).

I want to set up an ACL so that only those MAC addresses will be allowed on the switch. This way no one will be able to connect their personal laptops to the network; the switch will not accept any data from these bad laptops.

Now I don't mind doing a port-by-port thing, i.e., I don't mind saying that MAC address x is allowed access only on port y on switch z. Or I don't mind a single list which contains all the MACs, with all these switches referring to this list.

I have basic knowledge of router and switch setup, so please be kind!

Any help provided is very much appreciated.

Thanks

Dee



mihanlin
Level 1

Hi,

Unfortunately, you are very much limited by your 3524 switch in this scenario as it doesn't really support many features you need to implement something like this.

Firstly, MAC ACLs won't really help here because they only work on NON-IP traffic.

Your best solution would be port-security (again, only supported on the 2950s). This will shut the port down when a different MAC is detected on the interface.

E.g.

Switch(config)# interface fastethernet0/1

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security mac-address 0000.0000.4141
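The original poster has about 400 MACs to map onto ports across several switches, so the per-port commands above are best generated from an inventory rather than typed by hand. The script below is an added example (not part of this thread): it takes constructed switch,port,MAC rows, normalises each MAC into Cisco's dotted form, groups them per port, and emits the port-security lines from the post plus the `maximum` and `violation shutdown` keywords (assumed to match the poster's IOS; switch and port names are made up).

```python
import re
from collections import defaultdict

# Constructed sample inventory (not from the thread): switch, port, MAC in mixed notations
INVENTORY = """\
sw-2950-a,FastEthernet0/1,00:11:22:33:44:55
sw-2950-a,FastEthernet0/2,00-11-22-33-44-66
sw-2950-a,FastEthernet0/2,001122334467
sw-2950-b,FastEthernet0/1,0011.2233.4488
"""

def normalize_mac(mac):
    """Return a MAC in Cisco dotted form (xxxx.xxxx.xxxx) or raise ValueError."""
    if re.search(r"[^0-9a-fA-F:.\- ]", mac.strip()):
        raise ValueError(f"bad MAC: {mac!r}")
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    h = hexdigits.lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"

def parse_inventory(text):
    """Group normalised MACs by (switch, port); a MAC repeated on one port is kept once."""
    ports = defaultdict(list)
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 3:
            raise ValueError(f"line {lineno}: expected switch,port,mac")
        switch, port, mac = fields
        mac = normalize_mac(mac)
        if mac not in ports[(switch, port)]:
            ports[(switch, port)].append(mac)
    return ports

def render_config(ports, switch):
    """Emit IOS port-security config for one switch: static MACs, port shut down on violation."""
    lines = []
    for (sw, port), macs in sorted(ports.items()):
        if sw != switch:
            continue
        lines.append(f"interface {port}")
        lines.append(" switchport mode access")
        lines.append(" switchport port-security")
        lines.append(f" switchport port-security maximum {len(macs)}")  # one entry per allowed host
        lines.append(" switchport port-security violation shutdown")
        for mac in macs:
            lines.append(f" switchport port-security mac-address {mac}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_config(parse_inventory(INVENTORY), "sw-2950-a"))
```

A malformed MAC anywhere in the inventory raises before any config is written, so a typo cannot silently leave a port open to an unintended address.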

Can you suggest some other alternatives?

For example can this be achieved using some software?

Or can you suggest similar cisco 1U switches which can do this for me in an easier way?

Thanks

Dee

The only other alternative would be 802.1x with MAC auth bypass. However, this would require you to set up a RADIUS server to validate the MAC addresses. This is supported on 2960s/3550s/3560s/3750s, which are 1U.

This is by far the most secure and scalable solution to what you want, and is what is deployed in large networks for securing access ports.

The precursor to 802.1x is VMPS. However, the only devices to support the VMPS server are CatOS switches, so I don't think this would be viable.

Thank you for your insight, I will run this by my manager! Thanks again!

The 3524 and 2950s that I have, don't they have CatOS? This is what it shows me. Or is CatOS something totally different? Was it a special OS available only on certain models of switches?

Cisco3524#sh version

Cisco Internetwork Operating System Software

IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.2)XU

Hello Dilip,

Your 3524 and 2950 are IOS-based switches.

CatOS switches are/were C6500, C5500, C4000, C4500. C6500 and C4500 now use IOS; C5500 are end of sale but still used, so the same should hold for C4000.

A CatOS device has commands like

set vlan 5 4/1

Ports have no name, and you don't use config t to configure, just to say a few things.

Hope to help

Giuseppe

Hi

And also Cisco 3750

HTH

DAk

You can run a VMPS database on Linux with freeware. No need for CatOS box.

Mats

How can I set this up? What all is required? Can you provide some more details? Are you talking about FreeNAC?

Hi,

I am talking about VMPS. Read the Cisco manual

and use Linux and freeware for the database.

Google for freeware.

Regards

Mats
