12-03-2008 01:44 PM - edited 03-06-2019 02:48 AM
I have a few Cisco switches (1 3524 and the others are 2950's) in my network.
I have a list of all the MAC addresses of all my servers and desktops in my office (there are about 400 MAC addresses).
I want to set up an ACL so that only those MAC addresses will be allowed on the switch. This way no one will be able to connect their personal laptops to the network; the switch will not accept any data from these bad laptops.
Now I don't mind doing a port-by-port thing, i.e., I don't mind saying that x MAC address is allowed access only on y port on z switch. Or I don't mind a single list which contains all the MACs and all these switches refer to this list.
I have basic knowledge of router and switch setup, so please be kind!
Any help provided is very much appreciated.
Thanks
Dee
12-03-2008 02:54 PM
Hi,
Unfortunately, you are very much limited by your 3524 switch in this scenario, as it doesn't really support many of the features you need to implement something like this.
Firstly, MAC ACLs won't really help here because they only work on non-IP traffic.
Your best solution would be port-security (again, only supported on the 2950s). This will shut the port down when a different MAC is detected on the interface.
E.g.:
Switch(config)# interface fastethernet0/1
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security mac-address 0000.0000.4141
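Typing the stanza above by hand for a few hundred MAC addresses is error-prone, so here is an added example (not from this thread, not Cisco's own tooling) that reads a constructed switch,interface,MAC inventory, normalizes each MAC into the dotted form IOS expects, refuses a MAC that is listed on two ports, and emits the port-security stanzas per switch. The `switchport mode access`, `maximum` and `violation shutdown` lines are standard IOS port-security commands that the reply above does not show; the inventory format and switch names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample inventory: switch,interface,MAC (any common MAC notation).
INVENTORY = """\
sw-2950-a,FastEthernet0/1,00:11:22:33:44:55
sw-2950-a,FastEthernet0/2,00-11-22-33-44-66
sw-2950-a,FastEthernet0/2,0011.2233.4477
sw-2950-b,FastEthernet0/1,001122334488
"""

def normalize_mac(mac: str) -> str:
    """Return the MAC in Cisco's dotted form (hhhh.hhhh.hhhh) or raise ValueError."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()   # strip separators only
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))

def parse_inventory(text: str) -> dict:
    """Group MACs by (switch, interface); reject a MAC that appears on two ports."""
    ports = defaultdict(list)
    seen = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        switch, iface, mac = (f.strip() for f in line.split(","))
        mac = normalize_mac(mac)
        if mac in seen and seen[mac] != (switch, iface):
            raise ValueError(f"{mac} listed on both {seen[mac]} and {(switch, iface)}")
        seen[mac] = (switch, iface)
        ports[(switch, iface)].append(mac)
    return ports

def port_security_config(ports: dict, switch: str) -> str:
    """Emit the IOS interface stanzas for one switch: static MACs, shutdown on violation."""
    out = []
    for (sw, iface), macs in sorted(ports.items()):
        if sw != switch:
            continue
        out.append(f"interface {iface}")
        out.append(" switchport mode access")          # port-security requires an access port
        out.append(" switchport port-security")
        out.append(f" switchport port-security maximum {len(macs)}")  # one slot per listed MAC
        for mac in macs:
            out.append(f" switchport port-security mac-address {mac}")
        out.append(" switchport port-security violation shutdown")   # err-disable on an unknown MAC
    return "\n".join(out)

if __name__ == "__main__":
    print(port_security_config(parse_inventory(INVENTORY), "sw-2950-a"))
```

The emitted text can be pasted into `configure terminal` on each switch; a port that gets err-disabled by a violation has to be bounced (shutdown / no shutdown) or recovered with errdisable recovery before it passes traffic again.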
12-03-2008 04:21 PM
Can you suggest some other alternatives?
For example can this be achieved using some software?
Or can you suggest similar cisco 1U switches which can do this for me in an easier way?
Thanks
Dee
12-03-2008 04:46 PM
The only other alternative would be 802.1x with MAC auth bypass. However, this would require you to set up a RADIUS server to validate the MAC addresses. This is supported on 2960s/3550s/3560s/3750s, which are 1U.
This is by far the most secure and scalable solution to what you want, and is what is deployed in large networks for securing access ports.
The precursor to 802.1x is VMPS. However, the only devices to support the VMPS server are CatOS switches, so I don't think this would be viable.
12-03-2008 05:05 PM
Thank you for your insight, I will run this by my manager! Thanks again!
12-04-2008 09:26 AM
The 3524 and 2950's that I have, don't they have CatOS? This is what it shows me. Or is CatOS something totally different? Was it a special OS available only on certain models of switches?
Cisco3524#sh version
Cisco Internetwork Operating System Software
IOS (tm) C3500XL Software (C3500XL-C3H2S-M), Version 12.0(5.2)XU
12-04-2008 10:21 AM
Hello Dilip,
Your 3524 and 2950 are IOS based switches.
CatOS switches are/were C6500, C5500, C4000, C4500. C6500 and C4500 now use IOS; C5500 are end of sale but still used, so should be for C4000.
A CatOS device has commands like
set vlan 5 4/1
Ports have no names, and you don't use config t to configure, just to say a few things.
Hope to help
Giuseppe
12-05-2008 04:16 AM
Hi
And also Cisco 3750
HTH
DAk
12-05-2008 04:28 AM
You can run a VMPS database on Linux with freeware. No need for CatOS box.
Mats
12-05-2008 05:47 AM
How can I set this up? What all is required? Can you provide some more details? Are you talking about FreeNAC?
12-05-2008 07:30 AM
Hi,
I am talking about VMPS. Read the Cisco manual and use Linux and freeware for the database.
Google for freeware.
Regards
Mats