Port-security question

sdavids5670
Level 2

I'd like to know if it is possible, via port-security, to block access to a system based on a MAC address range. In this particular instance, a client of mine wants to prevent patients from bringing in gaming consoles (such as PS3 or XBox). However, these patients are allowed to bring in laptops. The prefix for Sony Computer Entertainment is 00041F and Microsoft uses 0050F2 for the XBox, so is there a way to say, with port-security, do not allow any MAC beginning with 00:04:1F or 00:50:F2?

2 Replies

Collin Clark
VIP Alumni

AFAIK I don't think you can do that, but you could use a MAC based ACL. They would be able to connect, but wouldn't get anywhere.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Hope that helps.

I think a MAC ACL applied to a VLAN interface will work as long as the network admin gets all the patients' laptop MACs registered.

And under the same presumption, you could use the port-security feature as well. That means you have to register the laptops' MACs and permit them on each switch port.

If the number of switch ports for the patients is very small, I would try to use the port-security feature as follows:

1. Enable errdisable recovery cause psecure-violation

2. Enable the port-security feature on an interface:

switch(config-if)#switchport port-security

switch(config-if)#switchport port-security maximum 1

switch(config-if)#switchport port-security mac-address sticky

3. Plug your laptop into an interface and let the switch learn your laptop's MAC

4. Copy and paste the config of this switch port to other switch ports

5. When a new patient needs access, increase the maximum number by 1 each time, such as for the first patient

switch(config-if)#switchport port-security maximum 2

6. Plug the patient's laptop into the switch port

7. Copy and paste the config of this switch port to other ports if needed

8. Repeat 5 to 8

It does not sound convenient because you need to spend the time to build the MAC list even though the switch learns it automatically.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1038501

I am looking forward to hearing if anyone knows a better solution. For example, can the switch automatically learn the MACs and save them to the MAC table? An ACL applied to a VLAN interface or to each switch port would then only allow the laptops with the MACs listed in the switch MAC table.
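An added example (not from any reply in this thread) that shows the defender-side view of the two approaches discussed: it parses constructed `show mac address-table` output for the two OUI prefixes quoted in the question and builds a MAC ACL that denies those prefixes by wildcard mask. The sample MAC addresses are made up, and the `mac access-list extended` syntax with a source-address mask is my assumption about the IOS form; check it against the MAC ACL guide linked above.

```python
import re

# OUI prefixes quoted in the question (Sony Computer Entertainment, Microsoft/Xbox).
BLOCKED_OUIS = {"00041F": "Sony Computer Entertainment", "0050F2": "Microsoft (Xbox)"}

# Constructed sample of IOS `show mac address-table` output; the MACs are made up.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0004.1f12.3456    DYNAMIC     Fa0/3
  10    001c.c4aa.bbcc    DYNAMIC     Fa0/4
  10    0050.f2de.adbe    STATIC      Fa0/5
  10    0050.F2ab.cdef    DYNAMIC     Fa0/6
"""

MAC_ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\w+)\s+(\S+)")

def normalize_oui(mac):
    """Return the first three octets of a MAC (any separator style) as six upper-case hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).upper()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return hexdigits[:6]

def find_blocked_hosts(mac_table_text):
    """Parse `show mac address-table` text; return (mac, port, vendor) for entries whose OUI is blocked."""
    hits = []
    for line in mac_table_text.splitlines():
        m = MAC_ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        _vlan, mac, _type, port = m.groups()
        vendor = BLOCKED_OUIS.get(normalize_oui(mac))
        if vendor:
            hits.append((mac.lower(), port, vendor))
    return hits

def mac_acl_deny_lines(acl_name="BLOCK-CONSOLES"):
    """Build a MAC ACL denying the blocked OUIs (mask 0000.00ff.ffff = low 3 octets don't care)."""
    lines = [f"mac access-list extended {acl_name}"]
    for oui in sorted(BLOCKED_OUIS):
        o = oui.lower()
        lines.append(f" deny {o[:4]}.{o[4:6]}00.0000 0000.00ff.ffff any")
    lines.append(" permit any any")  # hypothetical default; tighten to your policy
    return lines
```

An OUI match only catches factory-assigned addresses, so treat it as a policy aid rather than a hard control.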
