Help with Port Security and MAC addresses

Answered Question
Aug 24th, 2009

We are looking at implementing port security and I am looking for a way to accomplish the following.

What we would like to do is prevent someone attaching to a switch that does not have a MAC Address that matches our list of MAC Addresses.

I need the users to be able to move around the office and gain access so the MAC address should not be locked down to a specific port.

The port should be shutdown if there is a violation.


How can I accomplish this?


I thought of port security with dynamic learning and a maximum number of MAC addresses, but that would allow someone to just attach and go because there is no restriction on the MAC address, and sticky would not work because we need the users to be able to move around the office.

Also, 802.1x port authentication would be OK but it would have to be reconfigured if a device is moved.


Can I use an ACL globally and restrict based on a list of MAC addresses?


Any direction and help would be greatly appreciated.


Mike

Correct Answer by Yudong Wu about 7 years 10 months ago

Well, I don't think locking down network access by using MAC address is a good idea.


But if you would like to do it this way, you can use MAC ACL to realize it.


Here is just an example.

http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

burleyman Mon, 08/24/2009 - 09:42

Thanks, I was looking into a MAC ACL type of thing.


What would you recommend to lock down access to the switch?


Mike

burleyman Mon, 08/24/2009 - 09:52

I get a forbidden file when I try that link. Can you post the document?



Mike

burleyman Mon, 08/24/2009 - 11:16

It would be nice to get a NAC but I know it is not in the budget for this year.


Let's see if I got this right. What I have is a list of MAC addresses that I want to "allow" to connect to our switchports, and anything other than the listed MAC addresses should be dropped and/or have the port disabled. The switch is a Catalyst 3560 and I do have the following VLANs defined: VLAN1 is the VLAN for all network gear, VLAN3 is for servers, VLAN5 is for printers, VLAN101 is for data (PCs), and VLAN201 is for VoIP. Would the following config work for what I would like to accomplish?


mac access-list extended ALLOWED_MACs_VL3
 permit host 0000.861f.3a45
 permit host 0000.861f.3745
 permit host 0000.861f.3641
 permit host 0000.861f.2134
 -Keep going with the MAC addresses I want to allow---

vlan access-map ALLOWED_MACs 10
 action allow
 match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
 action drop

vlan filter ALLOWED_MACs vlan-list 3


and do this for each VLAN....



Thanks for your help.


Mike

Yudong Wu Mon, 08/24/2009 - 11:32

Config looks good.

You'd better test it before implementing it on the production switch.

Don't forget to include the MAC of the default gateway in each VLAN.

burleyman Mon, 08/24/2009 - 11:47

Thanks.


Now could I just do this instead?


mac access-list extended ALLOWED_MACs_VL3
 permit host 0000.861f.3a45
 permit host 0000.861f.3745
 permit host 0000.861f.3641
 permit host 0000.861f.2134
 -Keep going with the MAC addresses I want to allow---

vlan access-map ALLOWED_MACs 10
 action allow
 match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
 action drop

and not have them separate for each VLAN?



Mike

Yudong Wu Mon, 08/24/2009 - 11:59

You can have one MAC ACL which includes the permitted MAC addresses of all VLANs and then use it in a VLAN map. You can then apply this VLAN map to multiple VLANs.

burleyman Mon, 08/24/2009 - 12:06

Oh... so it would be like this:


mac access-list extended ALLOWED_MACs_VL3
 permit host 0000.861f.3a45
 permit host 0000.861f.3745
 permit host 0000.861f.3641
 permit host 0000.861f.2134
 -Keep going with the MAC addresses I want to allow---

vlan access-map ALLOWED_MACs 10
 action allow
 match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
 action drop

vlan filter ALLOWED_MACs vlan-list 1
vlan filter ALLOWED_MACs vlan-list 3
vlan filter ALLOWED_MACs vlan-list 5
vlan filter ALLOWED_MACs vlan-list 101
vlan filter ALLOWED_MACs vlan-list 201



Mike

Correct Answer
Yudong Wu Mon, 08/24/2009 - 12:10

You just need one vlan filter command:

vlan filter ALLOWED_MACs vlan-list 1 , 3 , 5 , 101 , 201
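To turn an allow-list into the single-ACL, single-map, single-filter form settled on above, here is an added Python generator (not from this thread or from Cisco): it normalizes MAC notations to the IOS dotted form, appends each VLAN's gateway MAC per Yudong's caveat, dedupes, and emits one `vlan filter ... vlan-list` line. The MAC addresses, gateway MACs and the ACL/map name are constructed assumptions; it writes `action forward` and `permit host <mac> any`, the full IOS keyword forms, rather than the thread's shorthand.

```python
import re

# Constructed sample allow-list keyed by VLAN id (made-up MACs, not the thread's).
ALLOWED = {
    3: ["00:00:86:1f:3a:45", "0000.861f.3745"],
    101: ["00-00-86-1F-36-41", "0000.861f.2134"],
}
# Constructed default-gateway MAC per VLAN; each one must be permitted as well.
GATEWAYS = {3: "0000.0c07.ac03", 101: "0000.0c07.ac65"}


def to_cisco_mac(mac):
    """Normalize colon, dash or dotted notation to IOS xxxx.xxxx.xxxx (lowercase)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def build_vacl(allowed, gateways, name="ALLOWED_MACs"):
    """Return IOS lines: one MAC ACL, a two-entry VLAN map and a single vlan filter."""
    missing = [v for v in allowed if v not in gateways]
    if missing:  # refuse to emit a map that would cut a VLAN off from its gateway
        raise ValueError(f"no gateway MAC for VLAN(s) {missing}")
    macs, seen = [], set()
    for vlan in sorted(allowed):
        for raw in list(allowed[vlan]) + [gateways[vlan]]:
            m = to_cisco_mac(raw)
            if m not in seen:  # one ACL serves every VLAN, so dedupe across VLANs
                seen.add(m)
                macs.append(m)
    lines = [f"mac access-list extended {name}"]
    # MAC ACL entries take a destination too; 'any' keeps the allow-list source-only.
    lines += [f" permit host {m} any" for m in macs]
    lines += [
        f"vlan access-map {name} 10",
        f" match mac address {name}",
        " action forward",
        f"vlan access-map {name} 20",
        " action drop",
        f"vlan filter {name} vlan-list {','.join(str(v) for v in sorted(allowed))}",
    ]
    return lines


if __name__ == "__main__":
    print("\n".join(build_vacl(ALLOWED, GATEWAYS)))
```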

burleyman Mon, 08/24/2009 - 12:17

Thanks for all your help.


Mike

burleyman Fri, 08/28/2009 - 12:46

Kevin,


My boss wanted me to open a TAC case on this to have Cisco double-check the config. The tech said this would not work and I should use dot1x instead. Now I read the document you sent and it all looks like it should work. Am I missing something? Here is what the tech said:


If you are wanting to deny any traffic at all from these rogue users, VACLs will not do that. DHCP, ARP, etc. will not be looked at by VACLs. What you really need here for this type of security is dot1x. VACLs only work on intervlan L2 traffic and not on L3 traffic so it will not totally block all access. You could statically assign mac-addresses to the ports but this will be very time consuming and manual.


Can you confirm?


Mike

Yudong Wu Mon, 08/31/2009 - 09:36

As I mentioned before, controlling access by using MAC addresses can only provide limited security.

If you implement the VLAN map as we discussed, ARP requests from a rogue user's PC will be blocked. As a result, it could not communicate with another PC since it could not resolve that PC's MAC address from its IP. But if the rogue user knows the MAC of the destination IP, he can configure an ARP entry manually and then communicate with that IP. A VLAN map with a MAC ACL could not block that.


The best way to understand this is to try it in the lab.


HTH

burleyman Tue, 09/01/2009 - 06:13

Thank you for responding. Just so you know, I think what you suggested would work, but when I opened a TAC case... and they have yet to answer my questions since Friday!... they said it would not work but did not explain why. They wanted to do dot1x. Here is what they said:


If you are wanting to deny any traffic at all from these rogue users, VACLs will not do that. DHCP, ARP, etc. will not be looked at by VACLs. What you really need here for this type of security is dot1x. VACLs only work on intervlan L2 traffic and not on L3 traffic so it will not totally block all access. You could statically assign mac-addresses to the ports but this will be very time consuming and manual.


I still have the case open, so I am contacting them again to find out why the first solution would not work.



Mike

burleyman Mon, 08/24/2009 - 09:56

Never mind, I changed "partner" to "customer" in the URL and was able to get to it.


Mike
