08-24-2009 04:32 AM - edited 03-06-2019 07:23 AM
We are looking at implementing port security and I am looking for a way to accomplish the following.
What we would like to do is prevent someone attaching to a switch that does not have a MAC Address that matches our list of MAC Addresses.
I need the users to be able to move around the office and gain access so the MAC address should not be locked down to a specific port.
The port should be shutdown if there is a violation.
How can I accomplish this?
I thought of Port security Dynamic learning and max amount of MAC addresses but it would allow someone to just attach and go because there is no restriction on the MAC address, and sticky would not work because we need the users to be able to move around the office.
Also, 802.1x port authentication would be OK but it would have to be reconfigured if a device is moved.
Can I use an ACL globally and restrict based on a list of MAC addresses?
Any direction and help would be greatly appreciated.
Mike
08-24-2009 09:08 AM
Well, I don't think locking down network access by using MAC address is a good idea.
But if you would like to do it this way, you can use MAC ACL to realize it.
Here is just an example.
08-24-2009 09:42 AM
Thanks I was looking into a MAC ACL type thing.
What would you recommend to lock down access to the switch?
Mike
08-24-2009 09:52 AM
I get a forbidden file when I try that link. Can you post the document?
Mike
08-24-2009 09:56 AM
It is just an example. You can find more info in the configuration guide of the related switch.
You can implement NAC to control your network access.
http://www.cisco.com/en/US/products/ps6128/index.html.
08-24-2009 11:16 AM
It would be nice to get a NAC but I know it is not in the budget for this year.
Let's see if I got this right. What I have is a list of MAC addresses that I want to "allow" to connect to our switchports, and anything other than the listed MAC addresses should be dropped and/or have the port disabled. The switch is a Catalyst 3560 and I have the following VLANs defined: VLAN1 is the VLAN for all network gear, VLAN3 is for servers, VLAN5 is for printers, VLAN101 is for data (PCs), and VLAN201 is for VoIP. Would the following config work for what I would like to accomplish?
mac access-list extended ALLOWED_MACs_VL3
permit host 0000.861f.3a45 any
permit host 0000.861f.3745 any
permit host 0000.861f.3641 any
permit host 0000.861f.2134 any
-Keep going with the MAC addresses I want to allow---
vlan access-map ALLOWED_MACs 10
action forward
match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
action drop
vlan filter ALLOWED_MACs vlan-list 3
and do this for each VLAN....
Thanks for your help.
Mike
08-24-2009 11:32 AM
Config looks good.
You'd better test it before implementing it on the production switch.
Don't forget to include the MAC of the default gateway in each VLAN.
08-24-2009 11:47 AM
Thanks.
Now could I just do this instead?
mac access-list extended ALLOWED_MACs_VL3
permit host 0000.861f.3a45 any
permit host 0000.861f.3745 any
permit host 0000.861f.3641 any
permit host 0000.861f.2134 any
-Keep going with the MAC addresses I want to allow---
vlan access-map ALLOWED_MACs 10
action forward
match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
action drop
and not have them separate for each VLAN?
Mike
08-24-2009 11:59 AM
You can have a MAC ACL which includes the permitted MAC addresses of all VLANs and then use it in a VLAN map. You can then apply this VLAN map to multiple VLANs.
08-24-2009 12:06 PM
Oh...so it would be like this.....
mac access-list extended ALLOWED_MACs_VL3
permit host 0000.861f.3a45 any
permit host 0000.861f.3745 any
permit host 0000.861f.3641 any
permit host 0000.861f.2134 any
-Keep going with the MAC addresses I want to allow---
vlan access-map ALLOWED_MACs 10
action forward
match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
action drop
vlan filter ALLOWED_MACs vlan-list 1
vlan filter ALLOWED_MACs vlan-list 3
vlan filter ALLOWED_MACs vlan-list 5
vlan filter ALLOWED_MACs vlan-list 101
vlan filter ALLOWED_MACs vlan-list 201
Mike
08-24-2009 12:10 PM
you just need one vlan filter command:
vlan filter ALLOWED_MACs vlan-list 1 , 3 , 5 , 101 , 201
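As an added example (not from the thread, and not Cisco's code), a small Python generator for the config discussed above: it normalises a list of allowed MACs from mixed notations into IOS dotted form, folds in the default-gateway MAC of each VLAN as advised earlier in the thread, and emits one MAC ACL, one VLAN map and the single vlan filter line. Every MAC address and the VLAN-to-gateway mapping are constructed placeholders.

```python
import re

# Constructed sample input, not from the thread: allowed MACs as a spreadsheet
# export typically yields them (mixed notations, one duplicate on purpose).
ALLOWED_MACS = [
    "00:00:86:1f:3a:45",
    "00-00-86-1F-37-45",
    "0000.861f.3641",
    "0000.861F.2134",
    "0000.861f.3641",
]
# Constructed placeholders: default-gateway MAC of each VLAN in the thread.
GATEWAY_MACS = {1: "0000.0c9f.f001", 3: "0000.0c9f.f003", 5: "0000.0c9f.f005",
                101: "0000.0c9f.f065", 201: "0000.0c9f.f0c9"}


def to_cisco_mac(mac):
    """Normalise colon, hyphen or dotted notation to lowercase xxxx.xxxx.xxxx."""
    digits = re.sub(r"[:.\-]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    d = digits.lower()
    return f"{d[0:4]}.{d[4:8]}.{d[8:12]}"


def missing_gateways(allowed, gateways):
    """VLANs whose gateway MAC is absent from the allow list (the pre-deployment
    check the thread asks for): an omitted gateway cuts off that whole VLAN."""
    have = {to_cisco_mac(m) for m in allowed}
    return sorted(v for v, gw in gateways.items() if to_cisco_mac(gw) not in have)


def build_config(allowed, gateways, acl="ALLOWED_MACs", vmap="ALLOWED_MACs"):
    """Emit one MAC ACL, a two-entry VLAN map and a single vlan filter line."""
    macs = sorted({to_cisco_mac(m) for m in list(allowed) + list(gateways.values())})
    lines = [f"mac access-list extended {acl}"]
    # Extended MAC ACL entries take a source and a destination; "any" as the
    # destination permits frames from a listed source to every destination.
    lines += [f" permit host {m} any" for m in macs]
    lines += [f"vlan access-map {vmap} 10", f" match mac address {acl}",
              " action forward",
              f"vlan access-map {vmap} 20", " action drop"]
    # One filter statement covers every VLAN, as the thread concludes.
    lines.append(f"vlan filter {vmap} vlan-list {','.join(str(v) for v in sorted(gateways))}")
    return lines


if __name__ == "__main__":
    print("\n".join(build_config(ALLOWED_MACS, GATEWAY_MACS)))
```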
08-24-2009 12:17 PM
Thanks for all your help.
Mike
08-28-2009 12:46 PM
Kevin,
My boss wanted me to open a TAC case on this to have Cisco double-check the config. The tech said this would not work and I should use dot1x instead. Now I read the document you sent and it all looks like it should work. Am I missing something? Here is what the tech said....
If you are wanting to deny any traffic at all from these rogue users, VACLs will not do that. DHCP, ARP, etc. will not be looked at by VACLs. What you really need here for this type of security is dot1x. VACLs only work on intervlan L2 traffic and not on L3 traffic so it will not totally block all access. You could statically assign mac-addresses to the ports but this will be very time consuming and manual.
Can you confirm?
Mike
08-31-2009 09:36 AM
As I mentioned before, controlling access by using MAC addresses can only provide limited security.
If you implement the VLAN map as we discussed, ARP requests from a rogue user's PC will be blocked. As a result, it could not communicate with another PC since it could not resolve that PC's MAC address from its IP. But if the rogue user knows the MAC of the destination IP, he can configure an ARP entry manually and then communicate with that IP. A VLAN map with a MAC ACL could not block that.
The best way to understand this is to try it in the lab.
HTH
09-01-2009 06:13 AM
Thank you for responding. Just so you know, I think what you suggested would work, but when I opened a TAC case...which they have yet to answer my questions on since Friday!...they said it would not work but did not explain why. They wanted to do dot1x. Here is what they said....
If you are wanting to deny any traffic at all from these rogue users, VACLs will not do that. DHCP, ARP, etc. will not be looked at by VACLs. What you really need here for this type of security is dot1x. VACLs only work on intervlan L2 traffic and not on L3 traffic so it will not totally block all access. You could statically assign mac-addresses to the ports but this will be very time consuming and manual.
I still have the case open so I am contacting them again to find out why the first solution would not work.
Mike