Static arp table for a certain port

Unanswered Question
Mar 7th, 2010
User Badges:


Hi all

Is there any way to make a static ARP table for my c2960g port g0/1 so the computer only learns MACs that I put in manually?


Thank you in advance

Giuseppe Larosa Sun, 03/07/2010 - 03:39
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame,

    Founding Member

Hello Amk316316,


you probably mean that you want only a specific MAC address to be able to use port g0/1.


What you need here is port security.


see


http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1155336



int gi0/1

switchport port-security mac-address xxxx.yyyy.zzzz

! following command is needed to enable port security:

switchport port-security


The ARP table is the resolution table of IP addresses to MAC addresses.


On a L2 port you can only work on the CAM table (the table of MAC addresses, VLANs and the ports where they are seen).


Hope to help

Giuseppe

Ganesh Hariharan Sun, 03/07/2010 - 22:11
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Hi,


Static MAC address configuration on a switch can be done with the switch port security feature in Cisco switches. Before configuring switchport security, consider the following guidelines:


    A secure port cannot be a trunk port.
    A secure port cannot be an 802.1X port.
    A secure port cannot belong to an EtherChannel port-channel interface.
    A secure port and static MAC address configuration are mutually exclusive.
    A secure port cannot be a destination port for Switch Port Analyzer (SPAN).


and check out the links below for the step-by-step commands to bind a static MAC on a switch interface:


http://www.ciscosystems.com.pe/en/US/docs/switches/lan/catalyst2950/software/release/12.1_11_ea1/configuration/guide/swtrafc.html#wp1093914


http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_14_ea1/configuration/guide/swtrafc.html#wp1038552


Hope to help !!


Remember to rate the helpful post


Ganesh.H

amk316316 Sun, 03/07/2010 - 23:43
User Badges:




Thank you for your replies.

What I did is the following.

I connected a server (Blue Coat) to port g0/1 and did the following:

Port Security:

*******************

interface GigabitEthernet0/1

switchport mode access

switchport port-security maximum 5

switchport port-security

switchport port-security violation restrict

switchport port-security mac-address sticky

switchport port-security mac-address sticky 0014.22f8.20c9 vlan access

*******************

Result was:

The MAC addresses I entered were blocked and all others can pass through,

which is the opposite of what I want.


ACL:

*******************

mac access-list extended mac-acl
 permit host 0014.22f8.20c9 any
 deny   any any
 
 
interface GigabitEthernet0/1
 mac access-group mac-acl in

*******************

Result was:

Nothing at all, everyone can access the server

Ganesh Hariharan Sun, 03/07/2010 - 23:58
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016



As per your requirement, you want only one MAC to be configured on the interface manually. Then do the following configuration at the interface level of the switch:


Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.


Sticky secure MAC addresses—These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.


Try the following configuration and check whether only one MAC is allowed or not!


interface FastEthernet0/2

switchport mode access

switchport port-security

switchport port-security maximum 2

switchport port-security mac-address 0000.0000.000b

switchport port-security violation {protect | restrict | shutdown}


Hope to help !!


Ganesh.H

amk316316 Mon, 03/08/2010 - 01:07
User Badges:

I did the following:

*******************

interface GigabitEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0014.22f8.20c9 vlan access

*******************


Result was the same:

The MAC addresses I entered were blocked and all others can pass through.

Also, the address I entered can't connect to anything in the network; I can't even ping the switch.


ps:

System image file is "flash:c2960-lanbasek9-mz.122-52.SE/c2960-lanbasek9-mz.122-52.SE.bin"
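An added example (not from the thread and not Cisco's code): a small Python model of the port-security behaviour Ganesh describes above (static secure MACs stored in the address table, a maximum count, a violation mode), run against the configuration in the post above. It assumes that port security checks the source MAC of frames entering the secured port and that a static secure MAC is pinned to that port in the address table; the port names and the server and other-host MACs are constructed.

```python
# Added example (not from the thread): a minimal model of Cisco port security,
# used to reason about the result in the post above. Assumed (not on the page):
# port security checks the SOURCE MAC of frames entering the secured port, and
# each secure MAC is installed in the MAC address table as a static entry there.

class Switch:
    def __init__(self):
        self.mac_table = {}  # mac -> port (the CAM table)
        self.static = set()  # MACs pinned to a port by port security
        self.secure = {}     # port -> {"max", "mode", "macs", "errdisable"}
        self.dropped = []    # (port, src, reason): what syslog would report

    def port_security(self, port, maximum, violation, static_macs=()):
        """switchport port-security [maximum N] [violation M] [mac-address X]"""
        self.secure[port] = {"max": maximum, "mode": violation,
                             "macs": set(static_macs), "errdisable": False}
        for mac in static_macs:  # static secure MACs go into the address table
            self.mac_table[mac] = port
            self.static.add(mac)

    def ingress(self, port, src, dst):
        """Return the egress port of a frame, or None if it is dropped."""
        sec = self.secure.get(port)
        if sec is not None:
            if sec["errdisable"]:
                self.dropped.append((port, src, "err-disabled"))
                return None
            if src not in sec["macs"]:
                if len(sec["macs"]) < sec["max"]:
                    sec["macs"].add(src)  # learned (sticky would also save it)
                else:
                    self.dropped.append((port, src, "violation:" + sec["mode"]))
                    sec["errdisable"] = sec["mode"] == "shutdown"
                    return None
        if src not in self.static:  # dynamic learning never moves a static entry
            self.mac_table[src] = port
        out = self.mac_table.get(dst, "flood")
        return None if out == port else out  # never back out the ingress port

def thread_scenario():
    """The post's last config: CLIENT MAC static-secure on the server port Gi0/1,
    maximum 2, violation restrict. Server and other-host MACs are constructed."""
    client, server, other = "0014.22f8.20c9", "0000.81b5.bbac", "0000.0000.000b"
    sw = Switch()
    sw.port_security("Gi0/1", 2, "restrict", static_macs=[client])
    sw.ingress("Gi0/1", server, client)  # server learned as the 2nd secure MAC
    other_ok = sw.ingress("Gi0/3", other, server) == "Gi0/1"  # unaffected host
    sw.ingress("Gi0/2", client, server)  # client -> server still delivered
    reply = sw.ingress("Gi0/1", server, client)  # dst pinned to Gi0/1: dropped
    return {"other_reaches_server": other_ok, "reply_to_client": reply}
```

With these assumptions the model reproduces the symptom in the post: hosts on other ports still reach the server, while the one MAC made secure on g0/1 has its return traffic switched to g0/1 and gets nothing back.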

Ganesh Hariharan Mon, 03/08/2010 - 02:23
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Hi,


Can you brief once again what exactly your requirement is? As I read the original post, quoted below, you mean to say you want to change the ASIC port MAC address of the switch which is connected to the server. If yes: no, you can't change the MAC of the ASIC port of the switch.


Hi all


Is there any way to make a static ARP table for my c2960g port g0/1 so the computer only learns MACs that I put in manually?




Thank you in advance



Hope to Help !!


Ganesh.H

amk316316 Mon, 03/08/2010 - 03:27
User Badges:


Thank you

I am looking for a way to restrict access to port g0/1 in my 2960g switch: a whitelist of MAC addresses that can access the server. I tried Port Security and ACLs but no luck; I looked into VMPS but it's too complicated and needs a TFTP server and so on.


So I thought that if I make a static ARP table that the server on g0/1 reads from, it may solve my problem.


Any other solution is appreciated

Ganesh Hariharan Tue, 03/09/2010 - 23:38
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016



Hi,


Can you try configuring a VLAN access map combined with a MAC address based ACL and check whether it is working or not. Check out the link below for VLAN access map configuration on switches.


http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml


Hope to Help !!


Ganesh.H

amk316316 Tue, 03/09/2010 - 23:25
User Badges:

I did

******************

mac access-list extended ARP_Packet
permit host 0014.22f8.20c9 host 0000.81b5.bbac 0x806 0x0
mac access-list extended block_arp
deny   any any 0x806 0x0



interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access

***************


but when I put this command


ICO(config)#vlan access-map block_arp 10
                                           ^
% Invalid input detected at '^' marker.


(the ^ marker is under the "b")

Ganesh Hariharan Wed, 03/10/2010 - 01:04
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Hi,


What is the switch model and IOS version, and when you do vlan access-map ?, what commands are you able to see?


Ganesh.H

amk316316 Wed, 03/10/2010 - 01:08
User Badges:

It's a Cisco Catalyst 2960G (WS-C2960G-24TC-L).

ICO#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 08:49 by sasyamal
Image text-base: 0x00003000, data-base: 0x01500000


ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)


ICO uptime is 1 hour, 2 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbasek9-mz.122-52.SE/c2960-lanbasek9-mz.122-52.SE.bin"



*************************************

ICO(config)#vlan access-map ?
 


************************************

ICO(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('a').

Ganesh Hariharan Wed, 03/10/2010 - 01:21
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016


Hi,


I think your switch does not support the vlan access-map command, because if you do vlan ? it should come up with access-map as a command, but in your case I expect it will be showing:


Switch(config)#vlan ?
  WORD      ISL VLAN IDs 1-4094
  internal  internal VLAN


Hope to help !!


Ganesh.H

Ganesh Hariharan Wed, 03/10/2010 - 01:31
User Badges:
  • Purple, 4500 points or more
  • Community Spotlight Award,

    Member's Choice, February 2016



Hi,


As you have created a MAC based ACL, just apply this ACL in the "in" direction where the MAC can initiate traffic towards the destination end server MAC. Following are the guidelines for using MAC based ACLs on L2 switches:


1) You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

2) A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.


and check out the link for MAC based ACLs on L2 switches; it should work.


http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html#wp1629114


The direction of the ACL is critical; just apply it, as suggested in the beginning, on the port where the traffic is initiated.


Hope to help !!
