Static arp table for a certain port

Unanswered Question
Mar 7th, 2010


Hi all

Is there any way to make a static ARP table for my C2960G port g0/1 so the computer only learns the MACs that I put in manually?

Thank you in advance

Giuseppe Larosa Sun, 03/07/2010 - 03:39

Hello Amk316316,

You probably mean that you want only a specific MAC address to be able to use port g0/1.

What you need here is port security.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1155336

int gi0/1
 switchport port-security mac-address xxxx.yyyy.zzzz
 ! following command is needed to enable port security:
 switchport port-security

The ARP table is the resolution table of IP addresses to MAC addresses.

On an L2 port you can only work on the CAM table (the table of MAC addresses, VLANs and the ports where they are seen).

Hope to help

Giuseppe

Ganesh Hariharan Sun, 03/07/2010 - 22:11


Hi,

Static MAC address configuration on a switch can be done with the switch port security feature in Cisco switches; before configuring switchport security, just consider the following guidelines:


    A secure port cannot be a trunk port.
    A secure port cannot be an 802.1X port.
    A secure port cannot belong to an EtherChannel port-channel interface.
    A secure port and static MAC address configuration are mutually exclusive.
    A secure port cannot be a destination port for Switch Port Analyzer (SPAN).

and check out the links below for the step-by-step commands to bind a static MAC to an interface of the switch:

http://www.ciscosystems.com.pe/en/US/docs/switches/lan/catalyst2950/software/release/12.1_11_ea1/configuration/guide/swtrafc.html#wp1093914

http://www.cisco.com/en/US/docs/switches/lan/catalyst2970/software/release/12.1_14_ea1/configuration/guide/swtrafc.html#wp1038552

Hope to help !!

Remember to rate the helpful post

Ganesh.H

amk316316 Sun, 03/07/2010 - 23:43


Thank you for your replies.

What I did is the following.

I connected a server (Blue Coat) to port g0/1 and did the following:

Port Security:

*******************

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security maximum 5
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky 0014.22f8.20c9 vlan access

*******************

Result was:

The MAC addresses I enter were blocked and all others can pass through,

which is the opposite of what I want.

ACL:

*******************

mac access-list extended mac-acl
 permit host 0014.22f8.20c9 any
 deny   any any
 
 
interface GigabitEthernet0/1
 mac access-group mac-acl in

*******************

Result was:

Nothing at all, everyone can access the server

Ganesh Hariharan Sun, 03/07/2010 - 23:58


As per your requirement, you want only one MAC to be configured on the interface manually; then do the following configuration at the interface level of the switch:

Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.

Sticky secure MAC addresses—These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.

Try the following configuration and check whether only one MAC is allowed or not!

interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0000.0000.000b
 switchport port-security violation {protect | restrict | shutdown}

Hope to help !!

Ganesh.H

amk316316 Mon, 03/08/2010 - 01:07

I did the following:

*******************

interface GigabitEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0014.22f8.20c9 vlan access

*******************

Result was the same:

The MAC addresses I enter were blocked and all others can pass through.

Also, the address I enter can't connect to anything in the network; I can't even ping the switch.

ps:

System image file is "flash:c2960-lanbasek9-mz.122-52.SE/c2960-lanbasek9-mz.122-52.SE.bin"

Ganesh Hariharan Mon, 03/08/2010 - 02:23


Hi,

Can you brief once again what exactly your requirement is? As I read the original post mentioned below, from this you mean to say you want to change the ASIC port MAC address of the switch which is connected to the server. If yes, no, you can't change the MAC of the ASIC port of the switch.

Hi all

Is there any way to make a static ARP table for my C2960G port g0/1 so the computer only learns the MACs that I put in manually?

Thank you in advance

Hope to Help !!

Ganesh.H

amk316316 Mon, 03/08/2010 - 03:27


Thank you

I am looking for a way to restrict access to port g0/1 in my 2960G switch, a whitelist of MAC addresses that can access the server; I tried port security and ACLs but no luck. I looked into VMPS but it's too complicated and needs a TFTP server and so on.

So I thought that if I make a static ARP table that the server on g0/1 reads from, it may solve my problem.

Any other solution is appreciated

Ganesh Hariharan Tue, 03/09/2010 - 23:38


Hi,

Can you try configuring a VLAN access map combined with a MAC address based ACL and check whether it is working or not? Check out the link below for configuring a VLAN access map in switches.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Hope to Help !!

Ganesh.H

amk316316 Tue, 03/09/2010 - 23:25

I did:

******************

mac access-list extended ARP_Packet
permit host 0014.22f8.20c9 host 0000.81b5.bbac 0x806 0x0
mac access-list extended block_arp
deny   any any 0x806 0x0

interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access

***************

But when I put in this command:

ICO(config)#vlan access-map block_arp 10
                                           ^
% Invalid input detected at '^' marker.

(the ^ is under the b)

Ganesh Hariharan Wed, 03/10/2010 - 01:04


Hi,

What is the switch model and IOS version, and when you do vlan access-map ?, what commands are you able to see?

Ganesh.H

amk316316 Wed, 03/10/2010 - 01:08

It's a Cisco Catalyst 2960G (WS-C2960G-24TC-L).

ICO#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 08:49 by sasyamal
Image text-base: 0x00003000, data-base: 0x01500000

ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)

ICO uptime is 1 hour, 2 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbasek9-mz.122-52.SE/c2960-lanbasek9-mz.122-52.SE.bin"

*************************************

ICO(config)#vlan access-map ?
 

************************************

ICO(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('a').

Ganesh Hariharan Wed, 03/10/2010 - 01:21


Hi,

I think your switch does not support the vlan access-map command, because if you do vlan ? it should come up with access-map as a command, but in your case I hope it will be showing:

Switch(config)#vlan ?
  WORD      ISL VLAN IDs 1-4094
  internal  internal VLAN

Hope to help !!

Ganesh.H

Ganesh Hariharan Wed, 03/10/2010 - 01:31


Hi,

As you have created a MAC based ACL, just apply this ACL in the in direction where the MAC can initiate traffic towards the destination end server MAC. Following are the guidelines for using MAC based ACLs in L2 switches.

1) You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.

2) A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.

and check out the link for MAC based ACLs in L2 switches; it should work.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_37_se/configuration/guide/swacl.html#wp1629114

The direction of the ACL is critical; just apply it on the port, as suggested in the beginning, where the traffic is initiated.

Hope to help !!
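As an added illustration, not configuration from the thread or from Cisco: a small Python model of an L2 port with port security and an ingress MAC ACL, built only from the two behaviours cited in this thread (a static secure MAC is stored in the address table; a MAC ACL on a Layer 2 interface filters only non-IP frames), which reproduces why the third port-security attempt cut off the whitelisted client while everyone else passed, and what the final advice (ARP ACLs on the client-facing ports) does and does not block. Port names and the OTHER MAC are assumptions; CLIENT and SERVER are the MACs from the thread.

```python
# Added model, not the thread's own configuration: a toy Catalyst-style L2 port with port
# security and an ingress MAC ACL. Port names and OTHER are constructed; CLIENT/SERVER are from the thread.
ETHERTYPE_IP, ETHERTYPE_ARP = 0x0800, 0x0806
CLIENT, SERVER, OTHER = "0014.22f8.20c9", "0000.81b5.bbac", "0000.0000.000b"

class L2Switch:
    def __init__(self):
        # cam: mac -> (port, is_static); secure: port -> {"max", "macs"}; mac_acl: port -> rules
        self.cam, self.secure, self.mac_acl = {}, {}, {}
    def port_security(self, port, maximum, static_macs=()):
        # A static secure MAC is stored in the address table, pinning that MAC to this port.
        self.secure[port] = {"max": maximum, "macs": set(static_macs)}
        for mac in static_macs:
            self.cam[mac] = (port, True)
    def _acl_permits(self, port, src, dst, ethertype):
        rules = self.mac_acl.get(port)   # rules: [(src|None, dst|None, ethertype|None, permit)]
        if rules is None or ethertype == ETHERTYPE_IP:
            return True    # a MAC ACL on a Layer 2 interface filters non-IP frames only
        for r_src, r_dst, r_type, permit in rules:   # None matches anything
            if r_src in (None, src) and r_dst in (None, dst) and r_type in (None, ethertype):
                return permit
        return False       # implicit deny at the end of the ACL
    def forward(self, in_port, src, dst, ethertype):
        """Return the egress port, 'flood', or None when the frame is dropped."""
        if not self._acl_permits(in_port, src, dst, ethertype):
            return None
        sec = self.secure.get(in_port)
        if sec is not None and src not in sec["macs"]:
            if len(sec["macs"]) >= sec["max"]:
                return None              # violation restrict: frame dropped
            sec["macs"].add(src)         # dynamically learned secure MAC
        if src not in self.cam or not self.cam[src][1]:
            self.cam[src] = (in_port, False)   # static entries are never moved
        out = self.cam.get(dst, ("flood", False))[0]
        return None if out == in_port else out  # never send back out the ingress port

def thread_attempt_3():
    # Client MAC configured as a static secure MAC on the server port Gi0/1.
    sw = L2Switch()
    sw.port_security("Gi0/1", maximum=2, static_macs=[CLIENT])
    sw.forward("Gi0/5", CLIENT, SERVER, ETHERTYPE_IP)           # client -> server
    sw.forward("Gi0/7", OTHER, SERVER, ETHERTYPE_IP)            # any other host -> server
    return (sw.forward("Gi0/1", SERVER, CLIENT, ETHERTYPE_IP),  # reply to client: None
            sw.forward("Gi0/1", SERVER, OTHER, ETHERTYPE_IP))   # reply to other: "Gi0/7"

def arp_acl_on_client_ports():
    # The last reply's advice: apply the ARP ACLs on the ports where traffic starts.
    sw = L2Switch()
    sw.mac_acl["Gi0/5"] = [(CLIENT, SERVER, ETHERTYPE_ARP, True)]  # ARP_Packet on the whitelisted port
    sw.mac_acl["Gi0/7"] = [(None, None, ETHERTYPE_ARP, False)]     # block_arp on every other port
    return (sw.forward("Gi0/5", CLIENT, SERVER, ETHERTYPE_ARP),    # "flood"
            sw.forward("Gi0/7", OTHER, SERVER, ETHERTYPE_ARP),     # None
            sw.forward("Gi0/7", OTHER, SERVER, ETHERTYPE_IP))      # "flood": IP frames are not filtered
```

The last return value is the caveat: a MAC ACL only stops the other hosts from resolving the server's address, so a host with a populated ARP cache still has its IP frames forwarded.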
