Mac-address security

Answered Question
May 28th, 2010

Greetings!


I have a Catalyst 2950 switch in my network, and I need to prevent unknown hosts from accessing the network. There are 10 computers connected to this switch, and I want any of these computers to be able to connect to any port of the switch. How can I do this? If I try to do it by using port-security and declare all MAC addresses of the computers on all ports of the switch, it says "Found duplicate mac-address xxxx.xxxx.xxxx".


Thanks for help.


Best Regards,

Takush Roman.

Overall Rating: 4.2 (4 ratings)

I am not sure whether you are using these computers in a domain; you may make use of 802.1x, which grants access to the connected user only when the user ID/password supplied by the user to log in to the computer is verified by the AAA system. Only after that is verified can the user get an IP address from DHCP and do something on the network.


Thanks,

Gaurav

Correct Answer
podhillo Fri, 05/28/2010 - 12:32

This can be achieved by these methods:


1] MAC access list - recommended.
2] VACL
3] Port security - recommended.
4] 802.1X authentication


You can create a MAC access list LOCALMACHINES with about 10 MAC addresses, like this:

mac access-list extended LOCALMACHINES
 permit host xxxx.xxxx.xxxx any

**Please check if this is supported on the 2950


Please let me know if this was helpful.
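
An added example, not part of the original thread: a Python script that turns a MAC inventory collected in mixed notations into the MAC access list from the answer above and attaches it inbound to every port, so any listed computer works on any port. The sample addresses, the function names and the 24-port interface range are assumptions; `mac access-group <name> in` is the IOS interface command that applies a MAC ACL, and platform support should be checked as the answer says.

```python
import re


def to_cisco_mac(raw: str) -> str:
    """Normalize aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff to aabb.ccdd.eeff."""
    digits = re.sub(r"[.:\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    if int(digits[:2], 16) & 1:
        # Group (multicast/broadcast) addresses are never a host's source MAC.
        raise ValueError(f"group address cannot identify a host: {raw!r}")
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))


def build_mac_acl(name: str, macs: list, port_range: str) -> list:
    """Return IOS config lines: one permit per unique host, ACL applied inbound."""
    hosts = []
    for raw in macs:
        mac = to_cisco_mac(raw)
        if mac not in hosts:  # the same NIC listed twice in the inventory
            hosts.append(mac)
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {mac} any" for mac in hosts]
    # No explicit deny entry: the ACL ends with an implicit deny, so frames
    # from any source MAC not listed above are dropped on ingress.
    lines += [f"interface range {port_range}", f" mac access-group {name} in"]
    return lines


# Constructed sample inventory (not real hosts); the third entry repeats the first.
INVENTORY = ["00-1A-2B-3C-4D-5E", "00:1a:2b:3c:4d:5f", "001a.2b3c.4d5e"]

if __name__ == "__main__":
    # Port range is an assumption for a 24-port switch.
    print("\n".join(build_mac_acl("LOCALMACHINES", INVENTORY, "fastEthernet 0/1 - 24")))
```
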

Ganesh Hariharan Sat, 05/29/2010 - 21:40


Hi Takush Roman,


Configure the following commands on the interfaces to allow 10 MAC addresses; below I have shown two MAC addresses with the violation mode set to shutdown.


interface fastethernet 0/6
 switchport mode access
 ! enable port security on the port; the settings below have no effect without it
 switchport port-security
 switchport port-security violation shutdown
 switchport port-security maximum 2
 switchport port-security mac-address sticky 1111.1111.1111
 switchport port-security mac-address sticky 2222.2222.2222


Hope to Help !!


Ganesh.H


Remember to rate the helpful post

Roman Takush Tue, 06/01/2010 - 07:05

Thanks everyone, your answers were very helpful. I decided to use mac-address access lists, this is the best solution for me. Thanks for help once again.


Best Regards,

Takush Roman.

podhillo Tue, 06/01/2010 - 07:15

Thanks Takush Roman for updating us,


***I guess the sticky command is not supported on 2950 switches***


Regards,

podhillo
