I've configured port security on a Catalyst 3750 including 12.2(40)SE as follows:
mac access-list extended PermitMAC
permit host xxxx.xxxx.xxxx any
switchport access vlan 11
switchport mode access
mac access-group PermitMAC in
If I connect a notebook with the MAC address yyyy.yyyy.yyyy to the interface Gi1/0/1, the notebook gets an IP address from the DHCP server, which is located in the same segment as interface Gi1/0/1.
My expectation was:
The client shouldn't get any IP address because the DHCP request from the client contains the MAC source address, which doesn't match the allowed list "PermitMAC".
Does anyone know why the client even gets an IP address from the DHCP server?
Thank you very much in advance and
Same segment as the Gi1/0/1 interface? I think you just answered the question...(or at least it looks like you did). If it's on the same segment, it's not "going through" the Gi1/0/1 interface. Maybe I'm missing something here?
What are the device(s) between the notebook and the DHCP server?
Attached you find the setup. I double checked the situation with the customer. The DHCP server is NOT in the same VLAN as the notebook. On the VLAN 11 interfaces within Switch 1 & Switch 2 the ip helper-address of the DHCP server is configured.
As I would expect, Switch 2 shouldn't get access to the notebook because the MAC address of the notebook isn't configured as a preferred device within the extended access list "PermitMAC".
But the notebook gets an IP address from the DHCP server.
Do you have any idea why?
As far as I am aware, the MAC access-list applies only to non-IP traffic. (IPX, Apple, etc.) DHCP is effectively IP traffic, so is not filtered by the access list.
If you really want to restrict the MAC address, do so using the normal port-security system, with a static mapping and one MAC only allowed.
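As an added example (not part of the thread), this is what the static port-security configuration suggested above looks like on Gi1/0/1, with the commands to verify it; the address 000b.aaaa.bbbb is a placeholder for the permitted notebook. The MAC ACL from the first post is left out, since it only matters for non-IPv4 frames.

```ios
! Added example, not from the original post. 000b.aaaa.bbbb is a placeholder MAC.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 11
 ! Enable port security and allow exactly one secure address on the port.
 switchport port-security
 switchport port-security maximum 1
 ! Statically bind the permitted notebook; any other source MAC is a violation.
 switchport port-security mac-address 000b.aaaa.bbbb
 ! On violation, err-disable the port (alternatives: restrict, protect).
 switchport port-security violation shutdown
!
! Optional: bring err-disabled ports back automatically after the default timer.
errdisable recovery cause psecure-violation
!
! Verification: check status, secure address and violation count on the port.
show port-security interface GigabitEthernet1/0/1
show port-security address
```

If a notebook with another MAC sends a DHCP Discover, the first frame triggers the violation and the interface goes err-disabled instead of forwarding the request to the relay.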
Thanks a lot for your feedback. The situation is that all other IP traffic is blocked by this MAC access list. In fact, the default gateway for that client is not reachable via ICMP.
Nevertheless I will try it with the normal port-security system.
In that case I am very puzzled because the documentation is quite clear that "You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs."
Are you sure it is not something else that is filtering your traffic, indicating some other problem?
Yes, I'm pretty sure that no other device is blocking that traffic. As you can see in the attachment in the 2nd reply to this conversation, there is no device in between.
Maybe it's a question of interpretation; "you can filter non-IPv4 traffic" doesn't mean you cannot filter IPv4 traffic, does it?
Kind regards and have a nice weekend
I'm just curious why you're doing it this way as opposed to just setting up the interface with port security max-addresses and shutting down the interface if a non-allowed MAC is detected?
I tried setting up the interface with port security. The problem I have is setting up more than one port with the same secure MAC addresses.
Several Ports are assigned to some meeting rooms where just dedicated notebooks should get access.
If I try to set up the same secure MAC address on an interface, I get the following message:
Cat3750G(config-if)# switchport port-security mac-address 000b.xxxx.xxxx
Found duplicate mac-address 000b.xxxx.xxxx.
Does anybody have any idea how I can solve that issue?