Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

DHCP and Port Security

Hello everybody,

i've configured port security on a Catalyst 3750 inluding 12.2(40)SE as followed:

mac access-list extended PermitMAC

permit host xxxx.xxxx.xxxx any

!

interface GigabitEthernet1/0/1

switchport access vlan 11

switchport mode access

mac access-group PermitMAC in

spanning-tree portfast

Current situation:

If i connect a notebook with the MAC-address yyyy.yyyy.yyyy to the interface Gi1/0/1, the notebook

gets a IP-address from the DHCP-Server which is located in the same segment as interface Gi1/0/1.

My expectation was:

The client shouldn't get any IP-Adress because the DHCP request from the client contains the MAC source

address which doesn't match the allowed list "PermitMAC".

Request:

Does anyone knows why the client even gets a IP-Address from the DHCP Server ?

Thank you very much in advance and

kind regards

Stephan

9 REPLIES

Re: DHCP and Port Security

Same segment as the Gi1/0/1 interface? I think you just answered the question...(or at least it looks like you did). If it's on the same segment, it's not "going through" the Gi1/0/1 interface. Maybe I'm missing something here?

What are the device(s) between the notebook and the DHCP server?

-brad

www.ccbootcamp.com

New Member

Re: DHCP and Port Security

Hi Brad,

attached you find the setup. I double checked the situation with the customer. The DHCP-Server is NOT in the same VLAN as the notebook. On VLAN 11 interfaces within Switch 1 & Switch 2 the ip-helper address of the DHCP-Server is configured.

As i would expect Switch 2 shouldn't get access to the notebook because the MAC Address of the notebook isn't configured as a preferred device within the extended access-list "PermitMAC".

But the Notebook gets a IP-Adress from the DHCP Server.

Do you have any idea why ?

kind regards

stephan

New Member

Re: DHCP and Port Security

Hello everybody,

does nobody have any idea about that issue ?

Kindly

Stephan

Re: DHCP and Port Security

As far as I am aware, the MAC access-list applies only to non-IP traffic. (IPX, Apple, etc.) DHCP is effectively IP traffic, so is not filtered by the access list.

If you really want to restrict the MAC address, do so using the normal port-security system, with a static mapping and one MAC only allowed.

Kevin Dorrell

Luxembourg

New Member

Re: DHCP and Port Security

Hi Kevin,

thanks a lot for your feedback. Situation is all other IP-Traffic is blocked by this MAC access-List. In fact the default-gateway for that client is not reachable via ICMP.

Nevertheless I will try it with the normal port-security system.

Kind Regards

Stephan

Re: DHCP and Port Security

Stephan,

In that case I am very puzzled because the documentation is quite clear that "You can filter non-IPv4 traffic on a VLAN or on a Layer 2 interface by using MAC addresses and named MAC extended ACLs."

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12240se/scg1/swacl.htm#wp1289037

Are you sure it is not something else that is filtering your traffic, indicating some other problem?

Kevin Dorrell

Luxembourg

New Member

Re: DHCP and Port Security

Hi Kevin,

yes I'm pretty sure that no other device is blocking that traffic. As you can see in the attachement in the 2nd reply to this conversation there is no device in between.

Maybe it's a question of interpretation; you can filter non-IPv4 traffic doesn't mean you can not filter IPv4 traffic does it ?

Kind regards and have a nice weekend

Stephan

Bronze

Re: DHCP and Port Security

I'm just curious why you're doing it this way as opposed to just setting up the interface with port security max-addresses and shutting down the interface if a non-allowed MAC is detected?

New Member

Re: DHCP and Port Security

Hi Adam,

i tried to setting up the interface with port security. The problem i have is to setting up more than one port with the same secrue MAC-addresses.

Background:

Several Ports are assigned to some meeting rooms where just dedicated notebooks should get access.

If i try to setup the same secure MAC-address to a interface i get following message;

Cat3750G(config-if)# switchport port-security mac-address 000b.xxxx.xxxx

Found duplicate mac-address 000b.xxxx.xxxx.

Does anybody have any idea how i can solve that issue ?

Kind Regards

Stephan

443
Views
0
Helpful
9
Replies