Help with Port Security and MAC addresses

burleyman (Level 8)

We are looking at implementing port security and I am looking for a way to accomplish the following.

What we would like to do is prevent someone from attaching to a switch with a device whose MAC address does not match our list of MAC addresses.

I need the users to be able to move around the office and gain access so the MAC address should not be locked down to a specific port.

The port should be shutdown if there is a violation.

How can I accomplish this?

I thought of port security with dynamic learning and a maximum number of MAC addresses, but it would allow someone to just attach and go because there is no restriction on the MAC address, and sticky would not work because we need the users to be able to move around the office.

Also, 802.1x port authentication would be OK but it would have to be reconfigured if a device is moved.

Can I use an ACL globally and restrict based on a list of MAC addresses?

Any direction and help would be greatly appreciated.

Mike


15 Replies

Yudong Wu (Level 7)

Well, I don't think locking down network access by using MAC addresses is a good idea.

But if you would like to do it this way, you can use a MAC ACL to realize it.

Here is just an example.

http://www.cisco.com/en/US/partner/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Thanks I was looking into a MAC ACL type thing.

What would you recommend to lock down access to the switch?

Mike

I get a forbidden file when I try that link. Can you post the document?

Mike

It is just an example. You can find more info in the configuration guide of the related switch.

You can implement NAC to control your network access.

http://www.cisco.com/en/US/products/ps6128/index.html

It would be nice to get a NAC but I know it is not in the budget for this year.

Let's see if I got this right. What I have is a list of MAC addresses that I want to "allow" to connect to our switchports, and anything other than the listed MAC addresses should be dropped and/or have the port disabled. The switch is a Catalyst 3560 and I do have the following VLANs defined. VLAN1 is the VLAN for all network gear, VLAN3 is for servers, VLAN5 is for printers, VLAN101 is for data (PCs), and VLAN201 is for VoIP. Would the following config work for what I would like to accomplish?

mac access-list extended ALLOWED_MACs_VL3
 permit host 0000.861f.3a45 any
 permit host 0000.861f.3745 any
 permit host 0000.861f.3641 any
 permit host 0000.861f.2134 any
 ! -Keep going with the MAC addresses I want to allow---
vlan access-map ALLOWED_MACs 10
 action forward
 match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
 action drop
vlan filter ALLOWED_MACs vlan-list 3

and do this for each VLAN....

Thanks for your help.

Mike

Config looks good.

You'd better test it before implementing it on the production switch.

Don't forget to include the MAC of the default gateway in each VLAN.

Thanks.

Now could I just do this instead?

mac access-list extended ALLOWED_MACs_VL3
 permit host 0000.861f.3a45 any
 permit host 0000.861f.3745 any
 permit host 0000.861f.3641 any
 permit host 0000.861f.2134 any
 ! -Keep going with the MAC addresses I want to allow---
vlan access-map ALLOWED_MACs 10
 action forward
 match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
 action drop

and not have them separate for each VLAN?

Mike

You can have a MAC ACL which includes the permitted MAC addresses for all VLANs and then use it in a VLAN map. You can then apply this VLAN map to multiple VLANs.

Oh...so it would be like this.....

mac access-list extended ALLOWED_MACs_VL3
 permit host 0000.861f.3a45 any
 permit host 0000.861f.3745 any
 permit host 0000.861f.3641 any
 permit host 0000.861f.2134 any
 ! -Keep going with the MAC addresses I want to allow---
vlan access-map ALLOWED_MACs 10
 action forward
 match mac address ALLOWED_MACs_VL3
vlan access-map ALLOWED_MACs 20
 action drop
vlan filter ALLOWED_MACs vlan-list 1
vlan filter ALLOWED_MACs vlan-list 3
vlan filter ALLOWED_MACs vlan-list 5
vlan filter ALLOWED_MACs vlan-list 101
vlan filter ALLOWED_MACs vlan-list 201

Mike

You just need one vlan filter command:

vlan filter ALLOWED_MACs vlan-list 1 , 3 , 5 , 101 , 201

Thanks for all your help.

Mike
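Maintaining a list like this by hand is where the mistakes creep in: a MAC copied in the wrong notation, a host listed twice, a gateway MAC forgotten. The script below is an added example written for this thread, not something posted in it. It renders the structure the thread converged on (one extended MAC ACL, a two-sequence VLAN access-map, a single vlan filter line covering every VLAN) from an inventory list, normalising colon, hyphen, bare-hex and Cisco dotted notations into dotted form, de-duplicating, and always including the per-VLAN gateway MACs Yudong Wu warned about. It writes the permit entries as `permit host <mac> any` and the permit action as `action forward`, which are the IOS keywords for an extended MAC ACL and a VLAN map. The inventory, the gateway MACs and the VLAN numbers are constructed sample values, not devices from the thread; the name ALLOWED_MACs is taken from the posts.

```python
"""Render a MAC-address allow list as a Catalyst VLAN map.

Added example for this thread (not posted in it). Emits the structure the
posts converge on: one extended MAC ACL, a two-sequence VLAN access-map,
and a single vlan filter line covering every VLAN. Every MAC address and
VLAN number below is a constructed sample value.
"""
import re

# Constructed inventory: (label, MAC address in whatever notation the source system used).
INVENTORY = [
    ("pc-01", "00:00:86:1F:3A:45"),
    ("pc-02", "0000861f3745"),
    ("printer-1", "00-00-86-1f-36-41"),
    ("pc-01-again", "0000.861f.3a45"),  # same MAC as pc-01, listed twice in another notation
]

# Constructed default-gateway MAC per VLAN; the thread's advice is to permit these too.
GATEWAY_MACS = {
    1: "0000.0c07.ac01",
    3: "0000.0c07.ac03",
    5: "0000.0c07.ac05",
    101: "0000.0c07.ac65",
    201: "0000.0c07.acc9",
}

# Accepted input notations: colon/hyphen pairs, Cisco dotted quads, or 12 bare hex digits.
MAC_FORMATS = re.compile(
    r"^(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}$"
    r"|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}$"
    r"|^[0-9a-f]{12}$",
    re.IGNORECASE,
)


def normalize_mac(mac):
    """Return the MAC in Cisco IOS dotted form (xxxx.xxxx.xxxx); reject anything malformed."""
    mac = mac.strip()
    if not MAC_FORMATS.match(mac):
        raise ValueError(f"unrecognised MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_allow_list(inventory, gateway_macs):
    """Normalised, de-duplicated, sorted list of MACs to permit (hosts plus gateways)."""
    macs = {normalize_mac(mac) for _, mac in inventory}
    macs.update(normalize_mac(mac) for mac in gateway_macs.values())
    return sorted(macs)


def render_config(inventory, gateway_macs, name="ALLOWED_MACs"):
    """Return the IOS configuration text: MAC ACL, VLAN access-map, one vlan filter line."""
    vlan_list = ",".join(str(v) for v in sorted(gateway_macs))
    lines = [f"mac access-list extended {name}"]
    # An extended MAC ACL entry needs a destination; 'any' lets the permitted host talk to anyone.
    lines += [f" permit host {mac} any" for mac in build_allow_list(inventory, gateway_macs)]
    lines += [
        f"vlan access-map {name} 10",
        f" match mac address {name}",
        " action forward",  # IOS keyword for the permit action in a VLAN map
        f"vlan access-map {name} 20",
        " action drop",  # no match clause: everything sequence 10 did not forward is dropped
        f"vlan filter {name} vlan-list {vlan_list}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_config(INVENTORY, GATEWAY_MACS))
```

Running it prints a configuration you can diff against the running config each time the inventory changes; the malformed-MAC check is deliberately strict so that a typo fails the script rather than silently becoming a permit entry that never matches.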

Kevin,

My boss wanted me to open a TAC case on this to have Cisco double check the config. The Tech said this would not work and I should use dot1q instead. Now I read the document you sent and it all looks like it should work. Am I missing something? Here is what the tech said....

If you are wanting to deny any traffic at all from these rogue users, VACLs will not do that. DHCP, ARP, etc. will not be looked at by VACLs. What you really need here for this type of security is dot1x. VACLs only work on intervlan L2 traffic and not on L3 traffic so it will not totally block all access. You could statically assign mac-addresses to the ports but this will be very time consuming and manual.

Can you confirm?

Mike

As I mentioned before, controlling access by using MAC addresses can only provide limited security.

If you implement the VLAN map as we discussed, ARP requests from a rogue user's PC will be blocked. As a result, it could not communicate with another PC since it could not resolve that PC's MAC address from its IP. But if the rogue user knows the MAC of the destination IP, he can configure an ARP entry manually and then communicate with that IP. A VLAN map with a MAC ACL could not block it.

The best way to understand this is to try it in the lab.

HTH
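Yudong Wu's point is that the allow list is only as strong as the MAC address, which is something the host itself presents, so the control is worth pairing with monitoring of what the switch actually learns. The script below is an added example, not part of the thread: it parses the output of `show mac address-table dynamic` (a constructed sample with constructed MAC addresses is embedded) and reports the two things a defender would want to know about a deployment like this: learned MAC addresses that are not on the allow list, and an allowed MAC learned on more than one port at the same time, which is how a cloned address looks from the switch's side (a loop or a host that just moved desks can look the same, so it is a prompt to investigate, not a verdict). The allow list reuses the MAC format from the posted config but its values are constructed.

```python
"""Audit a switch's learned MAC table against the allow list.

Added example for this thread (not posted in it). Parses 'show mac address-table
dynamic' output and reports (a) learned MACs absent from the allow list and
(b) an allowed MAC learned on several ports at once. The table and every MAC
address in it are constructed sample data.
"""
import re
from collections import defaultdict

# Allow list in Cisco dotted form (constructed values in the style of the thread's config).
ALLOWED_MACS = {
    "0000.861f.3a45",
    "0000.861f.3745",
    "0000.861f.3641",
    "0000.861f.2134",
}

# Constructed 'show mac address-table dynamic' output in the usual Catalyst layout.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   3    0000.861f.3a45    DYNAMIC     Fa0/1
   3    0000.861f.3745    DYNAMIC     Fa0/2
 101    0000.861f.3641    DYNAMIC     Fa0/5
 101    0000.861f.3745    DYNAMIC     Fa0/7
 201    00aa.bbcc.dd01    DYNAMIC     Fa0/9
Total Mac Addresses for this criterion: 5
"""

# One table row: VLAN, dotted MAC, learn type, port. Header and footer lines do not match.
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(text):
    """Return a list of dicts {vlan, mac, type, port}, one per table row."""
    rows = []
    for line in text.splitlines():
        match = ROW_RE.match(line)
        if match:
            vlan, mac, kind, port = match.groups()
            rows.append({"vlan": int(vlan), "mac": mac.lower(), "type": kind, "port": port})
    return rows


def audit(rows, allowed):
    """Compare learned MACs with the allow list.

    Returns {'unknown': rows whose MAC is not allowed,
             'multi_port': {mac: sorted ports}} for MACs learned on more than one port,
    which is how a cloned address (or a loop, or a host that just moved) shows up.
    """
    unknown = [row for row in rows if row["mac"] not in allowed]
    ports_by_mac = defaultdict(set)
    for row in rows:
        ports_by_mac[row["mac"]].add(row["port"])
    multi_port = {mac: sorted(ports) for mac, ports in ports_by_mac.items() if len(ports) > 1}
    return {"unknown": unknown, "multi_port": multi_port}


def report(text=SAMPLE_MAC_TABLE, allowed=ALLOWED_MACS):
    """One line per finding, ready to print or ship to a log collector."""
    findings = audit(parse_mac_table(text), allowed)
    lines = [f"UNKNOWN  vlan {r['vlan']:>4} {r['mac']} on {r['port']}" for r in findings["unknown"]]
    lines += [f"MULTI    {mac} on {', '.join(ports)}" for mac, ports in findings["multi_port"].items()]
    return lines


if __name__ == "__main__":
    for line in report():
        print(line)
```

On the constructed table this flags 00aa.bbcc.dd01 on Fa0/9 as not on the list and 0000.861f.3745 as learned on both Fa0/2 and Fa0/7. Fed real output from a scheduled `show mac address-table dynamic`, the same two checks give you a record of who was on the wire even when the VLAN map has already dropped their traffic.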

Thank you for responding. Just so you know, I think what you suggested would work, but when I opened a TAC case...which has yet to answer my questions since Friday!...they said it would not work but did not explain why. They wanted to do dot1x. Here is what they said....

If you are wanting to deny any traffic at all from these rogue users, VACLs will not do that. DHCP, ARP, etc. will not be looked at by VACLs. What you really need here for this type of security is dot1x. VACLs only work on intervlan L2 traffic and not on L3 traffic so it will not totally block all access. You could statically assign mac-addresses to the ports but this will be very time consuming and manual.

I still have the case open so I am contacting them again to find out why the first solution would not work.

Mike
