Cisco Support
English
Feedback Help
Cisco Support Community
Register
cancel
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
sdavids5670
sdavids5670
Community Member
‎12-12-2008 10:31 AM
‎12-12-2008 10:31 AM

Port-security question

I'd like to know if it is possible, via port-security, to block access to a system based on a MAC address range. In this particular instance, a client of mine wants to prevent patients from bring in gaming consoles (such as PS3 or XBox). However, these patients are allowed to bring in laptops. The prefix for Sony Computer Entertainment is 00041F and Microsoft uses 0050F2 for the XBox so is there a way to say, with port-security, do not allow any MAC beginning with 00:04:1F or 00:50:F2?

0 Helpful
Reply
2 REPLIES
Collin Clark
Collin Clark Purple
Purple
‎12-12-2008 11:52 AM
‎12-12-2008 11:52 AM

Re: Port-security question

AFAIK I don't think you can do that, but you could use a MAC based ACL. They would be able to connect, but wouldn't get anywhere.

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

Hope that helps.

0 Helpful
Reply
cedar_lee
cedar_lee
Community Member
‎12-12-2008 01:45 PM
‎12-12-2008 01:45 PM

Re: Port-security question

I think MAC ACL applied to Vlan interface will work as long as the network admin gets all the patients laptops MAC registered.

And under the same presumtion, you could use port-security feature as well. That means you have to register the laptops MAC and permit them on each switch port.

If the number of the switch ports for the patients is very small, I would try to use port-security feature as the following:

1. Enable errdisable recovery cause psecure-violation

2. Enable the port-security feature on an interface:

switch(config-if)#switchport port-security

switch(config-if)#switchport port-security maximum 1

switch(config-if)#switchport port-security mac-address sticky

3. Plug your laptop to an interface and let the switch learns your laptop MAC

4. Copy and paste the config of this switch port to other switch ports

5. when a new patient need access, increase the maximum number by 1 each time, such as for the first patient

switch(config-if)#switchport port-security maximum 2

6. plug the patient's laptop to the switch port

7. copy and paste the config of this switch port to other ports if needed

8. repeat 5 to 8

It sounds not convinient because you need to spend the time to build the MAC list even the switch learn it automatically.

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1038501

I am looking forward to hearing if any one knows a better solution. For example, can the switch auto matically learn the MAC and save them to the MAC table. A ACL applies to a Vlan interface or each switch port to only allow the laptops with the MAC listed on the switch MAC table.

0 Helpful
Reply
Latest Documents
PFRv3 channel state questions
Created by Vasilii Mikhailovskii on 04-23-2018 05:06 AM
0
0
0
0
This document gives several answers on frequently asked questions for PFRv3 channel state behavior. Q1: What are all the channel operational states from a BR (border role) perspective and what are the rules/conditions to be in each st... view more
VPN and static NAT problem
Created by Jacopo Belcredi on 04-23-2018 04:07 AM
0
0
0
0
Symptoms The need was to reach an host inside a LAN through a VPN connection managed by the LAN gateway (Cisco 1921). The LAN gateway performs NAT and there was a dedicate nat rule for the host i wanted to reach through VPN. I couldn't connect to the hos... view more
Cisco ESW-520-24P Switch Configuration
Created by Kevin DeMott on 04-19-2018 01:49 PM
0
0
0
0
We have 3 identical switches configured by someone else and would like to claim some of the Gigabit ports(G1/G2/G3/G4) for use on servers.  When we try to change the wiring and configuration, we run in to connectivity issues.  Attached is a des... view more
All Documents
165
Views
0
Helpful
2
Replies
CreatePlease to create content
Discussion
Blog
Document
Video
Popular Blogs
Glimpse of "EIGRP name mode configuration"
Created by ashirkar on 10-01-2013 02:06 AM
7
74
7
74
What happens, when router receives packet?
Created by ashirkar on 10-18-2012 03:19 AM
31
49
31
49
BLOG (No Title)
Created by Akula Jyoti Lakshmi on 08-09-2011 09:13 PM
15
43
15
43
All Blogs