03-07-2010 12:27 AM - edited 03-06-2019 10:01 AM
Hi all
Is there any way to make a static ARP table for my c2960g port g0/1 so the computer only learns MACs that I put in manually?
Thank you in advance
03-07-2010 03:39 AM
Hello Amk316316,
You probably mean that you want only a specific MAC address to be able to use port g0/1.
What you need here is port security.
see
int gi0/1
switchport port-security mac-address xxxx.yyyy.zzzz
! following command is needed to enable port security:
switchport port-security
The ARP table is the resolution table of IP addresses to MAC addresses.
On a L2 port you can only work on the CAM table (the table of MAC addresses, VLANs and the ports where they are seen).
Hope to help
Giuseppe
03-07-2010 10:11 PM
Hi,
Static MAC address configuration on a switch can be done with the switch port security feature of Cisco switches. Before configuring switchport security, just consider the following guidelines:
A secure port cannot be a trunk port.
A secure port cannot be an 802.1X port.
A secure port cannot belong to an EtherChannel port-channel interface.
A secure port and static MAC address configuration are mutually exclusive.
A secure port cannot be a destination port for Switch Port Analyzer (SPAN).
and check out the below link for the step-by-step commands to bind a static MAC to an interface of the switch:
Hope to help !!
Remember to rate the helpful post
Ganesh.H
03-07-2010 11:43 PM
Thank you for your replies.
What I did is the following:
I connected a server (Blue Coat) to port g0/1 and did the following.
Port Security:
*******************
interface GigabitEthernet0/1
switchport mode access
switchport port-security maximum 5
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky
switchport port-security mac-address sticky 0014.22f8.20c9 vlan access
*******************
Result was:
The MAC addresses I entered were blocked and all others can pass through,
which is the opposite of what I want.
ACL:
*******************
mac access-list extended mac-acl
permit host 0014.22f8.20c9 any
deny any any
interface GigabitEthernet0/1
mac access-group mac-acl in
*******************
Result was:
Nothing at all, everyone can access the server
03-07-2010 11:58 PM
As per your requirement, you want only one MAC to be configured on the interface manually; then do the following configuration at the interface level of the switch:
Static secure MAC addresses—These are manually configured by using the switchport port-security mac-address mac-address interface configuration command, stored in the address table, and added to the switch running configuration.
Sticky secure MAC addresses—These are dynamically configured, stored in the address table, and added to the running configuration. If these addresses are saved in the configuration file, when the switch restarts, the interface does not need to dynamically reconfigure them.
Try the following configuration and check whether only one MAC is allowed or not!
interface FastEthernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security mac-address 0000.0000.000b
switchport port-security violation {protect | restrict | shutdown}
Hope to help !!
Ganesh.H
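Added example, not from any poster in this thread: the static and sticky secure-MAC variants described above on a 2960 access port, together with the commands that verify them and recover a port after a violation. The MAC 0000.0000.0001, VLAN 10 and port gi0/2 are placeholders.

```cisco
! Added example, not from this thread: the two secure-MAC variants described
! above on a 2960 access port, with the show commands that verify them.
! Port security checks the SOURCE MAC of frames arriving on the port it is
! configured on, so the address entered must belong to the device cabled to
! that port. 0000.0000.0001 is a placeholder for that device's MAC.
!
! Variant 1: static secure MAC, entered by hand (maximum 1 = only that MAC).
interface GigabitEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security mac-address 0000.0000.0001
!
! Variant 2: sticky secure MAC, learned from the first frame seen and written
! into the running config; "write memory" keeps it across a reload.
interface GigabitEthernet0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation shutdown
 switchport port-security mac-address sticky
!
! Let a port err-disabled by a shutdown-mode violation come back by itself
! (default recovery interval is 300 seconds).
errdisable recovery cause psecure-violation
end
!
! Verification: secure addresses per port, and the violation counter that
! "restrict" mode increments while silently dropping offending frames.
show port-security address
show port-security interface GigabitEthernet0/1
show interfaces status
```

In restrict mode a non-whitelisted source MAC is dropped without taking the port down, so the "Security Violation Count" line of the interface output is the first thing to check when an expected device cannot pass traffic.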
03-08-2010 01:07 AM
What I did is the following:
*******************
interface GigabitEthernet0/1
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address 0014.22f8.20c9 vlan access
*******************
Result was the same:
The MAC addresses I entered were blocked and all others can pass through.
Also, the address I entered can't connect to anything in the network; I can't even ping the switch.
ps:
System image file is "flash:c2960-lanbasek9-mz.122-52.SE/c2960-lanbasek9-mz.122-52.SE.bin"
03-08-2010 02:23 AM
Hi,
Can you brief once again what exactly your requirement is? As I read the original post mentioned below, you mean to say you want to change the ASIC port MAC address of the switch port which is connected to the server. If yes, no, you can't change the MAC of the ASIC port of the switch.
Hi all
Is there any way to make a static ARP table for my c2960g port g0/1 so the computer only learns MACs that I put in manually?
Thank you in advance
Hope to Help !!
Ganesh.H
03-08-2010 03:27 AM
Thank you
I am looking for a way to restrict access to port g0/1 in my 2960g switch, a whitelist of MAC addresses that can access the server; I tried Port Security and ACL but no luck. I looked into VMPS but it's too complicated and needs a TFTP server and so on.
So I thought if I make a static ARP table that the server in g0/1 reads from, it may solve my problem.
Any other solution is appreciated.
03-09-2010 11:38 PM
Hi,
Can you try configuring a VLAN access map combined with a MAC address based ACL and check whether it is working or not. Check out the below link for VLAN access map configuration in switches.
Hope to Help !!
Ganesh.H
03-09-2010 11:25 PM
I did:
******************
mac access-list extended ARP_Packet
permit host 0014.22f8.20c9 host 0000.81b5.bbac 0x806 0x0
mac access-list extended block_arp
deny any any 0x806 0x0
interface GigabitEthernet0/1
switchport access vlan 10
switchport mode access
***************
but when I put in this command:
ICO(config)#vlan access-map block_arp 10
^
% Invalid input detected at '^' marker.
((((under the b))))
03-10-2010 01:04 AM
Hi,
What is the switch model and IOS version, and when you do vlan access-map ? what command are you able to see?
Ganesh.H
03-10-2010 01:08 AM
It's a Cisco Catalyst 2960G (WS-C2960G-24TC-L)
ICO#sh ver
Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(52)SE, RELEASE SOFTWARE (fc3)
Copyright (c) 1986-2009 by Cisco Systems, Inc.
Compiled Fri 25-Sep-09 08:49 by sasyamal
Image text-base: 0x00003000, data-base: 0x01500000
ROM: Bootstrap program is C2960 boot loader
BOOTLDR: C2960 Boot Loader (C2960-HBOOT-M) Version 12.2(44)SE5, RELEASE SOFTWARE (fc1)
ICO uptime is 1 hour, 2 minutes
System returned to ROM by power-on
System image file is "flash:c2960-lanbasek9-mz.122-52.SE/c2960-lanbasek9-mz.122-52.SE.bin"
*************************************
ICO(config)#vlan access-map ?
************************************
ICO(config)#vlan access-map
Command rejected: Bad VLAN list - character #1 is a non-numeric
character ('a').
03-10-2010 01:21 AM
Hi,
I think your switch does not support the vlan access-map command, because if you do vlan ? it should come up with access-map as a command, but in your case I expect it will be showing:
Switch(config)#vlan ?
WORD ISL VLAN IDs 1-4094
internal internal VLAN
Hope to help !!
Ganesh.H
03-10-2010 01:31 AM
Hi,
As you have created a MAC based ACL, just apply this ACL in the in direction on the port where the MAC can initiate traffic towards the destination end server MAC. The following are the guidelines for using MAC based ACLs on L2 switches:
1) You can apply no more than one IP access list and one MAC access list to the same Layer 2 interface. The IP access list filters only IP packets, and the MAC access list filters non-IP packets.
2) A Layer 2 interface can have only one MAC access list. If you apply a MAC access list to a Layer 2 interface that has a MAC ACL configured, the new ACL replaces the previously configured one.
and check out the link for MAC based ACLs on L2 switches; it should work.
The direction of the ACL is critical: just apply it on the port, as suggested in the beginning, where the traffic is initiated.
Hope to help !!