Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

mac security question

Status
Not open for further replies.

wowhead

IS-IT--Management
Feb 27, 2007
73
US
After reading about MAC security, it looks like I cannot accomplish what I want due to the desired ports being trunks. Anyone had this issue before and what was the work around? Thanks.

Come visit on Stonemaul!!!!!!! (Henda/Sttaph) ;)
 
i dont understand, what else do you need to know?

i want to control what traffic on a couple switch ports. yet cisco says i cannot use mac security on ports that are trunked. the ports i want to control are in fact trunked due to our IP phone system.

i'm then wondering what the alternative is, if any, so that i can still control what is going on. these are ports in a public room so we'd much prefer the security to be less than wide open for everyone to grab a DHCP address.
 
Can you not put them in a vlan and then just use an ACL on the router to allow/block what you want?
 
Hell I don't know, that is why I am asking the question: "What is the alternative?"
 
what if the traffic isn't leaving the local subnet, how would an acl on a router help that? i want to prevent people from getting a DHCP lease. anyone with more depth on this subject care to chime in?
 
Dare I chime in again, heaven forbid I try to help you with your work around, Why not add them to a new unused vlan with nothing else on it? No DHCP no nothing. Then you could prune it from the allowed vlan list on the desired trunk. I'm only trying to help you.
 
post the config of one of these ports.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
This thing runs CatOS so it took me a while to figure something out:

4506-Upstairs (enable) show port 2/1
* = Configured MAC Address

Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/1 notconnect 1 normal auto auto 10/100/1000

Port AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
2/1 100 inactive


Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
2/1 disabled shutdown 0 0 1 disabled 11

Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
2/1 0 - - - - -

Port Flooding on Address Limit
----- -------------------------
2/1 Enabled

Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported
admin oper admin oper opcodes
----- -------- -------- --------- --------- ---------- ---------- -----------
2/1 on off desired off 0 0 0

Port Status Channel Admin Ch
Mode Group Id
----- ---------- -------------------- ----- -----
2/1 notconnect auto silent 2 0

Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout
---- ---------- ------------------- ---------------------- -----------------
2/1 notconnect - Enable No Change

Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
2/1 - 0 0 0 0

Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
2/1 0 0 0 0 0 0 0

Last-Time-Cleared
--------------------------
Mon Oct 6 2008, 20:54:16

Idle Detection
--------------
--
4506-Upstairs (enable)

sh int doesn't give the same output...is this what you were looking for?
 
wowhead, you need to post the configuration commands that you have on the interface from the running-config.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
>> Windows server for DHCP

You could exclude the range and use reservations. That would prevent DHCP from being handed out but a person could still access the network from that port if they new the ip range and subnet.


Stubnski
 
FYI. Win server 2003 and 2008 does have DHCP blocking by mac . Google for DLL filter
 
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Mon Oct 27 2008, 09:05:24
!
#version 8.4(11)GLX
!
!
#system web interface version(s)
set password
set enablepass
set prompt 4506-Upstairs
set config mode text nvram
set banner motd ^C Welcome to the Catalyst 4506, DON'T SCREW ANYTHING UP!!!
Your's truly, Big-Brother. >:D ^C
!
#dot1x
set feature dot1x-radius-keepalive disable
!
#system
set system name 4506-Upstairs
set system location Upstairs Data Room
set system contact
!
#frame distribution method
set port channel all distribution mac both
!
#snmp
set snmp rmon enable
set snmp chassis-alias Catalyst4506
!
#Local User
set localuser user
privilege 15
!
#vtp
set vtp domain
set vtp mode transparent vlan
set vlan 5 rspan name VLAN0005 state active
set vlan 10 name VoIP type ethernet mtu 1500 said 100010 state active
set vlan 100 name Voice-VLAN type ethernet mtu 1500 said 100100 state active

set vlan 172 name DHCP-VLAN type ethernet mtu 1500 said 100172 state active
set vlan 500 rspan name VLAN0500 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state activ
e stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active st
p ibm
set vlan 1
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state acti
ve mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 1

set interface sl0 down
255.255.255.0 0.0.0.255

set interface me1 down
set ip route 0.0.0.0/0.0.0.0
set ip route 10.2.0.0/255.255.255.0
set ip alias default 0.0.0.0
!
#syslog
set logging console disable
!
#http configuration
set ip http server enable
!
#multicast filter
set igmp filter disable
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1 Catalyst4506
!
#module 2 : 48-port 10/100/1000 Ethernet
set module name 2 48-port Gig
set vlan 100 2/9,2/35
set port auxiliaryvlan 2/1 100
set port auxiliaryvlan 2/2 100
set port auxiliaryvlan 2/4 100
set port auxiliaryvlan 2/6 100
set port auxiliaryvlan 2/7 100
set port auxiliaryvlan 2/8 100
set port auxiliaryvlan 2/9 100
set port auxiliaryvlan 2/10 100
set port auxiliaryvlan 2/12 100
set port auxiliaryvlan 2/16 100
set port auxiliaryvlan 2/17 100
set port auxiliaryvlan 2/18 100
set port auxiliaryvlan 2/19 100
set port auxiliaryvlan 2/20 100
set port auxiliaryvlan 2/21 100
set port auxiliaryvlan 2/22 100
set port auxiliaryvlan 2/23 100
set port auxiliaryvlan 2/25 100
set port auxiliaryvlan 2/27 100
set port auxiliaryvlan 2/31 100
set port auxiliaryvlan 2/35 100
set port auxiliaryvlan 2/36 100
set port auxiliaryvlan 2/37 100
set port auxiliaryvlan 2/46 100
set trunk 2/2 auto dot1q 1-1005,1025-4094
set trunk 2/3 on dot1q 1-1005,1025-4094
set trunk 2/4 auto dot1q 1-1005,1025-4094
set trunk 2/6 auto dot1q 1-1005,1025-4094
set trunk 2/7 auto dot1q 1-1005,1025-4094
set trunk 2/8 auto dot1q 1-1005,1025-4094
set trunk 2/9 auto dot1q 1-1005,1025-4094
set trunk 2/10 auto dot1q 1-1005,1025-4094
set trunk 2/12 auto dot1q 1-1005,1025-4094
set trunk 2/16 auto dot1q 1-1005,1025-4094
set trunk 2/17 auto dot1q 1-1005,1025-4094
set trunk 2/18 auto dot1q 1-1005,1025-4094
set trunk 2/19 auto dot1q 1-1005,1025-4094
set trunk 2/20 auto dot1q 1-1005,1025-4094
set trunk 2/21 auto dot1q 1-1005,1025-4094
set trunk 2/22 auto dot1q 1-1005,1025-4094
set trunk 2/23 auto dot1q 1-1005,1025-4094
set trunk 2/25 auto dot1q 1-1005,1025-4094
set trunk 2/27 auto dot1q 1-1005,1025-4094
set trunk 2/35 auto dot1q 1-1005,1025-4094
set trunk 2/37 auto dot1q 1-1005,1025-4094
set trunk 2/46 auto dot1q 1-1005,1025-4094
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
!
#switch port analyzer
set rspan destination 2/1 5 inpkts disable learning enable create
end
 
as long as you have
Code:
set port auxiliaryvlan mod/num <voice_vlan_id>
there is no reason that you can't enable port-security. just do not configure the switchport as an actual trunk because then you can't run port-security (as you know). if all you want is to have the phone hanging off of this interface then leave the maximum set to 1. i don't know what voice solution you are running, but perhaps you could also disable the pc switchport on the phone.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top