
Port Security - allow 4 computers on 6 ports


stubnski (MIS), Nov 17, 2005, US
Hi,

I have four computers that move between six different offices. Is there a way to allow only the same four mac addresses on six ports to provide some sort of port security? Something like the below config. The public has unsupervised access to these rooms so I want to secure it as much as possible.

int gig0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
 switchport port-security mac-address 3333.3333.3333
 switchport port-security mac-address 4444.4444.4444

int gig0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
 switchport port-security mac-address 3333.3333.3333
 switchport port-security mac-address 4444.4444.4444


Thanks for any help!


Stubnski
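The configuration the question describes, written out in full as an added example (this is not from any post in the thread). It assumes the six ports are GigabitEthernet0/1 through 0/6 on one switch, that they belong to an office VLAN 10, and it reuses the four placeholder MAC addresses from the question. The `!` lines are IOS comments.

```cisco
! Added example, not from the original post: four known MACs allowed on six
! access ports, anything else shuts the port. Port range, VLAN 10 and the MAC
! values are assumptions / placeholders taken from the question above.
interface range GigabitEthernet0/1 - 6
 switchport mode access
 switchport access vlan 10
 ! port security only applies to static access ports, never to dynamic/trunk
 switchport port-security
 ! default maximum is 1, so raise it or the 2nd static MAC is rejected
 switchport port-security maximum 4
 ! any other source MAC puts the port in err-disabled state and logs it
 switchport port-security violation shutdown
 switchport port-security mac-address 1111.1111.1111
 switchport port-security mac-address 2222.2222.2222
 switchport port-security mac-address 3333.3333.3333
 switchport port-security mac-address 4444.4444.4444
 ! user-facing ports: no STP negotiation, and a switch/hub plugged in is shut
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! bring a violated port back by itself after 5 minutes instead of a site visit
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! checks
show port-security interface GigabitEthernet0/1
show port-security address
show interfaces status err-disabled
```

`show port-security interface` should show Port Security "Enabled", Maximum 4, and Violation Mode "Shutdown"; `show port-security address` lists the four static entries per port. Two caveats for this design: port security only compares the source MAC, which any visitor can copy from a sticker or set by hand, so it raises the bar rather than authenticating anybody; and some platforms refuse to accept the same static secure MAC on more than one port in a VLAN (the question's own follow-up reports exactly that on the 4500), in which case the per-port static list cannot be applied as written.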
 
use a mac address ACL ... and apply port security that way ..
let me see if i can write an example :

mac access-list extended SOMENAME
 ! one permit per allowed host; the ACL ends with an implicit deny
 permit host 1111.1111.1111 any
 permit host 2222.2222.2222 any
 permit host 3333.3333.3333 any
 permit host 4444.4444.4444 any

int fa0/1
 mac access-group SOMENAME in
int fa0/2
 mac access-group SOMENAME in

that should kinda do it..
this works on a 2950 and a 3550 switch.
with the routers, I believe you'll have to use an ACL

access-list 700 ?


 
Hi imbadatthis,

Thank you for your response.

I have tried that and while it does work on a 3560 I have, it does not work on the switch I need it on (cisco 4500). Maybe there is an added step to make it work on a Cisco 4500?


Stubnski
 
Your first post is exactly how it is done. You may want to add

switch(config-if)#switchport port-sec viol shut

And you can do

switch(config)#int g0/1 - 0/6

or

switch(config)#int range g0/1 - 6

/

tim@tim-laptop ~ $ sudo apt-get install windows
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Couldn't find package windows...Thank Goodness!
 
Have you thought about running 802.1x on these switches??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Hi Burt and Unclerico,

Thank you for your responses.

Burt, I get the following message when I enter the same MACs on different ports - "Found Duplicate MAC Address". So basically it will only work on one port. Is there something I need to enable or disable to get the same MAC on multiple ports?

Unclerico, I've been doing some research on that but I always see RADIUS as the authentication server. Is it possible to use TACACS+? What would you suggest for an authentication server based on real world experiences; RADIUS or TACACS+ (98% Cisco infrastructure, 100% M$ workstations)?


Thanks again for your suggestions


Stubnski
 
802.1x = RADIUS

The setup that is recommended:
Network authentication = RADIUS
Cisco Device authentication (i.e. Priv15 access) = TACACS+

although I use RADIUS to provide access to my Cisco devices also.

 
Another idea:

It's about the unicast MAC address filter.
If you change the Drop to Allow, it will probably do what you want, and on all interfaces (?):

Configuring Unicast MAC Address Filtering

To block all unicast traffic to or from a MAC address in a specified VLAN, perform this task:

Command: Switch(config)# mac-address-table static mac_address vlan vlan_ID drop
Purpose: [cut..]

To clear MAC address-based blocking, use the no form of this command without the drop keyword.

This example shows how to block all unicast traffic to or from MAC address 0050.3e8d.6400 in VLAN 12:

Router# configure terminal
Router(config)# mac-address-table static 0050.3e8d.6400 vlan 12 drop
 
So this will block unicast from that MAC TO VLAN 12, where that MAC does NOT reside?

 
Thank you everyone for your suggestions.

I will start to implement 802.1x. Does anyone have recommendations on a RADIUS server they prefer, or will a Windows RADIUS server do?


Stubnski
 
Because my environment is 99% Windows I just use IAS, but you're free to use pretty much any vendor out there.

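The 802.1X setup the last few posts settle on (switch authenticating the workstations against a RADIUS server such as IAS), as an added example that is not part of any post in this thread. It assumes the classic IOS `dot1x` command set, a RADIUS server at 192.0.2.10 (a documentation address used as a placeholder), a management SVI Vlan99 and the same six office ports in VLAN 10; the shared secret is a placeholder.

```cisco
! Added example, not from the thread: switch side of 802.1X with one RADIUS
! server. Server address, shared secret, Vlan99 and the port range are
! assumptions / placeholders.
aaa new-model
! send 802.1X (EAP) authentications to the RADIUS group
aaa authentication dot1x default group radius
!
! shared secret must match the RADIUS client entry for this switch on the server
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key ChangeMe
! source requests from a fixed address so the server can identify the switch
ip radius source-interface Vlan99
!
! global enable; without this the per-port dot1x commands do nothing
dot1x system-auth-control
!
interface range GigabitEthernet0/1 - 6
 switchport mode access
 switchport access vlan 10
 ! port forwards only EAPOL until the supplicant authenticates
 dot1x port-control auto
 ! wait 30 s after a failed attempt before letting the client retry
 dot1x timeout quiet-period 30
 spanning-tree portfast
!
! checks
show dot1x all
show dot1x interface GigabitEthernet0/1
show aaa servers
```

`show dot1x interface` reports the PortStatus as AUTHORIZED once a workstation has passed, and UNAUTHORIZED (no traffic except EAPOL) before that or after a failure; `show aaa servers` confirms the switch is actually reaching the RADIUS host. On the Windows side the wired 802.1X supplicant has to be enabled on each of the four machines and configured for the EAP method the server offers (with IAS typically PEAP with MSCHAPv2 against the domain), and any device in those rooms without a supplicant, a printer for example, will simply be refused, so plan for it before turning this on.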
 