topic Re: Cisco ISR 1100 MAC Address Filtering in Network Access Control

Cisco ISR 1100 MAC Address Filtering

whughes123 — Thu, 25 Jan 2024 22:10:43 GMT

I'm trying to enable MAC Address Filtering on my Cisco ISR 1111x-8p and I can't seem to get it working correctly. I tried adding my PC to the port-security list and removing it, but my PC is still connected to the internet. Is this the best way to manage access to the network, and if so, can I manage access through the Cisco ISR 1111x-8p when another router (Home router) is connected to the port that provides wifi access?

MAC of my eth0 is: D8-BB-C1-01-E8-8B

I tried removing the MAC from my port-security but I can't seem to get it removed, or I don't know how.

I have attached a network diagram of how my network will be setup as well as my Cisco config file, and port-security settings....

Re: Cisco ISR 1100 MAC Address Filtering

MHM Cisco World — Thu, 25 Jan 2024 22:22:36 GMT

Remove sticky

1- shut port that learn sticky mac

2- add NO to command line

switchport port-security mac-address sticky 0800.270f.b6e6
 switchport port-security mac-address sticky 0800.2772.bdec
 switchport port-security mac-address d8bb.c101.e888
 switchport port-security mac-address sticky d8bb.c101.e88b

3- Then clear port-secuirty mac

Above is manaul you can make sticky mac auto clean by config port-secuirty aging static

MHM

Re: Cisco ISR 1100 MAC Address Filtering

whughes123 — Thu, 25 Jan 2024 23:36:11 GMT

I was able to remove the MAC addresses from the interface, but can you tell me why my PC is still connected to the internet when I have MAC Filtering enabled but there are no MAC addresses being allowed? It should only connect to the internet if I add the MAC for the device I want to connect, right?

Re: Cisco ISR 1100 MAC Address Filtering

balaji.bandi — Fri, 26 Jan 2024 00:08:50 GMT

EDIT :

After looking your Attached Drawing your PC MAC not directly connected to that port right ?

you have NAT in place on the Device ? where is this PC connected ? (in WIFI ?)

Physically connected to port Gig0/1/0 refer below :

When you remove the MAC address from the sticky and the port shutdown and no shutdown - the device still connected to same port and able to access internet ?

after removed the stick MAC from the port - can you post mac address table and configuration again ?

check on the port - show port-security interface gig0/1/0 (post output here)

Re: Cisco ISR 1100 MAC Address Filtering

MHM Cisco World — Fri, 26 Jan 2024 00:08:20 GMT

What you meaning mac filtering? Do you mean port secuirty?

If you can access with old mac

Can i see

Show interface port-secuirty

MHM

Re: Cisco ISR 1100 MAC Address Filtering

whughes123 — Mon, 29 Jan 2024 18:47:25 GMT

@MHM Cisco World Here is my port-security show command output:

cisco#show port-security interface gig 0/1/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Maximum MAC Addresses : 50
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d8bb.c101.e88b:1
Security Violation Count : 0

Re: Cisco ISR 1100 MAC Address Filtering

MHM Cisco World — Mon, 29 Jan 2024 18:54:03 GMT

Port secuirty is enable

d8bb.c101.e88b:1

This mac was sticky learn before now I think it dynamic learn and allow to access SW.

And for mac filtering' sorry but as I know it only for wireless client not for wire client' or am I wrong?

MHM

Re: Cisco ISR 1100 MAC Address Filtering

whughes123 — Mon, 29 Jan 2024 18:57:58 GMT

@balaji.bandi I have updated my network diagram to show my Windows 10 PC, it's connected to the Cisco router via ethernet on GigabitEthernet 0/1/0. Here is the output to my mac address-table show command:

Mac Address Table

cisco#show port-security interface gig 0/1/0 address
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 d8bb.c101.e88b SecureDynamic Gi0/1/0 < 1
-------------------------------------------------------------------------------
Total Addresses: 1

cisco#show port-security interface gig 0/1/0 vlan
Default maximum: not set, using 2048
VLAN Maximum Current
1 default 1

-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0ccc.ccce STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
1 60b9.c0a5.7ef4 STATIC CPU
1 d8bb.c101.e88b STATIC Gi0/1/0
Total Mac Addresses for this criterion: 22

Here is the output for showing all port-security commands:

Re: Cisco ISR 1100 MAC Address Filtering

whughes123 — Mon, 29 Jan 2024 19:15:41 GMT

If MAC filtering only works on WIFI then I will have to find another way to whitelist access to the router. I guess I could assign static IP's to the devices I need to connect to the router, then setup an ACL to only allow those static IP's.

Re: Cisco ISR 1100 MAC Address Filtering

MHM Cisco World — Mon, 29 Jan 2024 20:21:12 GMT

Yes I think this solution will work.

MHM