01-25-2024 02:10 PM
I'm trying to enable MAC Address Filtering on my Cisco ISR 1111x-8p and I can't seem to get it working correctly. I tried adding my PC to the port-security list and removing it, but my PC is still connected to the internet. Is this the best way to manage access to the network, and if so, can I manage access through the Cisco ISR 1111x-8p when another router (Home router) is connected to the port that provides wifi access?
MAC of my eth0 is: D8-BB-C1-01-E8-8B
I tried removing the MAC from my port-security but I can't seem to get it removed, or I don't know how.
I have attached a network diagram of how my network will be set up as well as my Cisco config file, and port-security settings....
01-25-2024 02:22 PM
Remove sticky
1- Shut the port that learned the sticky MAC
2- Add NO to the command line
switchport port-security mac-address sticky 0800.270f.b6e6
switchport port-security mac-address sticky 0800.2772.bdec
switchport port-security mac-address d8bb.c101.e888
switchport port-security mac-address sticky d8bb.c101.e88b
3- Then clear port-security MAC
The above is manual; you can make sticky MAC auto clean by configuring port-security aging static
MHM
01-25-2024 03:36 PM
I was able to remove the MAC addresses from the interface, but can you tell me why my PC is still connected to the internet when I have MAC Filtering enabled but there are no MAC addresses being allowed? It should only connect to the internet if I add the MAC for the device I want to connect, right?
01-25-2024 04:08 PM
What do you mean by MAC filtering? Do you mean port security?
If you can access with the old MAC,
can I see
Show interface port-security
MHM
01-29-2024 10:47 AM
@MHM Cisco World Here is my port-security show command output:
cisco#show port-security interface gig 0/1/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Maximum MAC Addresses : 50
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d8bb.c101.e88b:1
Security Violation Count : 0
01-29-2024 10:54 AM
Port security is enabled
d8bb.c101.e88b:1
This MAC was sticky-learned before; now I think it is dynamically learned and allowed to access the SW.
And for MAC filtering, sorry, but as far as I know it is only for wireless clients, not for wired clients, or am I wrong?
MHM
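Added example, not part of any post in this thread: a Python check that parses the `show port-security interface` output posted above and reports how many address slots remain open to dynamic learning, which is why a port with a maximum of 50 and no configured or sticky entries still admits the PC. The function names and the second, pinned sample are assumptions made for illustration.

```python
# Output as posted in the thread for "show port-security interface gig 0/1/0".
THREAD_OUTPUT = """\
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Maximum MAC Addresses : 50
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d8bb.c101.e88b:1
Security Violation Count : 0
"""

# Constructed sample (assumption): same port with one slot, filled by one configured MAC.
PINNED_OUTPUT = (THREAD_OUTPUT
                 .replace("Maximum MAC Addresses : 50", "Maximum MAC Addresses : 1")
                 .replace("Configured MAC Addresses : 0", "Configured MAC Addresses : 1"))

def parse_port_security(text):
    """Turn 'Key : Value' lines into a dict, splitting on the first ' : ' only."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def audit(fields):
    """Report whether the port behaves as a MAC allow-list or just a MAC count limit."""
    maximum = int(fields["Maximum MAC Addresses"])
    pinned = (int(fields["Configured MAC Addresses"])
              + int(fields["Sticky MAC Addresses"]))
    total = int(fields["Total MAC Addresses"])
    enabled = fields.get("Port Security") == "Enabled"
    open_slots = max(0, maximum - pinned)  # slots any unknown MAC can still take
    findings = []
    if not enabled:
        findings.append("port security is not enabled")
    if open_slots:
        findings.append(f"{open_slots} of {maximum} slots open to dynamic learning")
    if total > pinned:
        findings.append(f"{total - pinned} address(es) admitted without being configured or sticky")
    return {"allow_list": enabled and open_slots == 0,
            "open_slots": open_slots, "findings": findings}

if __name__ == "__main__":
    for name, out in (("thread", THREAD_OUTPUT), ("pinned", PINNED_OUTPUT)):
        print(name, audit(parse_port_security(out)))
```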
01-29-2024 11:15 AM
If MAC filtering only works on WIFI then I will have to find another way to whitelist access to the router. I guess I could assign static IPs to the devices I need to connect to the router, then set up an ACL to only allow those static IPs.
01-29-2024 12:21 PM
Yes I think this solution will work.
MHM
01-25-2024 04:03 PM - edited 01-25-2024 04:08 PM
EDIT:
After looking at your attached drawing, your PC MAC is not directly connected to that port, right?
Do you have NAT in place on the device? Where is this PC connected? (On WIFI?)
Physically connected to port Gig0/1/0, refer below:
When you remove the MAC address from the sticky and do shutdown and no shutdown on the port, is the device still connected to the same port and able to access the internet?
After removing the sticky MAC from the port, can you post the MAC address table and configuration again?
Check on the port - show port-security interface gig0/1/0 (post output here)
01-29-2024 10:56 AM - edited 01-29-2024 10:57 AM
@balaji.bandi I have updated my network diagram to show my Windows 10 PC, it's connected to the Cisco router via ethernet on GigabitEthernet 0/1/0. Here is the output to my mac address-table show command:
Mac Address Table
cisco#show port-security interface gig 0/1/0
Port Security : Enabled
Port Status : Secure-up
Violation Mode : Restrict
Aging Time : 1 mins
Maximum MAC Addresses : 50
Total MAC Addresses : 1
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : d8bb.c101.e88b:1
Security Violation Count : 0
cisco#show port-security interface gig 0/1/0 address
Secure Mac Address Table
-------------------------------------------------------------------------------
Vlan Mac Address Type Ports Remaining Age
(mins)
---- ----------- ---- ----- -------------
1 d8bb.c101.e88b SecureDynamic Gi0/1/0 < 1
-------------------------------------------------------------------------------
Total Addresses: 1
cisco#show port-security interface gig 0/1/0 vlan
Default maximum: not set, using 2048
VLAN Maximum Current
1 default 1
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0ccc.ccce STATIC CPU
All 0180.c200.0000 STATIC CPU
All 0180.c200.0001 STATIC CPU
All 0180.c200.0002 STATIC CPU
All 0180.c200.0003 STATIC CPU
All 0180.c200.0004 STATIC CPU
All 0180.c200.0005 STATIC CPU
All 0180.c200.0006 STATIC CPU
All 0180.c200.0007 STATIC CPU
All 0180.c200.0008 STATIC CPU
All 0180.c200.0009 STATIC CPU
All 0180.c200.000a STATIC CPU
All 0180.c200.000b STATIC CPU
All 0180.c200.000c STATIC CPU
All 0180.c200.000d STATIC CPU
All 0180.c200.000e STATIC CPU
All 0180.c200.000f STATIC CPU
All 0180.c200.0010 STATIC CPU
1 60b9.c0a5.7ef4 STATIC CPU
1 d8bb.c101.e88b STATIC Gi0/1/0
Total Mac Addresses for this criterion: 22
Here is the output for showing all port-security commands: