08-23-2004 11:55 PM - edited 03-02-2019 05:57 PM
We have configured a 3550 for layer 2 filtering with MAC access lists. We applied this access list to all interfaces.
When we connected a new PC to the switch, it got an IP address from the DHCP server.
Why didn't the switch block this new PC?
The interface configuration:
"interface FastEthernet0/42
switchport access vlan 20
no ip address
spanning-tree portfast"
Access-list configuration:
Extended MAC access list port_security
permit host 00c0.b742.7233 any
permit host 0080.7d8c.120c any
permit host 00e0.8602.9c0a any
permit host 0800.3672.b003 any
permit host 00a0.c9d5.ff9f any
08-24-2004 01:13 AM
hi,
why do you want to make so much work for yourself?
all these access lists...
just use the
"switchport port-security mac-address sticky" command on all ports.
the switch will learn the first MAC address as the one to permit, and all others later will be denied.
in the config, it replaces the sticky by the MAC address of the new device.
when you replace any old device with a new one later, you just type in the command again and the new device is learned.
kind regards
chris kulinski
08-24-2004 04:35 AM
Dear Sir
We have done that because of these reasons:
1- If an unauthorized PC has been connected to the port, then the switch blocks that new MAC.
2- I don't want to shut all my unused ports.
3- I just want to give access to all authorized MAC addresses which I have in my network; some of them are notebooks which are moving from one room to another.
Please help me if you can.
08-29-2004 12:07 PM
Don't you need a "mac access-group port_security in" on the interface(s)?
08-30-2004 03:46 PM
Yeah, I'm seeing the same thing. He needs to associate the ACL to the interface, right?
08-30-2004 11:58 PM
Actually I applied that to the interfaces but I forgot to paste that part for you.
I think you can try it by yourself.
The switch passes the DHCP requests!
My switch is 3550.
thanks
08-31-2004 07:10 AM
Intuitively speaking, I would suggest adding an explicit deny statement to the end of your MAC ACL:
permit host 00a0.c9d5.ff9f any
deny host any any
In case there is not an implicit deny, this should block frames from any MAC that you are not explicitly allowing above. Also, if you haven't already, make sure you apply the ACL to the interface (for inbound, ingress traffic).
Good luck!
Yoni
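The two points raised so far (apply the ACL inbound on the port, and end it with an explicit deny) can be checked mechanically against a running-config. The script below is an added example and not from anyone in this thread; `SAMPLE_CONFIG`, `parse_blocks`, `audit` and the FastEthernet0/41 entry are my own constructed names and data, modelled on the config posted above.

```python
from typing import Dict, List

# Constructed sample running-config excerpt, modelled on the thread:
# Fa0/41 has the ACL applied, Fa0/42 does not, and the ACL has no explicit deny.
SAMPLE_CONFIG = """\
mac access-list extended port_security
 permit host 00c0.b742.7233 any
 permit host 0080.7d8c.120c any
!
interface FastEthernet0/41
 switchport access vlan 20
 mac access-group port_security in
 spanning-tree portfast
!
interface FastEthernet0/42
 switchport access vlan 20
 no ip address
 spanning-tree portfast
!
"""

def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Split an IOS-style config into top-level blocks keyed by header line."""
    blocks: Dict[str, List[str]] = {}
    header = None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            header = None          # '!' ends the current block
            continue
        if not line.startswith(" "):
            header = line.strip()  # unindented line starts a new block
            blocks[header] = []
        elif header is not None:
            blocks[header].append(line.strip())
    return blocks

def audit(config: str, vlan: int, acl: str) -> List[str]:
    """Flag the two mistakes discussed in the thread: an ACL without a
    trailing explicit deny, and access ports in `vlan` missing the ACL."""
    blocks = parse_blocks(config)
    findings = []
    entries = blocks.get(f"mac access-list extended {acl}", [])
    if not entries or not entries[-1].startswith("deny "):
        findings.append(f"ACL {acl}: no explicit deny at the end")
    for header, lines in blocks.items():
        if header.startswith("interface") and f"switchport access vlan {vlan}" in lines \
                and f"mac access-group {acl} in" not in lines:
            findings.append(f"{header}: in vlan {vlan} without '{acl}' applied inbound")
    # Caveat: a 3550 port MAC ACL matches only non-IP frames, so passing this
    # audit does not by itself mean IP traffic such as DHCP will be filtered.
    return findings
```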
08-31-2004 09:14 AM
I think that it is easier to apply that ACL in VLAN 20 and not on the interface.
08-31-2004 01:10 PM
Depends on the intent and design, but that's a good point. I'm going to try this tomorrow morning on a 3550 and will let you know the results.
08-31-2004 09:06 PM
I have added the deny any any to the end of the ACL but I got the same result.
How can I apply that ACL to VLAN 20? With which command?
09-01-2004 04:10 AM
I ran a short test on a 3550 here and everything worked as expected. This 3550 is doing layer 3 switching among 5 VLANs, HSRP'd with another 3550, but runs no routing protocols.
I configured a mac access-list:
mac access-list extended test
permit host 0008.743b.5ed1 any
Then I applied it to the interface:
interface FastEthernet0/13
switchport access vlan 101
switchport mode access
no ip address
mac access-group test in
I used my laptop, whose MAC address is 0008.743b.5ed0, as a test machine. When I first plugged it in, it failed to get a DHCP-assigned address, and retained the address it had gotten earlier at home. I then did an ipconfig /release, changed the MAC address in the access-list to 0008.743b.5ed0, and did an ipconfig /renew. The DHCP request succeeded, and I was on the air.
09-01-2004 06:14 AM
Actually I think there is something wrong with DHCP and the IP helper address. Our DHCP is in VLAN 20, and when the port is in VLAN 20 it gets the IP address even if I apply the access list, but when I remove the switchport access vlan 20 from the interface it can't get the IP address.
And I have this problem in all my 3550 switches; I have 4 in my network.
I should remind you that I have configured clustering between my switches.
I don't know what the problem is. Thanks for your cooperation.