05-23-2006 10:53 PM - edited 03-09-2019 03:00 PM
I have a 200 node network. Is there any way to get the MAC address of all the end nodes from the switch? How can I provide access to the network with a known MAC address list? I have to prevent visitors plugging their laptop into our network.
05-23-2006 11:36 PM
Hi avilt:
You can get all the MAC addresses using the show mac-address-table command. It shows you all the MAC addresses learned and the ports the PCs are connected to.
To prevent unauthorized access you can use the port security features, but be aware of the MAC address spoofing threat. See the following URL:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm
Hope this helps. Please rate if it does.
Alberto Giorgi from Spain.
05-24-2006 12:00 AM
Hi,
Q: Is there any way to get the MAC address of all the end nodes from the switch?
A: From the switch, issue the command 'show arp' or 'show mac-address-table'.
Q: How can I provide access to the network with a known MAC address list? I have to prevent visitors plugging their laptop into our network.
A: So far, MAC address authentication is available for wireless APs only. But you can use a feature called 802.1x (switch port authentication).
With this, any machine connected to your faceplate/network (which is connected to a switchport enabled with 802.1x) will get an authentication prompt. Users need to use their own user ID & password. This will prevent anyone, including visitors, from easily gaining access to your network.
But to achieve this, you need an authentication server like Cisco ACS. 802.1x uses the RADIUS authentication protocol. Enable AAA authentication on your switch as well.
You can refer to the following links on how to configure 802.1x for access devices:
Other options are:
1. If you have VLANs, use an ACL to filter MACs (without an authentication server). You need to key in all MACs.
switch(config)#mac access-list extended
switch(config-ext-macl)#?
Extended MAC Access List configuration commands:
default Set a command to its defaults
deny Specify packets to reject
exit Exit from MAC Named ACL configuration mode
no Negate a command or set its defaults
permit Specify packets to forward
switch(config-ext-macl)#permit host 1111.2222.3333 any
switch(config-ext-macl)#permit host 4444.5555.6666 host aaaa.bbbb.cccc
switch(config-ext-macl)#deny any any
2. Register all MACs in each individual port.
For a smaller network, if you do not have an authentication/RADIUS server, you probably can register MAC addresses in the switchport, BUT this is a less-preferred solution. Imagine if you have 20 hosts and a switch with 24 ports. You need to key in the MACs 20 times, on each port!
switch01#conf t
Enter configuration commands, one per line. End with CNTL/Z.
switch01(config)#int fa1/10
switch01(config-if)#mac-address 0006.1BD9.597D
switch01(config-if)#mac-address 0006.1BD9.5971
switch01(config-if)#mac-address 0006.1BD9.5972
switch01(config-if)#end
switch01#
ACL range/ID for MAC:
<700-799> 48-bit MAC address access list
<1100-1199> Extended 48-bit MAC address access list
Rgds,
AK
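An added example, not part of the original thread and not Cisco tooling: a Python script that audits `show mac-address-table` output against a known-MAC list and reports unknown addresses together with the ports they were learned on. The table text and the allowlist are constructed samples, and the IOS-style Vlan / Mac Address / Type / Ports column layout is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample of `show mac-address-table` output (assumed IOS-style layout).
SAMPLE_OUTPUT = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0006.1bd9.597d    DYNAMIC     Fa1/10
  10    0006.1bd9.5971    DYNAMIC     Fa1/11
  10    00a0.c911.22b3    DYNAMIC     Fa1/12
  20    1111.2222.3333    STATIC      Fa1/13
  20    00a0.c9aa.0001    DYNAMIC     Fa1/13
Total Mac Addresses for this criterion: 5
"""

# Constructed allowlist; colon, dash and dotted notations are all accepted.
KNOWN_MACS = ["00:06:1B:D9:59:7D", "0006.1BD9.5971", "11-11-22-22-33-33"]

ROW = re.compile(r"^\s*(\d+)\s+([0-9a-fA-F]{4}(?:\.[0-9a-fA-F]{4}){2})\s+(\S+)\s+(\S+)\s*$")

def normalize(mac):
    """Reduce a MAC in colon, dash or dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[.:-]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits

def parse_table(text):
    """Return (vlan, mac, type, port) for each table row; header lines do not match."""
    hits = (ROW.match(line) for line in text.splitlines())
    return [(int(m[1]), normalize(m[2]), m[3], m[4]) for m in hits if m]

def audit(text, known):
    """Return (rows whose MAC is not allowlisted, ports that learned more than one MAC)."""
    allowed = {normalize(m) for m in known}
    rows = parse_table(text)
    unknown = [r for r in rows if r[1] not in allowed]
    per_port = defaultdict(set)
    for _, mac, _, port in rows:
        per_port[port].add(mac)
    shared = sorted(p for p, macs in per_port.items() if len(macs) > 1)
    return unknown, shared

if __name__ == "__main__":
    unknown, shared = audit(SAMPLE_OUTPUT, KNOWN_MACS)
    for vlan, mac, kind, port in unknown:
        print(f"unknown MAC {mac} on {port} (vlan {vlan}, {kind})")
    print("ports with multiple MACs:", shared)
```

A MAC that appears on the allowlist only shows that the address matches, not that the device is the expected one, which is the spoofing caveat raised earlier in the thread. Ports that learned more than one MAC are reported separately because they usually indicate a hub or small switch behind the faceplate.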
06-05-2006 04:33 PM
I have a Catalyst 4006 switch with an L3 module in slot 3 as shown below. How can I find the ARP table from the switch? show arp does not display any MAC list.
SW01> (enable) show module
Mod Slot Ports Module-Type Model Fw Sw
--- ---- ----- ------------------------- --------------------------------------
1 1 2 1000BaseX Supervisor WS-X4013 5.4(1) 6.3(3)
2 2 6 1000BaseX Ethernet WS-X4306
3 3 34 Router Switch Card WS-X4232-L3 12.0(7)W5( 12.0(14)W5(20)
4 4 24 10/100/1000 Ethernet WS-X4424-GB-RJ45
Thanks