Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1545
Views
9
Helpful
3
Replies

MAC Address list

avilt
Level 3
Level 3

‎05-23-2006 10:53 PM - edited ‎03-09-2019 03:00 PM

I have a 200 node network. Is there any way to get the MAC address of all the end nodes from the switch? How can I provide access to network with know MAC address list? I have to prevent visitors plugging their laptop into our network.

Labels:
0 Helpful
3 Replies 3

a.giorgi
Level 1
Level 1

‎05-23-2006 11:36 PM

Hi avilt:

You can get all the mac address using the show mac-address-table command. It show you all the MAC address learned and the ports the PCs are connected.

To prevent unauthorized access you can use the port security features, but be aware of MAC address spoofing threat. See the following URL

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat5000/rel_5_4/config/sec_port.htm

Hope this help. Please rate if it does.

Alberto Giorgi from spain.

a.kiprawih
Level 7
Level 7

‎05-24-2006 12:00 AM

Hi,

Q: Is there any way to get the MAC address of all the end nodes from the switch?

A: From the switch, issue command 'show arp' or 'show mac-address-table'.

Q: How can I provide access to network with know MAC address list? I have to prevent visitors plugging their laptop into our network.

A: So far, MAC address suthentication is only available for wireless AP only. But you can use feature called 802.1x (switch port authentication)

With this, any machine connected to your faceplate/network (which is connected to switchport enabled with 802.1x) will get authentication prompt. User need to use their own user ID & password. This will prevent anyone, including visitors to easily gain access to your network.

But to achieve this, you need authentication server like Cisco ACS. 802.1x uses radius authentication protocol. Enable aaa authentication your switch as well.

You can refer to the following links on how to configure 802.1x for access devices:

Cat295x - http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde59.html

Cat35xx - http://www.cisco.com/en/US/products/hw/switches/ps5528/products_configuration_guide_chapter09186a00801e85c4.html

Cat45xx - http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddb8.html

Other options are:

1. If you have VLAN, use ACL to filter MAC (without authentication server). You need to key-in all MACs.

switch(config)#mac access-list extended

switch(config-ext-macl)#?

Extended MAC Access List configuration commands:

default Set a command to its defaults

deny Specify packets to reject

exit Exit from MAC Named ACL configuration mode

no Negate a command or set its defaults

permit Specify packets to forward

switch(config-ext-macl)#permit host 1111.2222.3333 any

switch(config-ext-macl)#permit host 4444.5555.6666 host aaaa.bbbb.cccc

switch(config-ext-macl)#deny any any

http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_example09186a0080470c39.shtml

2. Register all MACs in each individual port.

For smaller network, if you do not have authentcation/radius server, you probably can register mac addresses in the switchport, BUT this is a less-preferred solution. Imagine of you have 20 hosts and switch with 24-ports. You need to key in 20 times of MACS each port!

switch01#conf t

Enter configuration commands, one per line. End with CNTL/Z.

switch01#int fa1/10

switch01(config-if)#mac-address 0006.1BD9.597D

switch01(config-if)#mac-address 0006.1BD9.5971

switch01(config-if)#mac-address 0006.1BD9.5972

switch01(config-if)#end

switch01#

ACL range/ID for MAC:

<700-799> 48-bit MAC address access list

<1100-1199> Extended 48-bit MAC address access list

Rgds,

AK

avilt
Level 3
Level 3
In response to a.kiprawih

‎06-05-2006 04:33 PM

I have catalyst 4006 switch with L3 module in slot 3 as show below. How can I find the arp table fron the switch? show arp does not display any MAC lsit.

SW01> (enable) show module

Mod Slot Ports Module-Type Model Fw Sw

--- ---- ----- ------------------------- --------------------------------------

1 1 2 1000BaseX Supervisor WS-X4013 5.4(1) 6.3(3)

2 2 6 1000BaseX Ethernet WS-X4306

3 3 34 Router Switch Card WS-X4232-L3 12.0(7)W5( 12.0(14)W5(20)

4 4 24 10/100/1000 Ethernet WS-X4424-GB-RJ45

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents