06-23-2019 11:28 PM - edited 02-21-2020 11:07 AM
Hi Guys,
Is it possible to limit device movement using the MAC address? In this case, I want to limit an IP phone's movement. The definition of movement is: I want a certain IP phone to connect only on a certain switch port. Let's say IP phone A can only connect to Switch A port 1, while IP phone B can only connect to Switch B port 10. The IP phone will use the voice VLAN while an access VLAN is also configured on the port, so any user can use the extension port on the back of the IP phone.
I already managed to limit the movement, but only on one switch. If I move those IP phones to a different switch, the policy will not take effect. The question would be: can I do it centrally, so I do not have to adjust the configuration on every switch? The command list would be a long one, since I have more than 50 IP phones in deployment with more than 10 switches to be configured. Below is an example of my current commands:
mac address-table static 1234.5678.ABCD vlan 10 int te3/0/13
mac address-table static ABCD.EFGH.1234 vlan 10 drop
06-24-2019 05:48 AM
Create two custom attributes: one for the NAD IP and another for the interface name.
Create a policy rule for MAB that uses the following condition:
RADIUS:NAS-IP-Address(4) == ENDPOINT:NAD
&
RADIUS:NAS-Port-ID(87) == ENDPOINT:Interface
and assign voice domain permission.
The above should be enough to lock the specific IP phones to a specific NAD + interface.
The basic idea is the same as the instructions in the following link:
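To make the evaluation order of that rule concrete, here is an added example (not from the original thread or from ISE itself) that models the MAB policy in Python: a constructed endpoint table plays the role of the ISE endpoint database with the two custom attributes ("NAD" and "Interface") the post suggests, and a RADIUS MAB request is checked against it. The attribute names, the sample MACs and addresses, and the assumption that the switch sends NAS-Port-Id as the full interface name (e.g. "TenGigabitEthernet3/0/13") and Calling-Station-Id as a dash-separated MAC are all assumptions of this example.

```python
"""Model of the 'phone locked to NAD + interface' MAB rule from the accepted answer.

Constructed example; attribute names and sample values are assumptions,
not taken from a real ISE deployment.
"""
import re
from typing import Dict, Tuple

# Stand-in for the ISE endpoint database.  Each endpoint carries the two
# custom attributes the post proposes: NAD (switch IP) and Interface (port).
# All MACs and IPs below are constructed sample values.
ENDPOINTS: Dict[str, Dict[str, str]] = {
    "12:34:56:78:AB:CD": {"NAD": "10.0.0.1", "Interface": "TenGigabitEthernet3/0/13"},
    "AB:CD:EF:01:23:45": {"NAD": "10.0.0.2", "Interface": "GigabitEthernet1/0/10"},
}


def normalize_mac(raw: str) -> str:
    """Accept IOS dotted (1234.5678.abcd), dashed (12-34-...) or colon
    notation and return upper-case colon form, or '' if it is not a MAC."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw).upper()
    if len(hexdigits) != 12:
        return ""
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def evaluate_mab(request: Dict[str, str]) -> Tuple[str, str]:
    """Evaluate one MAB request the way the suggested ISE rule would.

    request holds RADIUS attributes by name.  Returns (decision, reason):
    decision is 'PERMIT' with the voice-domain result, or 'REJECT'.
    Both conditions of the rule must match (the '&' in the post): the NAD the
    request came from and the port the phone is plugged into.
    """
    mac = normalize_mac(request.get("Calling-Station-Id", ""))
    endpoint = ENDPOINTS.get(mac)
    if endpoint is None:
        # Unknown MAC: nothing to lock to, so the rule does not match.
        return ("REJECT", "endpoint not in database")
    if request.get("NAS-IP-Address") != endpoint["NAD"]:
        # Phone was moved to a different switch (RADIUS attribute 4).
        return ("REJECT", "NAS-IP-Address does not match ENDPOINT:NAD")
    if request.get("NAS-Port-Id") != endpoint["Interface"]:
        # Same switch, wrong port (RADIUS attribute 87).
        return ("REJECT", "NAS-Port-Id does not match ENDPOINT:Interface")
    return ("PERMIT", "voice domain permission")


if __name__ == "__main__":
    # Phone A on its own switch and port: permitted.
    print(evaluate_mab({
        "Calling-Station-Id": "12-34-56-78-AB-CD",
        "NAS-IP-Address": "10.0.0.1",
        "NAS-Port-Id": "TenGigabitEthernet3/0/13",
    }))
    # Phone A moved to Switch B: rejected, even though the MAC is known.
    print(evaluate_mab({
        "Calling-Station-Id": "12-34-56-78-AB-CD",
        "NAS-IP-Address": "10.0.0.2",
        "NAS-Port-Id": "GigabitEthernet1/0/10",
    }))
```

Because the decision is taken from the endpoint record rather than from per-switch `mac address-table static` lines, moving a phone to another switch in the same ISE deployment is rejected without any change to that switch's configuration; the per-phone data lives in one place and the switch only has to be configured for MAB on its access ports.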
06-24-2019 12:11 AM
Are you using a RADIUS server like ISE or ACS? Using ISE/ACS will let you manage the policy centrally regardless of where the IP phone connects.
06-24-2019 01:03 AM
Hi howon,
Yes, I'm using ISE v2.3.
From the Live Log authentication detail, I saw the switch name, switch IP address, and device MAC address. But I did not see the source port on the switch in the log detail. Can I also set the source port on ISE?
I'm thinking of defining the incoming switch address on ISE, but also setting the MAC limitation on the local switch, since I did not see any port-like attributes on ISE. Do you think this will work? I will be working on this idea in my environment.
06-24-2019 12:25 AM
Adding to the other post:
You have 2 options.
Option 1: you need to have a centralised identity system which can take care of the policies.
Option 2: you need to do it manually on every device (which is time-consuming for adding and removing).
My suggestion is to go with Option 1 (look for options in the market).
06-24-2019 01:08 AM
Hi Balaji,
I have ISE 2.3 installed. On ISE, I should be working on Policy Sets menu, right? Or somewhere else?
06-24-2019 11:25 AM
Follow the other post as suggested. Let us know if you need any further assistance.