12-31-2020 10:55 AM - edited 12-08-2021 08:21 AM
I am trying to look for tech docs on this and can't find anything.
For my switchports on these ISRs, "switchport port-security..." on configured switchports is not an option.
I can configure access-lists 700+ for 48-bit MACs, but then I can't apply an ACL in the 700 range to one of the switchport interfaces, only the other types of ACLs.
Bridge-group not supported either. Any help?
12-31-2020 11:20 AM
Personally, I do not believe that is supported on the ISR models (even though an L2 module can be supported by ISR models); that command is more of a switch command.
what is the use case here?
12-31-2020 11:22 AM - edited 12-31-2020 11:23 AM
Normal use case for port-security: I don't want it to be easy for a different node to be connected. I'm wondering if I can work around this and use maybe a MAC ACL or something?
01-01-2021 12:07 AM
Hello,
as far as I recall, on the EtherSwitch network interface modules, you can configure MAC address-based traffic blocking (see link below), that appears to be your only option.
01-01-2021 12:14 AM - edited 01-01-2021 12:26 AM
You can explore that option here. I have not tested it, but you can try it and let us know if it works for you. (You can also do it the other way around: allow the interesting MACs and deny the rest.)
mac access-list extended BB-MAC
deny host aaaa.bbbb.cccc any
permit any any
!
interface gig x/x
mac access-group BB-MAC in
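The reply above shows the deny-one-host form. For the original poster's goal (only known nodes may use the port), the allow-list form is the one that behaves most like port-security. The following is an added example, not configuration from the original thread; the ACL name, interface name, VLAN and the two host MAC addresses are placeholders. A named MAC extended ACL already ends with an implicit deny, so the explicit `deny any any` is there only to make the intent readable.

```cisco
! Added example (not from the original post). Placeholders: ACL name,
! interface GigabitEthernet0/1/0, VLAN 10 and the two host MACs.
mac access-list extended ALLOWED-HOSTS
 permit host 0011.2233.4455 any
 permit host 0011.2233.4466 any
 deny any any
!
interface GigabitEthernet0/1/0
 description Workstation port on EtherSwitch module
 switchport mode access
 switchport access vlan 10
 mac access-group ALLOWED-HOSTS in
!
! Verify the ACL exists and is applied as intended
! show access-lists ALLOWED-HOSTS
! show running-config interface GigabitEthernet0/1/0
```

Two caveats before treating this as a port-security substitute. First, it gives none of port-security's violation handling (no err-disable, no sticky learning, no SNMP trap); a frame from an unlisted MAC is silently dropped and nothing tells you it happened. Second, on the Catalyst access switches that use this same syntax, a MAC ACL applied with `mac access-group` filters only non-IP frames and IP traffic from a denied MAC still passes; confirm whether the same limitation applies to your EtherSwitch module before relying on it. Like port-security itself, any MAC-based control is defeated by a host that spoofs a permitted address, so it raises the bar for casual plug-ins rather than stopping a deliberate attacker.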
01-04-2021 05:43 AM
End user nodes are patched to switch module/ports.
01-01-2021 04:11 AM - edited 01-01-2021 10:09 AM
Hello
Routers should not be exposed to end users nonchalantly plugging into them, unlike switchports on switches. Also, router ports are mostly L3 ports anyway, so I guess that's one of the reasons why L2 port-security isn't applicable on routers, even when a switch module is installed.
Now, if your router is that exposed, then I would suggest some physical security.
As for applying a MAC address ACL to active router/switch module ports: if L3 ports are proxying, then you'll encounter problems.
If you have a switch module, then I guess they won't be connecting to a single host but connected to a switch, so again a MAC ACL may not be applicable.
As for any router, if the port(s) are not being used, then shut them down.
01-04-2021 05:42 AM
The router has a switching module with actual end hosts attached to it and/or it's utilized for plugging in workstations, etc.
Looks like using a mac acl may be my best option for this.
01-04-2021 06:35 AM
Just out of curiosity, can you actually apply MAC ACLs to these ports? I did not see that in the command reference...
01-04-2021 06:40 AM
Hello @Georg Pauwen
Most probably it would be an ARP ACL.
12-08-2021 07:50 AM
The "mac address-table" syntax is not supported. It doesn't seem I have any options to create ACLs based on a MAC.
12-08-2021 07:55 AM
Actually it looks like access-list 700 is supported for 48-bit MAC. I am going to look into that.