ISR4321 Support port-security?

CiscoPurpleBelt
Level 6

I am trying to look for tech docs on this and can't find anything. 

For the switchports on these ISRs, "switchport port-security..." is not an option on the configured switchports.

I can configure access-lists 700+ for 48-bit MACs, but then I can't apply an ACL from the 700 range to one of the switchport interfaces, only the other types of ACLs.

Bridge-group not supported either. Any help?


balaji.bandi
Hall of Fame

Personally, I do not believe that is supported on ISR models (even though an L2 module can be supported by ISR models); that command belongs more on a switch.

 

what is the use case here?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Normal use case for port-security: I don't want it to be easy for a different node to be connected. I'm wondering if I can work around this and use maybe a MAC ACL or something?

Hello,

 

As far as I recall, on the EtherSwitch network interface modules you can configure MAC address-based traffic blocking (see link below); that appears to be your only option.

 

https://www.cisco.com/c/en/us/td/docs/routers/access/interfaces/NIM/software/configuration/guide/4-8-port-ge-nim-guide.html#task_1096514

You can explore that option here. I have not tested it, but you can try and let us know if it works for you.

 

(You can also do it the other way around: permit the interesting MACs and deny the rest.)

mac access-list extended BB-MAC
 deny host aaaa.bbbb.cccc any
 permit any any
!
interface gig x/x
 mac access-group BB-MAC in

BB

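The reply above gives a block-list MAC ACL and notes that the allow-list form (permit the known hosts, deny the rest) is the other way to write it. The script below is an added example for this thread, not code from any of the posters or from Cisco: it normalises MAC addresses from the notations an inventory usually mixes into the IOS dotted form, emits the allow-list ACL plus the interface binding in the same "mac access-list extended" / "mac access-group ... in" syntax used above, and then evaluates frames against the ACL with IOS first-match semantics so you can audit which observed MACs would be blocked. The station names, MAC addresses and interface name are constructed, and the ACE evaluator handles only the "any" and "host <mac>" address forms used in the thread, not mask-based entries.

```python
"""Allow-list MAC ACL for a Cisco IOS EtherSwitch port: generate the config
and check which frames it would pass (first match wins, implicit deny).

Added example for this thread, not code from the original posts or from
Cisco.  The station names, MAC addresses and interface name are constructed;
the ACE evaluator handles only the 'any' and 'host <mac>' forms used here.
"""
import re

# Constructed inventory: the only stations that should be live on this port.
ALLOWED_STATIONS = {
    "ws-finance-01": "00:11:22:33:44:55",   # Linux-style colons
    "ws-finance-02": "00-11-22-33-44-66",   # Windows-style dashes
    "printer-2f":    "0011.2233.4477",      # already in IOS form
}
PORT = "GigabitEthernet0/1/0"              # assumed EtherSwitch NIM port name


def to_cisco_mac(mac: str) -> str:
    """Normalise any common MAC notation to IOS dotted form hhhh.hhhh.hhhh."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def build_allow_list_acl(name: str, stations: dict) -> list:
    """Return the ACL as IOS config lines: one permit per known host, then deny."""
    lines = [f"mac access-list extended {name}"]
    for host in sorted(stations):
        lines.append(f" permit host {to_cisco_mac(stations[host])} any")
    # IOS already ends every ACL with an implicit deny; writing it out makes
    # the intent visible in the running config.
    lines.append(" deny any any")
    return lines


def apply_to_port(name: str, port: str) -> list:
    """Config lines that bind the ACL to inbound frames on the switchport."""
    return [f"interface {port}", f" mac access-group {name} in"]


def _parse_field(parts: list, idx: int):
    """Parse one source/destination field of an ACE; None means 'any'."""
    if parts[idx] == "any":
        return None, idx + 1
    if parts[idx] == "host":
        return to_cisco_mac(parts[idx + 1]), idx + 2
    raise ValueError(f"unsupported ACE field {parts[idx]!r}")


def acl_action(acl_lines: list, src_mac: str,
               dst_mac: str = "ffff.ffff.ffff") -> str:
    """Evaluate a frame against the ACL the way IOS does: top-down, the first
    matching entry decides, and anything unmatched hits the implicit deny."""
    src, dst = to_cisco_mac(src_mac), to_cisco_mac(dst_mac)
    for line in acl_lines[1:]:          # skip the 'mac access-list' header
        parts = line.split()
        action = parts[0]
        want_src, idx = _parse_field(parts, 1)
        want_dst, _ = _parse_field(parts, idx)
        if want_src in (None, src) and want_dst in (None, dst):
            return action
    return "deny"                        # implicit deny at the end of every ACL


def audit(acl_lines: list, seen_macs: list) -> dict:
    """Map each MAC observed on the port to the action the ACL would take,
    so an unexpected station stands out immediately."""
    return {mac: acl_action(acl_lines, mac) for mac in seen_macs}


if __name__ == "__main__":
    acl = build_allow_list_acl("ALLOWED-MACS", ALLOWED_STATIONS)
    print("\n".join(acl + ["!"] + apply_to_port("ALLOWED-MACS", PORT)))
    # Constructed list of MACs seen on the port: two known, one unknown.
    observed = ["00:11:22:33:44:55", "de:ad:be:ef:00:01", "0011.2233.4477"]
    for mac, action in audit(acl, observed).items():
        print(f"{to_cisco_mac(mac)}  {action}")
```

The allow-list form is the one that actually approximates port-security: a station that is not in the inventory gets no inbound frames accepted at all, whereas the block-list form only stops the one MAC you already know about. Remember the caveat from the thread that a MAC ACL only helps when the port faces a single host; behind a downstream switch, or where L3 proxying is in play, the source MACs are not the end stations.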

End user nodes are patched to the switch module/ports.

Hello

Routers should not be exposed to end users nonchalantly plugging into them, unlike switchports on switches. Also, router ports are mostly L3 ports anyway, so I guess that's one of the reasons why L2 port-security isn't applicable on routers, even when a switch module is installed.

Now, if your router is that exposed, then I would suggest some physical security.

As for applying a MAC address ACL to active router/switch module ports: if L3 ports are proxying, then you'll encounter problems.

If you have a switch module, then I guess they won't be connecting to a single host but to a switch, so again a MAC ACL may not be applicable.

As for any router, if the port(s) are not being used, then shut them down.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

The router has a switching module with actual end hosts attached to it, and/or it is utilized for plugging in workstations, etc.

Looks like using a MAC ACL may be my best option for this.

Just out of curiosity, can you actually apply MAC ACLs to these ports ? I did not see that in the command reference...

Hello @Georg Pauwen 

Most probably it would be an ARP ACL.



Kind Regards
Paul

The "mac address-table" syntax is not supported. It doesn't seem I have any options to create ACLs based on a MAC.

Actually, it looks like access-list 700 is supported for 48-bit MACs. I am going to look into that.
