11-25-2013 05:20 AM - edited 03-04-2019 09:40 PM
I want to implement port security on one of the FastEthernet ports on a Cisco 887VAG, but the switchport port-security command is not available.
All I want is to bind a MAC address to FastEthernet0; the only command that looks relevant is 'switchport protected'.
What's the best way to do this?
interface FastEthernet0
description Printer
no ip address
end
router-new(config-if)#switchport ?
access Set access mode characteristics of the interface
mode Set trunking mode of the interface
priority Set 802.1p priorities
protected Configure an interface to be a protected port
trunk Set trunking characteristics of the interface
voice Voice appliance attributes
11-25-2013 08:40 AM
Port Security is not available yet on these routers. Switchport protected will not provide what you are looking for. The only thing I can think of is to create a MAC ACL and apply it to the port.
Hope it helps.
11-25-2013 09:01 AM
Thanks Colin
There does not seem to be an option to create a MAC address ACL, or am I missing something basic?
router-New(config)#access-list ?
<1-99> IP standard access list
<100-199> IP extended access list
<1100-1199> Extended 48-bit MAC address access list
<1300-1999> IP standard access list (expanded range)
<200-299> Protocol type-code access list
<2000-2699> IP extended access list (expanded range)
<700-799> 48-bit MAC address access list
dynamic-extended Extend the dynamic ACL absolute timer
rate-limit Simple rate-limit specific access list
GRAWAN1-New(config)# access-list 101 permit ?
<0-255> An IP protocol number
ahp Authentication Header Protocol
eigrp Cisco's EIGRP routing protocol
esp Encapsulation Security Payload
gre Cisco's GRE tunneling
icmp Internet Control Message Protocol
igmp Internet Gateway Message Protocol
ip Any Internet Protocol
ipinip IP in IP tunneling
nos KA9Q NOS compatible IP over IP tunneling
object-group Service object group
ospf OSPF routing protocol
pcp Payload Compression Protocol
pim Protocol Independent Multicast
sctp Stream Control Transmission Protocol
tcp Transmission Control Protocol
udp User Datagram Protocol
11-25-2013 09:10 AM
Look at <700-799> :-)
11-25-2013 09:15 AM
Here's an example
access-list 700 permit 0050.56C0.0008 0000.0000.0000
11-25-2013 09:20 AM
I just found a command that may help. I'll see what else I can find. You just want MAC auth, correct?
RTR(config-if)#dot1x ?
authenticator Configure authenticator parameters
default Configure Dot1x with default values for this port
max-reauth-req Max No. of Reauthentication Attempts
max-req Max No. of Retries
pae Set 802.1x interface pae type
timeout Various Timeouts
11-25-2013 09:25 AM
Looks like we can do it with dot1x!
http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html
Let me know if it helps or not.
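As an added example (not posted by anyone in this thread), here is what the MAB-only configuration from the linked 15.2MT guide looks like when applied to the 887's FastEthernet0. The RADIUS server address 192.0.2.10 and the key RadiusSecret are placeholders; the printer MAC 0026.734b.80d0 is the one used elsewhere in this thread. A reachable RADIUS server with that MAC defined as a user (username and password both set to the MAC, in the format the server expects) is required, otherwise the port authorizes nothing.

```cisco
! Added example, not from any post in this thread: MAC Authentication Bypass
! on the 887's FastEthernet0, following the IOS 15.2MT MAB guide linked above.
! 192.0.2.10 / RadiusSecret are placeholders for the RADIUS server and key.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key RadiusSecret
dot1x system-auth-control
!
interface FastEthernet0
 description Printer
 switchport mode access
 ! Port stays unauthorized until RADIUS accepts the client
 authentication port-control auto
 ! MAB: the switch sends the source MAC (e.g. 0026.734b.80d0) to RADIUS
 mab
 dot1x pae authenticator
end
```

With this in place, a frame from any MAC not accepted by the RADIUS server leaves the port unauthorized, which is the binding the original question asks for. Check the result with `show authentication sessions interface FastEthernet0` once a client is connected.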
11-25-2013 02:07 PM
Hi Collin,
MAC authentication bypass with dot1x is a working solution, but he'll have to install a RADIUS server for this to work.
Does the MAC ACL really filter IPv4 traffic? It doesn't on access switches, but I'm not sure if the behaviour is the same on the switch module of the router.
Disabling dynamic mac learning and entering a static MAC entry for the accepted host would be another solution but I'm not sure it is available on the switch module.
Regards
Alain
Don't forget to rate helpful posts.
11-25-2013 02:10 PM
All I want is to bind a MAC address to FastEthernet0; the only command that looks relevant is 'switchport protected'.
11-25-2013 11:55 PM
Hi Leo,
Isn't this feature only for the wireless part of the router ?
Regards
Alain
Don't forget to rate helpful posts.
11-26-2013 12:43 AM
I created the access list but there seems to be no command to put it on to the interface.
router-New# sh access-list
Bridge address access list 700
permit 0026.734b.80d0 0000.0000.0000
There is a mac-address command that manually sets the interface MAC address, but I'm not sure whether that means the actual port or the device connected to it.
router-New(config-if)#?
Interface configuration commands:
aaa Authentication, Authorization and Accounting.
arp Set arp type (arpa, probe, snap), timeout, log options or packet priority
authentication Auth Manager Interface Configuration Commands
auto Configure Automation
backup Modify backup parameters
bandwidth Set bandwidth informational parameter
bfd BFD interface configuration commands
bgp-policy Apply policy propagated by bgp community string
bridge-group Transparent bridging interface parameters
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
cmns OSI CMNS
content-scan Content Scan the ingress traffic
crypto Encryption/Decryption commands
dampening Enable event dampening
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
dot1q dot1q interface configuration commands
dot1x Interface Config Commands for IEEE 802.1X
duplex Configure duplex operation.
eou EAPoUDP Interface Configuration Commands
ethernet Ethernet interface parameters
exit Exit from interface configuration mode
flow-sampler Attach flow sampler to the interface
help Description of the interactive help system
history Interface history histograms - 60 second, 60 minute and 72 hour
hold-queue Set hold queue depth
ip Interface Internet Protocol config commands
iphc-profile Configure IPHC profile
keepalive Enable keepalive
l2protocol-tunnel Tunnel Layer2 protocols
llc2 LLC2 Interface Subcommands
lldp LLDP interface subcommands
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
mab MAC Authentication Bypass Interface Config Commands
mac-address Manually set interface MAC address
mace Measurement Aggregation and Correlation Engine
macro Command macro
metadata Metadata Application
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable name-caching
no Negate a command or set its defaults
ospfv3 OSPFv3 interface commands
pppoe pppoe interface subcommands
pppoe-client pppoe client
rmon Configure Remote Monitoring on an interface
routing Per-interface routing configuration
service-policy Configure CPL Service Policy
shutdown Shutdown the selected interface
snapshot Configure snapshot support on the interface
snmp Modify SNMP interface parameters
source Get config from another source
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
srlg Interface Shared Risk Link Group config commands
storm-control storm configuration
switchport Set switching mode characteristics
timeout Define timeout values for this interface
topology Configure routing topology on the interface
transmit-interface Assign a transmit interface to a receive-only interface
tx-ring-limit Configure PA level transmit ring limit
user-group Interface-User-group Association
vrf VPN Routing/Forwarding parameters on the interface
waas WAN Optimization
xconnect Xconnect commands
zone-member Apply zone name
11-26-2013 01:34 AM
Hi,
In the document provided by Leo you can see that this MAC ACL is bound to the AP part of the router, not to the switching part.
As a workaround I think you should provide a static mapping in the DHCP server to this device and then apply a port ACL inbound on the port denying this IP (provided we can apply an ACL to an L2 port on the switch module for this router).
Of course, if adding a RADIUS server and configuring it for MAC authentication is not a problem for you, then you can use the dot1x with MAB solution that Collin proposed.
Regards
Alain
Don't forget to rate helpful posts.
11-26-2013 01:54 AM
Alain,
As it's a statically assigned address I don't think the DHCP option will work (we use QIP).
There doesn't appear to be any command to apply an ACL to the L2 Fa ports on the router.
There is no RADIUS server.
I may just have to leave it unsecured.
11-26-2013 06:44 AM
I don't see how to apply it either, very strange.
11-26-2013 03:44 PM
Isn't this feature only for the wireless part of the router ?
Hello Alain,
You should be able to configure MAC-based ACL.