Switchport security 887VAG router

smith606306
Level 1

I want to implement port security on one of the FastEthernet ports on a Cisco 887VAG, but the switchport port-security command is not available.

All I want is to bind a MAC address to FastEthernet 0; the only command that looks relevant is 'switchport protected'.

What's the best way to do this?

interface FastEthernet0
description  Printer
no ip address
end

router-new(config-if)#switchport ?
  access     Set access mode characteristics of the interface
  mode       Set trunking mode of the interface
  priority   Set 802.1p priorities
  protected  Configure an interface to be a protected port
  trunk      Set trunking characteristics of the interface
  voice      Voice appliance attributes

18 Replies

Collin Clark
VIP Alumni

Port Security is not available yet on these routers. Switchport protected will not provide what you are looking for. The only thing I can think of is to create a MAC ACL and apply it to the port.

Hope it helps.

Thanks Collin

There does not seem to be an option to create a MAC address ACL, or am I missing something basic?

router-New(config)#access-list ?
  <1-99>            IP standard access list
  <100-199>         IP extended access list
  <1100-1199>       Extended 48-bit MAC address access list
  <1300-1999>       IP standard access list (expanded range)
  <200-299>         Protocol type-code access list
  <2000-2699>       IP extended access list (expanded range)
  <700-799>         48-bit MAC address access list
  dynamic-extended  Extend the dynamic ACL absolute timer
  rate-limit        Simple rate-limit specific access list

GRAWAN1-New(config)# access-list 101 permit ?
  <0-255>       An IP protocol number
  ahp           Authentication Header Protocol
  eigrp         Cisco's EIGRP routing protocol
  esp           Encapsulation Security Payload
  gre           Cisco's GRE tunneling
  icmp          Internet Control Message Protocol
  igmp          Internet Gateway Message Protocol
  ip            Any Internet Protocol
  ipinip        IP in IP tunneling
  nos           KA9Q NOS compatible IP over IP tunneling
  object-group  Service object group
  ospf          OSPF routing protocol
  pcp           Payload Compression Protocol
  pim           Protocol Independent Multicast
  sctp          Stream Control Transmission Protocol
  tcp           Transmission Control Protocol
  udp           User Datagram Protocol

Look at <700-799> :-)

Here's an example

access-list 700 permit 0050.56C0.0008 0000.0000.0000

I just found a command that may help. I'll see what else I can find. You just want MAC auth, correct?

RTR(config-if)#dot1x ?
  authenticator   Configure authenticator parameters
  default         Configure Dot1x with default values for this port
  max-reauth-req  Max No. of Reauthentication Attempts
  max-req         Max No. of Retries
  pae             Set 802.1x interface pae type
  timeout         Various Timeouts

Looks like we can do it with dot1x!

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_usr_aaa/configuration/15-2mt/sec-config-mab.html

Let me know if it helps or not.
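For readers following the MAC Authentication Bypass route suggested in the reply above, here is an added configuration example (not posted in this thread and not taken from the linked Cisco guide verbatim). It assumes a RADIUS server reachable at 192.0.2.10 with the printer's MAC address registered as a MAB username/password, a placeholder shared secret, and that the 887VAG's switch ports accept the IOS Auth Manager syntax; the thread only shows that the dot1x, mab and authentication keywords exist in interface configuration mode, so treat that last point as an assumption to verify on the box.

```cisco
! Added example: MAB-only port authentication for a printer port.
! Assumptions: RADIUS at 192.0.2.10 (placeholder), secret RADIUS-KEY-PLACEHOLDER,
! and Auth Manager commands available on the 887VAG switch ports.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RADIUS-KEY-PLACEHOLDER
! 802.1X/MAB is inactive until the global switch is turned on
dot1x system-auth-control
!
interface FastEthernet0
 description Printer
 switchport mode access
 ! printers normally have no 802.1X supplicant, so try MAB only
 authentication order mab
 authentication priority mab
 ! only one authenticated MAC may use the port (rejects a second host)
 authentication host-mode single-host
 ! port stays closed until the RADIUS server accepts the MAC
 authentication port-control auto
 mab
!
! Verification once the printer is plugged in:
!   show authentication sessions interface FastEthernet0
!   show mab interface FastEthernet0
```

Until the RADIUS server answers Access-Accept for the printer's MAC, the port passes no data traffic, so test the RADIUS reachability (and confirm the MAB credentials) before relying on it for a production printer; without a RADIUS server this approach is not usable, which is the limitation the rest of the thread runs into.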

Hi Collin,

Mac authentication bypass with dot1x is a working solution but he'll have to install a radius server for this to work.

Does the MAC ACL really filter IPv4 traffic? It doesn't on access switches, but I'm not sure if the behaviour is the same on the switch module of the router.

Disabling dynamic MAC learning and entering a static MAC entry for the accepted host would be another solution, but I'm not sure it is available on the switch module.

Regards

Alain

Don't forget to rate helpful posts.

Leo Laohoo
Hall of Fame
All i want is to bind a mac address to fastethernet 0, the only command that looks relevant is the 'switchport protected'.

Filters Using MAC-Based ACLs

Hi Leo,

Isn't this feature only for the wireless part of the router ?

Regards

Alain

Don't forget to rate helpful posts.

I created the access list, but there seems to be no command to put it on the interface.

router-New# sh access-list
Bridge address access list 700
    permit 0026.734b.80d0   0000.0000.0000

There is a mac-address command that manually sets the interface MAC address, but I'm not sure whether that means the actual port or the device connected to it.

router-New(config-if)#?
Interface configuration commands:
  aaa                 Authentication, Authorization and Accounting.
  arp                 Set arp type (arpa, probe, snap), timeout, log options or packet priority
  authentication      Auth Manager Interface Configuration Commands
  auto                Configure Automation
  backup              Modify backup parameters
  bandwidth           Set bandwidth informational parameter
  bfd                 BFD interface configuration commands
  bgp-policy          Apply policy propagated by bgp community string
  bridge-group        Transparent bridging interface parameters
  carrier-delay       Specify delay for interface transitions
  cdp                 CDP interface subcommands
  cmns                OSI CMNS
  content-scan        Content Scan the ingress traffic
  crypto              Encryption/Decryption commands
  dampening           Enable event dampening
  default             Set a command to its defaults
  delay               Specify interface throughput delay
  description         Interface specific description
  dot1q               dot1q interface configuration commands
  dot1x               Interface Config Commands for IEEE 802.1X
  duplex              Configure duplex operation.
  eou                 EAPoUDP Interface Configuration Commands
  ethernet            Ethernet interface parameters
  exit                Exit from interface configuration mode
  flow-sampler        Attach flow sampler to the interface
  help                Description of the interactive help system
  history             Interface history histograms - 60 second, 60 minute and 72 hour
  hold-queue          Set hold queue depth
  ip                  Interface Internet Protocol config commands
  iphc-profile        Configure IPHC profile
  keepalive           Enable keepalive
  l2protocol-tunnel   Tunnel Layer2 protocols
  llc2                LLC2 Interface Subcommands
  lldp                LLDP interface subcommands
  load-interval       Specify interval for load calculation for an interface
  logging             Configure logging for interface
  mab                 MAC Authentication Bypass Interface Config Commands
  mac-address         Manually set interface MAC address
  mace                Measurement Aggregation and Correlation Engine
  macro               Command macro
  metadata            Metadata Application
  mtu                 Set the interface Maximum Transmission Unit (MTU)
  netbios             Use a defined NETBIOS access list or enable name-caching
  no                  Negate a command or set its defaults
  ospfv3              OSPFv3 interface commands
  pppoe               pppoe interface subcommands
  pppoe-client        pppoe client
  rmon                Configure Remote Monitoring on an interface
  routing             Per-interface routing configuration
  service-policy      Configure CPL Service Policy
  shutdown            Shutdown the selected interface
  snapshot            Configure snapshot support on the interface
  snmp                Modify SNMP interface parameters
  source              Get config from another source
  spanning-tree       Spanning Tree Subsystem
  speed               Configure speed operation.
  srlg                Interface Shared Risk Link Group config commands
  storm-control       storm configuration
  switchport          Set switching mode characteristics
  timeout             Define timeout values for this interface
  topology            Configure routing topology on the interface
  transmit-interface  Assign a transmit interface to a receive-only interface
  tx-ring-limit       Configure PA level transmit ring limit
  user-group          Interface-User-group Association
  vrf                 VPN Routing/Forwarding parameters on the interface
  waas                WAN Optimization
  xconnect            Xconnect commands
  zone-member         Apply zone name

Hi,

In the document provided by Leo you can see that this MAC ACL is bound to the AP part of the router, not to the switching part.

As a workaround, I think you should provide a static mapping in the DHCP server to this device and then apply a port ACL inbound on the port denying this IP (provided we can apply an ACL to an L2 port on the switch module for this router).

Of course if adding a radius server and configuring it for mac authentication is not a problem for you then you can use the dot1x with mab solution that Collin proposed.

Regards

Alain

Don't forget to rate helpful posts.

Alain,

As it's a statically assigned address, I don't think the DHCP option will work. (We use QIP.)

There doesn't appear to be any command to apply an ACL to the L2 Fa ports on the router.

There is no RADIUS server.

I may just have to leave it unsecured.

I don't see how to apply it either, very strange.

Isn't this feature only for the wireless part of the router ?

Hello Alain,

You should be able to configure MAC-based ACL. 
