08-26-2020 05:19 AM
Hello @All,
I have VLANs on my C2960 and I would like to control the access to my VLANs based on the MAC addresses. And unless I am wrong, "Switch Port Security" might be a solution for me. The VLAN has 10 users (10 PCs, 10 MAC addresses).
The question is: how can I configure the interface range of this VLAN (runs from fa0/2-11) in such a way that only these 10 MAC addresses can have access to the VLAN, even when a host changes from (for example) fa0/2 to fa0/9 he should still have access because he belongs to the 10 MAC addresses.
08-26-2020 06:15 AM
Hello @Tenek85466 ,
see the following link about named extended MAC ACL
in your case each statement should have a specific MAC address as source and the any keyword for destination, otherwise you would need to write all the possible combinations of source MAC / destination MAC.
Remember to include in the permitted MAC addresses the MAC address of the default gateway for the Vlan.
Hope to help
Giuseppe
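A small generator for the approach Giuseppe recommends, added here as an example (it is not configuration or code from the thread). It assumes the IOS syntax quoted in the thread (mac access-list extended NAME, permit host MAC any, mac access-group NAME in) and that a MAC ACL ends with an implicit deny, so no explicit deny any any line is emitted. The ACL name, host and gateway MACs and the port range are constructed; the gateway MAC is always folded into the permit list, and any string that is not exactly twelve hex digits is rejected so a typo never silently becomes an entry that matches nobody.

```python
"""Build a named extended MAC ACL for a VLAN of known hosts (added example).

Assumes IOS syntax as quoted in the thread and an implicit deny at the end of
the MAC ACL. ACL name, MAC values and port range are constructed.
"""
import re


def normalize_mac(mac: str) -> str:
    """Return the MAC in lowercase IOS dotted form (hhhh.hhhh.hhhh).

    Accepts 00:0b:be:e0:d3:8a, 00-0b-be-e0-d3-8a and 000b.bee0.d38a; anything
    that is not exactly 12 hexadecimal digits raises ValueError.
    """
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def is_valid_mac(mac: str) -> bool:
    """True when normalize_mac() would accept the string."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def permitted_macs(host_macs, gateway_mac):
    """Normalised, de-duplicated permit list; the VLAN gateway is always included."""
    out = []
    for mac in [*host_macs, gateway_mac]:
        m = normalize_mac(mac)
        if m not in out:
            out.append(m)
    return out


def render_mac_acl(name, permitted, first_port, last_port):
    """Render the ACL and bind it inbound on the whole access-port range."""
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {m} any" for m in permitted]
    # No explicit 'deny any any': the list ends with an implicit deny.
    lines += [f"interface range FastEthernet0/{first_port} - {last_port}",
              f" mac access-group {name} in"]
    return "\n".join(lines)


def acl_permits(permitted, src_mac):
    """True if a frame from src_mac is forwarded; unlisted sources hit the implicit deny."""
    return normalize_mac(src_mac) in permitted


if __name__ == "__main__":
    # Constructed sample: three hosts written in three notations, plus the gateway.
    hosts = ["0001.c711.b26d", "00:0B:BE:E0:D3:8A", "0090-2189-977a"]
    gateway = "0011.2233.4455"  # constructed placeholder for the SVI MAC
    print(render_mac_acl("VLAN70_HOSTS", permitted_macs(hosts, gateway), 2, 11))
```

Because the filter is an ACL bound to every port in the range rather than a per-port secure address, a host that moves from fa0/2 to fa0/9 is still matched by the same permit line, which is exactly the behaviour the original question asks for.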
08-26-2020 05:34 AM
You can try using sticky MAC addresses (a bit of manual work involved, like the example below). Is that something that works?
interface x/x or range
switchport port-security
switchport port-security maximum 10
switchport port-security mac-address sticky
switchport port-security violation shutdown <- if you like to shutdown
switchport port-security mac-address xxx.yyy.zzz
switchport port-security mac-address aaa.bbb.ccc -- so on up to 10.
08-26-2020 05:50 AM
08-26-2020 06:06 AM
Sorry, it did not work as expected.
Can you explain what is not working? Maybe the range command is not going to take, I guess.
Can you try adding the config on each port with the 10 different MAC addresses? Is that not allowed?
08-26-2020 07:08 AM
I have this error message: Found duplicate mac-address
Here is the running config for 3 Hosts with the range fa0/2-4 :
interface FastEthernet0/2
switchport access vlan 70
switchport mode access
switchport port-security
switchport port-security maximum 3
switchport port-security mac-address 0001.C711.B26D
switchport port-security mac-address 000B.BEE0.D38A
switchport port-security mac-address 0090.2189.977A
!
interface FastEthernet0/3
switchport access vlan 70
switchport mode access
switchport port-security
switchport port-security maximum 3
!
interface FastEthernet0/4
switchport access vlan 70
switchport mode access
switchport port-security
switchport port-security maximum 3
Why are the other ports (Fa0/3-4) not listing the allowed MAC addresses?
08-26-2020 07:50 AM
Hmm, that looks like a limitation, and MAC move is not allowed. Then you have the option of a MAC ACL bound to the VLAN.
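A small model of the behaviour behind that error, added here as an example and not configuration or code from the thread. It models two port-security rules on access ports of one VLAN: a MAC can be a secure address on only one port per VLAN (configuring it on a second port is refused with the thread's message, Found duplicate mac-address), and a frame whose source MAC is already secured on another port in the same VLAN is treated as a violation on the port where it arrives, while an unknown MAC is learned dynamically while the port is below its maximum. Port names, the VLAN and the constructed fourth MAC are assumptions; the three host MACs are the ones shown in the running config above.

```python
"""Model of IOS port-security secure-MAC handling on a group of access ports.

Added example, not the switch's code. Models: one secure owner per MAC per
VLAN ('Found duplicate mac-address'), violation when a MAC secured elsewhere
in the VLAN appears on another port, dynamic learning below 'maximum'.
"""
from dataclasses import dataclass, field


class DuplicateMac(Exception):
    """Raised, as the switch does, when a MAC is secured on two ports of one VLAN."""


@dataclass
class Port:
    name: str
    vlan: int
    maximum: int
    secure: set = field(default_factory=set)   # static + dynamically learned secure MACs
    violations: int = 0


class PortSecurity:
    def __init__(self):
        self.ports = {}

    def add_port(self, name, vlan, maximum):
        self.ports[name] = Port(name, vlan, maximum)

    def _owner(self, vlan, mac):
        """Port in this VLAN that already holds mac as a secure address, or None."""
        for p in self.ports.values():
            if p.vlan == vlan and mac in p.secure:
                return p
        return None

    def configure_static(self, port_name, mac):
        """'switchport port-security mac-address MAC' on one port."""
        p = self.ports[port_name]
        owner = self._owner(p.vlan, mac)
        if owner is not None and owner is not p:
            raise DuplicateMac("Found duplicate mac-address")
        if mac not in p.secure and len(p.secure) >= p.maximum:
            raise ValueError("maximum secure addresses reached")
        p.secure.add(mac)

    def frame(self, port_name, mac):
        """Return 'forward' or 'violation' for a frame from mac arriving on port_name."""
        p = self.ports[port_name]
        if mac in p.secure:
            return "forward"
        if self._owner(p.vlan, mac) is not None:   # secured on another port, same VLAN
            p.violations += 1
            return "violation"
        if len(p.secure) < p.maximum:               # room left: learn it dynamically
            p.secure.add(mac)
            return "forward"
        p.violations += 1
        return "violation"


def demo():
    """Rebuild the fa0/2-4 layout from the thread and report what a port move does."""
    ps = PortSecurity()
    for n in (2, 3, 4):
        ps.add_port(f"FastEthernet0/{n}", vlan=70, maximum=3)
    hosts = ["0001.c711.b26d", "000b.bee0.d38a", "0090.2189.977a"]  # from the thread
    for mac in hosts:
        ps.configure_static("FastEthernet0/2", mac)
    try:
        ps.configure_static("FastEthernet0/3", hosts[0])  # same MAC on a second port
        duplicate = None
    except DuplicateMac as err:
        duplicate = str(err)
    return {
        "duplicate": duplicate,
        "moved_host": ps.frame("FastEthernet0/4", hosts[0]),        # host moves to fa0/4
        "new_host": ps.frame("FastEthernet0/3", "0011.2233.4455"),  # constructed unknown MAC
        "fa0_3_secure": sorted(ps.ports["FastEthernet0/3"].secure),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

This is why the ports after fa0/2 show no secure addresses: the static entries were accepted only on the first port of the range, and the same host is then a violation anywhere else in the VLAN, which is the opposite of the "host may move between ports" requirement. An inbound MAC ACL on the range has no such per-port ownership.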
08-26-2020 05:42 AM
Hello @Tenek85466 ,
unfortunately Port Security does not provide the capability to associate a set of allowed MAC addresses to a range of ports.
In port security you configure each port on its own and you have two basic options:
a) you manually specify which MAC address can connect to the port
b) you configure an upper limit to the number of allowed MAC addresses learned on the port for example 3. This is handy for the installation of VOIP phones that provide an ethernet port for connecting a PC downstream of them.
You can use a MAC ACL applied inbound to specify which MAC addresses are allowed and then apply it to all the ports in the range.
This is probably the correct feature for what you would like to achieve.
Hope to help
Giuseppe
08-26-2020 05:49 AM
09-25-2020 03:37 AM
Hello @Giuseppe Larosa,
in the example below, I am trying to permit the host 6t3g.jk0a.0ggg to have access to the network, but the contrary is happening .... even though I authorized him. Any solution? PS: All ports belong to VLAN 1.
mac access-list extended Test
permit host 6t3g.jk0a.0ggg any (The Host I want to permit)
permit host xxxx.xxxx.xxxx any (The Interface Vlan 1)
deny any any
interface FastEthernet0/1
mac access-group Test in
09-25-2020 05:00 AM
Hello @Tenek85466 ,
>> in the example below, I am trying to permit the host 6t3g.jk0a.0ggg to have access to the Network, but the contrary is happening ...
Do you mean that the specified MAC address is not permitted and is filtered on the port fa0/1?
try to use this other formulation of the MAC ACL
mac access-list extended Test
permit host 6t3g.jk0a.0ggg any
there should be an implicit deny any.
Hope to help
Giuseppe