Controlling access to VLANS

Tenek85466
Level 1

Hello @All,

I have VLANs on my C2960 and I would like to control access to my VLANs based on MAC addresses. Unless I am wrong, "Switch Port Security" might be a solution for me. The VLAN has 10 users (10 PCs, 10 MAC addresses).

The question is: how can I configure the interface range of this VLAN (which runs from fa0/2-11) in such a way that only these 10 MAC addresses can have access to the VLAN? Even when a host moves from, for example, fa0/2 to fa0/9, he should still have access because he belongs to the 10 MAC addresses.

1 Accepted Solution (the reply from Giuseppe Larosa below about named extended MAC ACLs)

10 Replies

balaji.bandi
Hall of Fame

You can try using sticky MAC addresses (a bit of manual work is involved, like the example below). Is that something that works?

 

interface x/x   (or an interface range)
 switchport port-security
 switchport port-security maximum 10
 switchport port-security mac-address sticky
 switchport port-security violation shutdown     <- if you like to shut down on violation
 switchport port-security mac-address xxxx.xxxx.xxxx
 switchport port-security mac-address aaaa.bbbb.cccc   -- and so on, up to 10

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I tried it in PKT but I cannot set many MAC addresses on a range of ports.

Sorry, it did not work as expected.

 

Can you explain what is not working? Maybe the range command will not take it, I guess.

Can you try adding the config to each port with the 10 different MAC addresses? Is that not allowed?

 

BB


I get this error message: Found duplicate mac-address

 

Here is the running config for 3 hosts with the range fa0/2-4:

 

interface FastEthernet0/2
 switchport access vlan 70
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0001.C711.B26D
 switchport port-security mac-address 000B.BEE0.D38A
 switchport port-security mac-address 0090.2189.977A
!
interface FastEthernet0/3
 switchport access vlan 70
 switchport mode access
 switchport port-security
 switchport port-security maximum 3
!
interface FastEthernet0/4
 switchport access vlan 70
 switchport mode access
 switchport port-security
 switchport port-security maximum 3

 

Why are the other ports (Fa0/3-4) not listing the allowed MAC addresses?

 

 

Hmm, that looks like a limitation: it does not allow your MAC move. Then you have the option of a MAC ACL bound to the VLAN.

BB


Giuseppe Larosa
Hall of Fame

Hello @Tenek85466 ,

Unfortunately, Port Security does not provide the capability to associate a set of allowed MAC addresses with a range of ports.

 

In port security you configure each port on its own, and you have two basic options:

a) you manually specify which MAC address can connect to the port

b) you configure an upper limit to the number of allowed MAC addresses learned on the port (for example, 3). This is handy for the installation of VoIP phones that provide an Ethernet port for connecting a PC downstream of them.

 

You can use a MAC ACL applied inbound to specify which MAC addresses are allowed and then apply it to all the ports in the range.

This is probably the correct feature for what you would like to achieve.

 

Hope to help

Giuseppe

 

Thank you very much @Giuseppe Larosa for your quick response. Can you please tell me more about the MAC ACL? Do you have any documentation/link for such a purpose?

Hello @Tenek85466 ,

see the following link about named extended MAC ACL

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_25_see/configuration/guide/scg_1/swacl.html#wp1289037

 

In your case each statement should have a specific MAC address as source and the any keyword as destination; otherwise you would need to write all the possible combinations of source MAC / destination MAC.

Remember to include in the permitted MAC addresses the MAC address of the default gateway for the VLAN.

 

Hope to help

Giuseppe

 

Hello @Giuseppe Larosa,

 

In the example below, I am trying to permit the host 6t3g.jk0a.0ggg to have access to the network, but the contrary is happening, even though I authorized it. Any solution? PS: all ports belong to VLAN 1.

 

 

 

mac access-list extended Test
 permit host 6t3g.jk0a.0ggg any     (the host I want to permit)
 permit host xxxx.xxxx.xxxx any     (the interface Vlan 1)
 deny any any
!
interface FastEthernet0/1
 mac access-group Test in

Hello @Tenek85466 ,

>> in the example below, I am trying to permit the host 6t3g.jk0a.0ggg to have access to the Network, but the contrary is happening ...

 

Do you mean that the specified MAC address is not permitted and filtered on the port fas0/1?

 

Try this other formulation of the MAC ACL:

mac access-list extended Test
 permit host 6t3g.jk0a.0ggg any

 

there should be an implicit deny any.

 

Hope to help

Giuseppe

 
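The accepted solution above (one "permit host <mac> any" per allowed station, plus the VLAN gateway, applied inbound on every port of the range) and the last reply (the ACL ends in an implicit deny) are easy to get wrong by hand for ten hosts. The following Python generator is an added example, not code from this thread or from Cisco: it normalises MAC addresses to the IOS dotted form, rejects anything that is not 12 hex digits (the placeholder 6t3g.jk0a.0ggg above would be refused before it ever reached the switch), emits the named extended MAC ACL and the "interface range" lines, and includes a small first-match evaluator so you can check what the ACL decides for a given source MAC. The station MACs are the three from the Packet Tracer config posted in this thread; the gateway MAC and the ACL name are constructed placeholders.

```python
import re

# Constructed sample input: the three station MACs from the thread's
# Packet Tracer config plus a made-up gateway MAC (replace with the real SVI MAC).
STATION_MACS = ["0001.C711.B26D", "00:0B:BE:E0:D3:8A", "00-90-21-89-97-7A"]
GATEWAY_MAC = "0000.1111.2222"   # placeholder for the VLAN default-gateway MAC


def to_cisco_mac(mac: str) -> str:
    """Normalise dotted, colon or hyphen notation to IOS hhhh.hhhh.hhhh.
    Anything that is not exactly 12 hexadecimal digits is rejected, which
    catches typos and placeholders before they are pasted into the switch."""
    digits = re.sub(r"[.:\-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a valid MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def build_mac_acl(name, station_macs, gateway_mac, explicit_deny=True):
    """IOS lines for a named extended MAC ACL: one 'permit host <mac> any'
    per allowed station, the VLAN gateway included, nothing else."""
    allowed = []
    for mac in list(station_macs) + [gateway_mac]:
        cisco = to_cisco_mac(mac)
        if cisco not in allowed:          # a repeated entry adds nothing
            allowed.append(cisco)
    lines = [f"mac access-list extended {name}"]
    lines += [f" permit host {mac} any" for mac in allowed]
    if explicit_deny:
        # Same result as the implicit deny at the end of every ACL, but the
        # entry and its hit counter are visible in 'show access-lists'.
        lines.append(" deny any any")
    return lines


def apply_inbound(name, first, last, prefix="FastEthernet0/"):
    """Apply the ACL inbound on a contiguous range of Layer 2 access ports."""
    return [f"interface range {prefix}{first} - {last}",
            f" mac access-group {name} in"]


def acl_decision(acl_lines, src_mac):
    """First-match evaluation of a generated ACL for one source MAC,
    falling through to the implicit deny when no entry matches."""
    src = to_cisco_mac(src_mac)
    for line in acl_lines[1:]:            # skip the 'mac access-list' header
        action, *rest = line.split()
        if rest[:1] == ["any"] or (rest[:1] == ["host"] and rest[1] == src):
            return action
    return "deny"                         # implicit deny at the end of every IOS ACL


def render_config(name, station_macs, gateway_mac, first, last):
    """Complete snippet ready to paste into 'configure terminal'."""
    return "\n".join(build_mac_acl(name, station_macs, gateway_mac)
                     + ["!"] + apply_inbound(name, first, last) + ["!"])


if __name__ == "__main__":
    print(render_config("VLAN70_HOSTS", STATION_MACS, GATEWAY_MAC, 2, 11))
    print(acl_decision(build_mac_acl("VLAN70_HOSTS", STATION_MACS, GATEWAY_MAC),
                       "aaaa.bbbb.cccc"))   # an unlisted station is denied
```

Because the ACL is a per-port inbound filter that names stations rather than ports, a listed host can move from fa0/2 to fa0/9 without any reconfiguration, which is exactly what per-port port-security cannot offer. Before relying on it, check in the linked 2960 configuration guide which traffic types a MAC ACL on that platform actually filters (the guide describes named MAC extended ACLs as filtering non-IPv4 traffic on Layer 2 interfaces), and test from an unlisted host that it really is cut off.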
