03-09-2022 03:06 AM
I'm in the process of configuring a Cisco 3560 switch with a VoIP VLAN only, and I want to specify a range of MAC addresses to allow access.
03-09-2022 03:32 AM
No need.
If CUCM does not have the correct MAC address of the phones, the phones will not work.
03-09-2022 04:24 AM - edited 03-09-2022 04:25 AM
We do not use Cisco telephone devices but 3rd-party devices.
03-09-2022 01:08 PM
Sure you can:
This shows how to enable sticky port security on a port, to manually configure MAC addresses for the data VLAN and the voice VLAN, and to set the total maximum number of secure addresses to 20 (10 for the data VLAN and 10 for the voice VLAN).
Switch(config)# interface gigabitethernet0/1
Switch(config-if)# switchport access vlan 21
Switch(config-if)# switchport mode access
Switch(config-if)# switchport voice vlan 22
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 20
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
! data VLAN addresses
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0002
Switch(config-if)# switchport port-security mac-address 0000.0000.0003
! voice VLAN addresses
Switch(config-if)# switchport port-security mac-address sticky 0000.0000.0001 vlan voice
Switch(config-if)# switchport port-security mac-address 0000.0000.0004 vlan voice
Switch(config-if)# switchport port-security maximum 10 vlan access
Switch(config-if)# switchport port-security maximum 10 vlan voice
HTH
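Added example (Python, not code from this thread or from Cisco): an offline audit that parses a constructed running-config excerpt and reports voice-VLAN ports where port-security is missing, the violation mode is left unset, or the per-VLAN maximums add up to more than the port maximum (following the 10 + 10 = 20 split above; treating a larger sum as inconsistent is this example's assumption). The interface names and config text are constructed sample input.

```python
import re
# Constructed 'show running-config' excerpt used as sample input (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport voice vlan 22
 switchport port-security
 switchport port-security maximum 20
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 switchport port-security maximum 10 vlan access
 switchport port-security maximum 10 vlan voice
interface GigabitEthernet0/2
 switchport voice vlan 22
interface GigabitEthernet0/3
 switchport voice vlan 22
 switchport port-security
 switchport port-security maximum 5
 switchport port-security maximum 4 vlan access
 switchport port-security maximum 4 vlan voice
"""
MAX_RE = re.compile(r"switchport port-security maximum (\d+)(?: vlan (access|voice))?$")

def parse_interfaces(config):
    # Group each interface stanza's commands: {"GigabitEthernet0/1": [...], ...}
    interfaces, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = interfaces.setdefault(line.split(None, 1)[1], [])
        elif current is not None and line and line != "!":
            current.append(line)
    return interfaces

def audit_voice_ports(config):
    # Report, per voice-VLAN port, why its port-security would not protect the VoIP VLAN
    findings = {}
    for name, cmds in parse_interfaces(config).items():
        if not any(c.startswith("switchport voice vlan") for c in cmds):
            continue  # only ports carrying the VoIP VLAN are in scope
        issues = []
        if "switchport port-security" not in cmds:
            issues.append("port-security not enabled")
        if not any(c.startswith("switchport port-security violation") for c in cmds):
            issues.append("violation mode not set (default is shutdown)")
        matches = [m for m in map(MAX_RE.match, cmds) if m]
        # IOS default port maximum is 1 secure address; the last plain 'maximum' wins
        total = next((int(m[1]) for m in reversed(matches) if not m[2]), 1)
        per_vlan = sum(int(m[1]) for m in matches if m[2])
        if per_vlan > total:
            issues.append(f"per-VLAN maximums ({per_vlan}) exceed port maximum ({total})")
        findings[name] = issues
    return findings
```

Run it against a real `show running-config` dump to get a list of voice ports that still need the sticky/violation settings from the example above.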
03-09-2022 01:29 PM - edited 03-09-2022 01:31 PM
Wow. That is a massively insane, management-intensive process and does not scale.
Imagine when the phones move around and ports change.
Better off putting those MAC addresses in the DHCP server.
03-09-2022 01:41 PM
As mentioned, this switch uses VoIP only; use int range commands to add all trusted MACs to the access ports. In DHCP you will add them manually too. In fact, you secure all ports from untrusted MAC addresses. HTH
03-09-2022 02:09 PM
@Mero1 wrote:
In DHCP you will add them manually too.
Agree, however, with DHCP reservation, the MAC addresses can move around different switch ports and different switches.
This particular method ties the MAC address to a specific port and only to one switch. Works very well in a micro or small network.
03-10-2022 08:26 AM
As mentioned, the switch should have only the VoIP VLAN, and I want to secure the ports so that if a laptop is plugged into a port it is blocked and not able to ping the VoIP VLAN or the VoIP server at all.
03-10-2022 01:41 PM
@savvas.ap wrote:
As mentioned, the switch should have only the VoIP VLAN, and I want to secure the ports so that if a laptop is plugged into a port it is blocked and not able to ping the VoIP VLAN or the VoIP server at all.
You can micro-manage this by putting the laptop into a "restricted" VLAN that is not trunked.
Once the laptop plugs in, it will not get an IP address.
If you want the laptop to get an IP address and not be able to "ping" the voice VLAN, then put an ACL in place.
If you do not want to put in an ACL, then configure the phone so that the port for connecting a PC is disabled, or get a VoIP phone without a PC port.
Like I said, you can micro-manage this to the nth degree. It is just a question of how much work you want to do.
03-10-2022 10:38 PM
I appreciate your solution, but I do not want to spend a lot of time, because the switch will be sitting in an external office and needs to have only telephone devices. That's why I want to minimize the risk: if someone plugs in a laptop, it should be restricted, even if he/she adds a static IP that a telephone device has.
03-10-2022 11:13 PM
Laptops nowadays can spoof MAC addresses just as easy.
03-10-2022 11:27 PM
What if I use MAC extended ACLs?