09-12-2011 10:27 PM - edited 03-07-2019 02:11 AM
Hi Friends,
In my organisation some people change their own MAC address to a known MAC address which is permitted through port security, and use restricted network resources. How can I prevent this type of unauthorized access on a Cisco Catalyst 2960 switch?
Is there any way to bind IP and MAC? Both parameters should be checked for access.
Kindly Help
09-12-2011 10:38 PM
Use Active Directory to lock out what each user can and cannot do.
09-12-2011 10:58 PM
Hi,
Can you try configuring MAC access lists?
Sample config:
============
mac access-list extended MAC_ACL_MATCH_BADHOSTS
 permit host
 permit any host
vlan access-map VLAN_ACCESSMAP_BLOCK_BADHOSTS 10
 action drop
 match mac address MAC_ACL_MATCH_BADHOSTS
vlan access-map VLAN_ACCESSMAP_BLOCK_BADHOSTS 20
 action forward
vlan filter VLAN_ACCESSMAP_BLOCK_BADHOSTS vlan-list 4
Hope this helps
Cheers
Somu
Rate helpful posts
09-12-2011 11:37 PM
Hi everyone,
As the 2960 Catalysts support DHCP Snooping, IP Source Guard and Dynamic ARP Inspection in recent IOSes, I would personally vouch for DHCP Snooping + IP Source Guard.
Best regards,
Peter
09-13-2011 01:08 AM
Hi Peter,
I tried IP Source Guard, but my switch is not supporting ip verify source or ip verify source port-security command. I am using 12.2(37)SE1 image on 2960G platform.
09-13-2011 01:21 AM
Hello,
The DHCP Snooping and IPSG should be supported since 12.2(52)SE. Are you able to upgrade to this or more recent IOS version?
Best regards,
Peter
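The DHCP Snooping + IP Source Guard approach discussed in the posts above, written out as an added example (not taken from any post in this thread). It assumes an IOS release that supports these features, VLAN 4 as in the VACL sample, Gi0/1-2 as access ports and Gi0/24 as the uplink towards the DHCP server; the MAC and IP values are constructed placeholders.

```cisco
! Added example. Interface numbers, VLAN role, MAC and IP are assumptions.

! 1. Build the IP/MAC/port binding table from observed DHCP traffic
ip dhcp snooping
ip dhcp snooping vlan 4
!
! 2. Validate ARP packets against the same bindings (Dynamic ARP Inspection)
ip arp inspection vlan 4
!
! Uplink towards the DHCP server: trusted for DHCP replies and ARP
interface GigabitEthernet0/24
 ip dhcp snooping trust
 ip arp inspection trust
!
! Access ports: port security limits the MAC count, and IP Source Guard
! drops frames whose source IP and MAC do not match a binding on that port
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 4
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 ip verify source port-security
!
! Host on Gi0/2 with a fixed address (no DHCP lease): add a manual binding
ip source binding 0000.5e00.5301 vlan 4 192.0.2.10 interface GigabitEthernet0/2
!
! Checks to run after a client has obtained a lease:
!   show ip dhcp snooping binding
!   show ip verify source
!   show ip source binding
```

With this in place, a host that copies a permitted MAC address onto a different port has no matching binding there, so its traffic is dropped. Cisco's configuration guide notes that the combined IP and MAC filter (`ip verify source port-security`) needs a DHCP server that supports option 82.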
01-05-2014 08:38 PM
Dear Peter Paluch,
We are using Cisco 2960G switches in my organisation with IOS version
"Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)".
As this IOS does not support the IP Source Guard feature, please tell me how I can download version 12.2(52)SE or any latest IOS that can be upgraded and is compatible with our 2960G switches.
Thanks in advance.
01-06-2014 02:35 AM
As said by Peter, you need to be on 12.2(52)SE and yours is 12.2(44)SE6 so an IOS upgrade is needed on each switch you want to use these features on.
In order to get later IOS' you need a Cisco smartnet contract which costs money.
Technically you are supposed to have each switch covered to do an upgrade on each but in the real world you only need one covered to get the IOS. Bear in mind, if you only get one switch covered to get the IOS and then proceed to upgrade all of them, Cisco will only support the one under contract (outside of the standard year warranty you get anyway)