05-15-2013 04:39 AM - edited 03-07-2019 01:21 PM
Requirement
We want to permit certain MAC addresses on the Cat 4506 switch, wherein only those MAC addresses will get access to the network.
Configuration Planned
For testing purposes we have created a MAC access list on the Cat 4506 and denied the laptop MAC address in this access list. The MAC access group is applied to the port where the laptop is connected to the Cat 4506. Even after applying the MAC access group on the port, the laptop is able to ping the VLAN IP of the Cat 4506.
conf t
mac access-list extended test
deny host 0021.9bde.e5b4 any (laptop MAC, with IP address 192.168.10.2/24)
exit
interface gi2/1
switchport mode access
switchport access vlan 10
mac access-group test in
interface vlan10
ip address 192.168.10.2 255.255.255.0
no shut
The laptop with IP address 192.168.10.2/24 connected to port 2/1 is able to ping 192.168.10.1 even after applying the mac access-group.
Note: we have tested the same configuration on a Cat 3560 and it is working fine. We apply the mac access-group command on the interface and clear the ARP cache, and we are not able to ping the VLAN interface IP. The moment we remove the mac access-group, the ping starts again.
Kindly suggest if anything is missing in the Cat 4506 config (Sup6L-E and release 15.1).
Regards
Sameer
05-15-2013 05:53 AM
Hello,
Have you studied the port-security feature? Study this link:
The nicest feature is that you can set the maximum number of MACs and use the sticky option to autoconfigure the MACs (you do not need to type them one by one).
Let me know if you find this feature helpful.
Regards.
05-15-2013 08:55 AM
Hi
Let me put the requirement with more details.
On the access switch Cat 4510, we want to restrict laptops/desktops to only one vendor, like HP. Other laptops from vendors like Dell/IBM should not get access to the network. As we can have more than 400 user ports on the switch, we were trying to explore the option of matching MAC addresses of the vendor's laptops for this restriction.
On the laptop/desktop MAC address, 24 bits belong to the vendor and the remaining 24 are unique to the device. If we can match a series of desktops on the first 24 bits and match it in a MAC access list for permit, it will be easier to achieve, so we wanted to work on the option of matching a MAC access group on the access port.
Is it possible with the port security options? Probably this will need matching individual MAC addresses per port.
Please suggest.
05-15-2013 10:01 AM
Hello,
Port security lets you associate MACs to ports. Only frames with a source MAC address in the list are allowed. You need a more advanced feature, but I have bad experiences with filtering based on MACs. It only works with non-IP traffic.
I do not know any Cisco feature that can do what you want. The only way I think is using some advanced DHCP server where you can configure some feature to allow the vendor OUIs that you want. Using different pools in the DHCP server lets you then apply an L3 access-list to control where they can access.
Regards.
05-15-2013 11:11 PM
Hi Team
I have done the following setup in the lab, wherein I tried with 2 laptops, one Dell and the other HP. The aim is to deny access to the HP laptop while access for the Dell laptop will be allowed. Both laptops are connected to ports 2/1 & 2/3 and are part of VLAN 10 with IP address 192.168.10.1, while the Dell laptop IP is 192.168.10.2 & the HP laptop IP is 192.168.10.3. I have tried the following 2 configurations:
1 = MAC access list directly applied to port 2/1, wherein only the HP MAC address is allowed and the Dell laptop is connected. Still the Dell laptop is able to ping the interface VLAN 10 IP.
mac access-list extended test
permit 0018.fe00.0000 0000.00ff.ffff any ==HP MAC address range allowed
deny any any
interface GigabitEthernet2/1 ==Dell laptop connected here
switchport access vlan 10
switchport mode access
mac access-group test in
2 = In this case the following configuration is tried with the Dell laptop connected on 2/1 while the HP laptop is connected to 2/3:
mac access-list extended test
permit host 0018.fe61.d1a2 any ==HP laptop MAC
!
vlan access-map test 10
match mac address test
action drop ===access denied here for HP
vlan access-map test 20
action forward
!
vlan filter test vlan-list 1-4094 ===applied to all VLANs
interface GigabitEthernet2/1 ===Dell laptop
switchport access vlan 10
switchport mode access
interface GigabitEthernet2/3 ===HP laptop
switchport access vlan 10
switchport mode access
Both configurations are not working... kindly suggest if there is any configuration mistake or if this configuration won't achieve the aim.
Regards
Sameer
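To check what the MAC ACLs in this thread would actually match before blaming the platform, here is an added Python model of Cisco MAC ACL matching (wildcard-mask semantics for the source and destination fields, the host/any shorthands, first-match evaluation and the implicit deny at the end of every MAC ACL). It is not code from the thread or from Cisco; it only models the ACL matching logic, not whether the Catalyst 4500 applies a port MAC ACL to IP frames, which is the separate point raised in the replies. The sample MACs are the ones posted above (the HP laptop 0018.fe61.d1a2 and the laptop 0021.9bde.e5b4 from the first post, used here as the non-HP address); the ACL lines are copied from the second and fourth posts. Note that the first post's ACL contains only a deny entry, so with the implicit deny it permits nothing at all, regardless of which host is plugged in.

```python
import re

MAC_BITS = 48
MAC_MASK = (1 << MAC_BITS) - 1


def mac_to_int(mac: str) -> int:
    """Parse Cisco dotted-hex (0018.fe61.d1a2), colon or dash notation into a 48-bit int."""
    digits = re.sub(r"[.:-]", "", mac.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"bad MAC address: {mac!r}")
    return int(digits, 16)


def oui(mac: str) -> str:
    """Return the vendor part (upper 24 bits) as six hex digits, e.g. '0018fe'."""
    return f"{mac_to_int(mac) >> 24:06x}"


def parse_ace(line: str):
    """Parse one 'permit|deny <src> <dst>' MAC ACL entry.

    Each address field is 'any', 'host <mac>' or '<mac> <wildcard>'.
    Returns (action, (src_value, src_wildcard), (dst_value, dst_wildcard)).
    """
    tokens = line.split()
    action, rest = tokens[0], tokens[1:]
    if action not in ("permit", "deny"):
        raise ValueError(f"bad action in ACE: {line!r}")

    def take_address():
        nonlocal rest
        if rest[0] == "any":            # any = value 0, wildcard all ones
            rest = rest[1:]
            return (0, MAC_MASK)
        if rest[0] == "host":           # host = exact match, wildcard 0
            value = mac_to_int(rest[1])
            rest = rest[2:]
            return (value, 0)
        value, wildcard = mac_to_int(rest[0]), mac_to_int(rest[1])
        rest = rest[2:]
        return (value, wildcard)

    src = take_address()
    dst = take_address()
    return action, src, dst


def matches(addr: int, value: int, wildcard: int) -> bool:
    """Wildcard-mask compare: a 1 bit in the wildcard means 'don't care'."""
    return ((addr ^ value) & ~wildcard & MAC_MASK) == 0


def evaluate(acl_lines, src_mac: str, dst_mac: str) -> str:
    """First matching entry wins; an unmatched frame hits the implicit deny."""
    src, dst = mac_to_int(src_mac), mac_to_int(dst_mac)
    for line in acl_lines:
        action, (sv, sw), (dv, dw) = parse_ace(line)
        if matches(src, sv, sw) and matches(dst, dv, dw):
            return action
    return "deny"


# ACL from the fourth post: permit the HP OUI range, deny everything else.
VENDOR_ACL = [
    "permit 0018.fe00.0000 0000.00ff.ffff any",
    "deny any any",
]
# ACL from the first post: a single deny entry and nothing else.
DENY_ONLY_ACL = ["deny host 0021.9bde.e5b4 any"]

HP_LAPTOP = "0018.fe61.d1a2"      # HP laptop MAC posted in the thread
OTHER_LAPTOP = "0021.9bde.e5b4"   # laptop MAC from the first post (non-HP OUI)
BROADCAST = "ffff.ffff.ffff"      # constructed destination, e.g. an ARP request

if __name__ == "__main__":
    for mac in (HP_LAPTOP, OTHER_LAPTOP):
        print(f"{mac} OUI={oui(mac)} vendor-ACL={evaluate(VENDOR_ACL, mac, BROADCAST)} "
              f"deny-only-ACL={evaluate(DENY_ONLY_ACL, mac, BROADCAST)}")
```

Run it to see that the wildcard entry 0018.fe00.0000 0000.00ff.ffff does exactly what the fourth post intends on paper: the HP address is permitted and the other laptop falls through to deny any any. The deny-only ACL from the first post denies both hosts, because an ACL with no permit entry is equivalent to denying all traffic it is applied to. If the lab still shows the Dell laptop pinging the SVI with the vendor ACL applied, the matching logic is not the problem; what remains is whether the platform subjects IP frames to a port MAC ACL at all, which is the behaviour the reply above describes.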