Restricting Mac Addresses on 4500 Switch

sameermunj (Level 1)

Requirement

We want to permit certain MAC addresses on the Cat 4506 switch so that only those MAC addresses get access to the network.

Configuration Planned

For testing purposes we have created a MAC access list on the Cat 4506 and denied the laptop's MAC address in this access list. The MAC access group is applied to the port where the laptop is connected to the Cat 4506. Even after applying the MAC access group on the port, the laptop is able to ping the VLAN IP of the Cat 4506.

conf t
mac access-list extended test
 deny host 0021.9bde.e5b4 any   ! laptop MAC, IP address 192.168.10.2/24
 exit
interface gi2/1
 switchport mode access
 switchport access vlan 10
 mac access-group test in
interface vlan10
 ip address 192.168.10.1 255.255.255.0
 no shut

The laptop with IP address 192.168.10.2/24 connected to port 2/1 is able to ping 192.168.10.1 even after applying the mac access-group.

Note: we have tested the same configuration on a Cat 3560 and it is working fine. We apply the mac access-group command on the interface, clear the ARP cache, and we are not able to ping the VLAN interface IP. The moment we remove the mac access-group, the ping starts again.

Kindly suggest if anything is missing in the Cat 4506 config (Sup6L-E and release 15.1).

Regards

Sameer

4 Replies

antonio.guirado (Level 3)

Hello,

Have you studied the port-security feature? See this link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/31sga/configuration/guide/port_sec.html#wp1077713

The nicest feature is that you can set the maximum number of MACs and use the sticky option to auto-configure the MACs (you do not need to type them one by one).

Let me know if you find this feature helpful.

Regards.

Hi

Let me put the requirement in more detail.

On the access switch (Cat 4510) we want to restrict laptops/desktops to only one vendor, like HP. Laptops from other vendors like Dell/IBM should not get access to the network. As we can have more than 400 user ports on the switch, we were trying to explore the option of matching MAC addresses of the vendor's laptops for this restriction.

In a laptop/desktop MAC address the first 24 bits belong to the vendor and the remaining 24 are unique to the device. If we can match a series of desktops on the first 24 bits and permit them in a MAC access list, it will be easier to achieve, so we wanted to work on the option of matching a MAC access group on the access port.

Is it possible with the port-security options? Probably this will need matching individual MAC addresses per port.

please suggest,.

Hello,

Port security lets you associate MACs to ports. Only frames with a source MAC address in the list are allowed. You need
a more advanced feature, but I have had bad experiences with filtering based on MACs. It only works with non-IP traffic.

I do not know of any Cisco feature that can do what you want. The only way I can think of is using some advanced DHCP server
where you can configure a feature to allow the vendor OUIs that you want. Using different pools in the DHCP server
then lets you apply an L3 access list to control what can be accessed.

Regards.

Hi Team

I have done the following setup in the lab, tried with 2 laptops, one Dell and the other HP. The aim is to deny access to the HP laptop while access for the Dell laptop will be allowed. Both laptops are connected to ports 2/1 and 2/3 and are part of VLAN 10, which has IP address 192.168.10.1, while the Dell laptop's IP is 192.168.10.2 and the HP laptop's IP is 192.168.10.3. I have tried the following 2 configurations.

1. MAC access list directly applied to port 2/1, where only the HP MAC address is allowed and the Dell laptop is connected. Still, the Dell laptop is able to ping the interface VLAN 10 IP.

mac access-list extended test
 permit 0018.fe00.0000 0000.00ff.ffff any   ! HP MAC address range allowed
 deny any any
!
interface GigabitEthernet2/1   ! Dell laptop connected here
 switchport access vlan 10
 switchport mode access
 mac access-group test in

2. In this case the following configuration is tried with the Dell laptop connected on 2/1 while the HP laptop is connected to 2/3.

mac access-list extended test
 permit host 0018.fe61.d1a2 any   ! HP laptop MAC
!
vlan access-map test 10
 match mac address test
 action drop   ! access denied here for HP
vlan access-map test 20
 action forward
!
vlan filter test vlan-list 1-4094   ! applied to all VLANs
!
interface GigabitEthernet2/1   ! Dell laptop
 switchport access vlan 10
 switchport mode access
interface GigabitEthernet2/3   ! HP laptop
 switchport access vlan 10
 switchport mode access

Both configurations are not working. Kindly suggest if there is any configuration mistake or whether this configuration won't achieve the aim.

Regards

Sameer
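The two MAC ACLs in this thread (the single "deny host ... any" entry in the first post and the OUI-prefix "permit 0018.fe00.0000 0000.00ff.ffff any" / "deny any any" pair in the lab test) can be checked on paper before blaming the switch. The script below is an added example, not code from the thread or from Cisco: it models the parts of Cisco "mac access-list extended" semantics that matter here, namely that the second address in an entry is a wildcard mask in which a 1 bit means "don't care", that the first matching entry wins, and that every ACL ends in an implicit "deny any any". The two sample ACLs and the two laptop MACs are taken from the posts above; the function and class names are the example's own. Whether the platform actually applies a MAC ACL to IP frames is a separate question that this evaluator cannot answer (a reply above notes that MAC filtering on some platforms only acts on non-IP traffic).

```python
# Added example: offline evaluator for Cisco-style "mac access-list extended"
# entries. Not from the forum thread or from Cisco; names are the example's own.

from dataclasses import dataclass

MAC_BITS = 0xFFFFFFFFFFFF  # a MAC address is 48 bits


def parse_mac(text: str) -> int:
    """Accept xxxx.xxxx.xxxx, xx:xx:xx:xx:xx:xx or xx-xx-xx-xx-xx-xx; return a 48-bit int."""
    digits = text.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {text!r}")
    return int(digits, 16)


def format_mac(value: int) -> str:
    """Render a 48-bit int in Cisco dotted-hex notation (xxxx.xxxx.xxxx)."""
    h = f"{value & MAC_BITS:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


@dataclass(frozen=True)
class MacAce:
    action: str     # "permit" or "deny"
    src: int
    src_wild: int   # wildcard mask: a 1 bit means "don't care", as in IP ACLs
    dst: int
    dst_wild: int


def _parse_endpoint(tokens, pos):
    """Parse 'any', 'host <mac>' or '<mac> <wildcard>' starting at tokens[pos]."""
    tok = tokens[pos]
    if tok == "any":
        return 0, MAC_BITS, pos + 1
    if tok == "host":
        return parse_mac(tokens[pos + 1]), 0, pos + 2
    return parse_mac(tok), parse_mac(tokens[pos + 1]), pos + 2


def parse_ace(line: str) -> MacAce:
    """Parse one 'permit|deny <src> <dst>' entry; trailing keywords are ignored."""
    tokens = line.split()
    action = tokens[0].lower()
    if action not in ("permit", "deny"):
        raise ValueError(f"unexpected action in {line!r}")
    src, src_wild, pos = _parse_endpoint(tokens, 1)
    dst, dst_wild, _ = _parse_endpoint(tokens, pos)
    return MacAce(action, src, src_wild, dst, dst_wild)


def parse_acl(text: str):
    """Parse the body of a 'mac access-list extended' block; '!' starts a comment."""
    lines = (l.strip() for l in text.splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def _match(value: int, pattern: int, wild: int) -> bool:
    care = MAC_BITS ^ wild  # bits that must match exactly
    return (value & care) == (pattern & care)


def evaluate(acl, src_mac: str, dst_mac: str = "ffff.ffff.ffff") -> str:
    """First matching entry wins; an ACL with no match falls into the implicit deny."""
    src, dst = parse_mac(src_mac), parse_mac(dst_mac)
    for ace in acl:
        if _match(src, ace.src, ace.src_wild) and _match(dst, ace.dst, ace.dst_wild):
            return ace.action
    return "deny"  # implicit 'deny any any' at the end of every Cisco ACL


def oui_permit_ace(oui: str) -> str:
    """Build the entry that permits every source MAC sharing a 24-bit vendor prefix."""
    digits = oui.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 6:
        raise ValueError(f"OUI must be 24 bits: {oui!r}")
    return f"permit {format_mac(int(digits, 16) << 24)} 0000.00ff.ffff any"


# Constructed from the thread: the first post's ACL has a single deny entry, so
# under the implicit deny every other source MAC is dropped as well.
ACL_FIRST_POST = parse_acl("""
deny host 0021.9bde.e5b4 any
""")

# Constructed from the lab test: permit one vendor prefix, deny everything else.
ACL_OUI_TEST = parse_acl("""
permit 0018.fe00.0000 0000.00ff.ffff any   ! vendor prefix the thread treats as HP
deny any any
""")

if __name__ == "__main__":
    for mac in ("0021.9bde.e5b4", "0018.fe61.d1a2"):
        print(mac, "first-post ACL:", evaluate(ACL_FIRST_POST, mac),
              "| OUI ACL:", evaluate(ACL_OUI_TEST, mac))
    print(oui_permit_ace("00:18:fe"))
```

On paper the OUI ACL does what the lab test intended: 0018.fe61.d1a2 is permitted and 0021.9bde.e5b4 is denied. The first post's ACL denies the laptop, but because it has no permit entry the implicit deny drops every other source too, which is worth keeping in mind when the same ACL is later reused with "permit" entries. To build the per-vendor entry for a second OUI, pass it to oui_permit_ace and paste the returned line into the access list.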
