Cisco Port Security – List of Allowed MAC Addresses

ciscomac addressport-securityswitch

Want to be sure I'm approaching this correctly.

I want to have a list of allowed MACs that can access any switch company wide (these devices can plug into any switch and be allowed access).

To do this I would have a list of the MAC addresses and then programmatically apply this list to each switch's switch ports I have enabled for port security.

Is there a different or more efficient way of going about this?

Best Answer

Go for IEEE 802.1x Port-Based Authentication. Port security was not really designed for that.

HTH Adam

Related Solutions

Cisco – Centralized MAC address database for Cisco switches

I'm pretty sure you're thinking of 802.1x. You can use that to permit hosts based on MAC addresses.

This isn't the most secure way to authenticate hosts since spoofing a MAC address is fairly trivial and can be achieved with a single command, in most cases.

Cisco Catalyst 2960-X – Adding ACL Rule for L2TP Packet Filtering

There seems to be some confusion about this topic for you. Let's begin by clearing up a few details.

I am familiar with the mac access-list command but every manual I had seen explicitly says that ACLs filter only non-IP protocols.

If you think about this a bit, it makes sense. An IP packet doesn't contain a MAC addresses, so this would be difficult. However, IP traffic is encapsulated in a L2 protocol, typically Ethernet which does utilize MAC addresses.

You cannot apply named MAC extended ACLs to Layer 3 interfaces.

Again, this is natural. Since MAC ACLs function on L2, they wouldn't really need/want them on a L3 interface anyway.

However, by default interfaces on a 2960-X are layer 2 interfaces, so you can apply a MAC access-list to them.

So, this series of commands should provide the result you want (using the first SFP port on a WS-C2960X-48FPS-L so adjust as necessary):

! Create the ACL
mac access-list extended TestACL
deny host 8877.6655.4433 any
permit any any

! Now apply to the interface
interface Gi1/0/49
mac access-group TestACL in

Edit based on comments: if you want to rule out the source port being incorrect, you can use the following with the above ACL to block all traffic from that MAC going out the second SFP port:

! Now apply to the interface
interface Gi1/0/50
mac access-group TestACL out

If that doesn't work, then the MAC address has to be incorrect and you need to provide more information.

The ACL will work no matter if the MAC address table is updated dynamically or if you add a static entry. However, if the dynamic entry for this MAC is flapping between different ports, that could explain why the ACL didn't work as intended. Additionally, without additional features configured, the static entry will not have an effect on traffic arriving on a port, only on the destination port used for the traffic.

And finally, the packet being highlighted in red by Wireshark doesn't tell me much. Different versions of Wireshark have used different coloring rules, the default rules typically include a number of matches that get colored red, and many of us use our own custom rules. You would need to provide more detail or the actual capture for us to know what exactly that means.

Best Answer

Related Solutions

Cisco – Centralized MAC address database for Cisco switches

Cisco Catalyst 2960-X – Adding ACL Rule for L2TP Packet Filtering

Related Topic