Velocity Reviews > Newsgroups > Computing > Cisco > Re: Question - Protected ports on 2950 switch

Re: Question - Protected ports on 2950 switch

 
 
Terry Baranski
07-08-2003
On Sun, 06 Jul 2003 17:59:09 GMT, (E-Mail Removed) (Norman
Arsenault) wrote:

>I have a Cisco 2950 48-port switch that I am setting up to use protected ports.
>I have a mobile PC that I want to give exclusive rights to 2 different ports. I
>set up the security on one port and add the MAC address to it. Works fine. When
>I went to set up the second port, everything was fine until I went to add the
>MAC address of the same PC. The IOS would not allow me to add the MAC address
>to more than one port. The documentation supports this by saying a security
>violation has occurred if a protected MAC address is seen on a different port.
>
>Is there a way around this? I want this mobile PC, and only this PC, to have
>access to the network from 2 different jacks (depending where the user requires
>it). I need to ensure that no other PC will have access through these ports.


I think you're out of luck, as adding a static secure MAC address
entry to a port creates a static CAM table entry mapping the MAC
address to the port (do a 'show mac-address-table' to see). With this
in mind, adding the same secure MAC address to two ports would result
in multiple entries in the CAM table for that address, which
essentially goes against the concept of switching/bridging.

Your only hope here may be either VMPS or 802.1x.
 

Matthew Higginbotham
07-08-2003
Use the MAC ACL option incorporated in 2950 and 3550 switches. This
moves away from the old violation standard and blocks the traffic just
like an ACL.

To apply the filter perform the following:

mac access-list extended allow-MAC
permit host xxxx.xxxx.xxxx any

int fa0/1
mac access-group allow-MAC in
int fa0/2
mac access-group allow-MAC in

This will only allow the above MAC to access the ports where the ACL
is applied.

Please Note:

The 2950 is limited in how many MAC addresses you can allow; if you
require a large number of MAC addresses in your ACL, purchase a 3550.
The 3550 has a TCAM option that permits up to 12,000 MAC entries.

HTH,
Matt

Terry Baranski <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
> On Sun, 06 Jul 2003 17:59:09 GMT, (E-Mail Removed) (Norman
> Arsenault) wrote:
>
> >I have a Cisco 2950 48-port switch that I am setting up to use protected ports.
> >I have a mobile PC that I want to give exclusive rights to 2 different ports. I
> >set up the security on one port and add the MAC address to it. Works fine. When
> >I went to set up the second port, everything was fine until I went to add the
> >MAC address of the same PC. The IOS would not allow me to add the MAC address
> >to more than one port. The documentation supports this by saying a security
> >violation has occurred if a protected MAC address is seen on a different port.
> >
> >Is there a way around this? I want this mobile PC, and only this PC, to have
> >access to the network from 2 different jacks (depending where the user requires
> >it). I need to ensure that no other PC will have access through these ports.

>
> I think you're out of luck, as adding a static secure MAC address
> entry to a port creates a static CAM table entry mapping the MAC
> address to the port (do a 'show mac-address-table' to see). With this
> in mind, adding the same secure MAC address to two ports would result
> in multiple entries in the CAM table for that address, which
> essentially goes against the concept of switching/bridging.
>
> Your only hope here may be either VMPS or 802.1x.

 

Terry Baranski
07-09-2003
On 7 Jul 2003 23:01:32 -0700, (E-Mail Removed) (Matthew Higginbotham)
wrote:

>Use the MAC ACL option incorporated in 2950 and 3550 switches. This
>moves away from the old violation standard and blocks the traffic just
>like an ACL.


Do MAC access lists block IP traffic now? Up until very recently, MAC
access lists were for non-IP traffic only. I haven't checked in the
last couple months to see if this is still the case.

>To apply the filter perform the following:
>
>mac access-list extended allow-MAC
>permit host xxxx.xxxx.xxxx any
>
>int fa0/1
>mac access-group allow-MAC in
>int fa0/2
>mac access-group allow-MAC in
>
>This will only allow the above MAC to access the ports where the ACL
>is applied.
>
>Please Note:
>
>The 2950 is limited in how many MAC addresses you can allow; if you
>require a large number of MAC addresses in your ACL, purchase a 3550.
>The 3550 has a TCAM option that permits up to 12,000 MAC entries.
>
>HTH,
>Matt
>
>Terry Baranski <(E-Mail Removed)> wrote in message news:<(E-Mail Removed)>...
>> On Sun, 06 Jul 2003 17:59:09 GMT, (E-Mail Removed) (Norman
>> Arsenault) wrote:
>>
>> >I have a Cisco 2950 48-port switch that I am setting up to use protected ports.
>> >I have a mobile PC that I want to give exclusive rights to 2 different ports. I
>> >set up the security on one port and add the MAC address to it. Works fine. When
>> >I went to set up the second port, everything was fine until I went to add the
>> >MAC address of the same PC. The IOS would not allow me to add the MAC address
>> >to more than one port. The documentation supports this by saying a security
>> >violation has occurred if a protected MAC address is seen on a different port.
>> >
>> >Is there a way around this? I want this mobile PC, and only this PC, to have
>> >access to the network from 2 different jacks (depending where the user requires
>> >it). I need to ensure that no other PC will have access through these ports.

>>
>> I think you're out of luck, as adding a static secure MAC address
>> entry to a port creates a static CAM table entry mapping the MAC
>> address to the port (do a 'show mac-address-table' to see). With this
>> in mind, adding the same secure MAC address to two ports would result
>> in multiple entries in the CAM table for that address, which
>> essentially goes against the concept of switching/bridging.
>>
>> Your only hope here may be either VMPS or 802.1x.
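
A small Python model of the two mechanisms this thread compares, added here as an example; it is not code or configuration from any of the posters or from Cisco. It encodes Terry's CAM-table explanation (one static binding per secure MAC, so the same MAC cannot be secured on two ports), Matt's MAC ACL (permit host, implicit deny, applied inbound on both ports) and Terry's follow-up caveat about MAC ACLs and IP traffic, the last as a switch flag named acls_filter_ip. That flag, the class and function names and the MAC addresses are assumptions constructed for the example, not anything from the thread or from IOS.

```python
"""Model of static port security versus a MAC ACL for the thread's scenario.

Added example, not the posters' configuration or a Cisco tool. Assumptions:
  * a static secure MAC is a CAM binding of one MAC to exactly one port
    (Terry's explanation of why IOS refused the second port);
  * a MAC ACL is an ordered per-port filter with an implicit deny;
  * whether that filter also sees IP frames is a platform property, modelled
    by acls_filter_ip, because Terry's follow-up says MAC ACLs had applied
    to non-IP traffic only; confirm the behaviour for the IOS release in use.
All MAC addresses and frames below are constructed sample data.
"""
from dataclasses import dataclass, field

LAPTOP = "0011.2233.4455"    # constructed: the one PC allowed on both jacks
INTRUDER = "0011.2233.9999"  # constructed: any other host
ETHERTYPE_IP = 0x0800
ETHERTYPE_ARP = 0x0806


class SecurityViolation(Exception):
    """A secure MAC is being bound to, or seen on, a port other than its own."""


@dataclass
class PortSecuritySwitch:
    """Static port security: the secure MAC becomes a static CAM entry (MAC -> port)."""
    cam: dict = field(default_factory=dict)

    def add_static_secure_mac(self, port, mac):
        bound = self.cam.get(mac)
        if bound is not None and bound != port:
            # A bridge keeps one forwarding entry per MAC, so a second binding
            # is refused: this is the error Norman ran into on the second port.
            raise SecurityViolation(f"{mac} is already bound to {bound}")
        self.cam[mac] = port

    def ingress(self, port, src_mac):
        """True if a frame from src_mac is accepted on port, False if it is a violation."""
        if port not in self.cam.values():
            return True                       # port security not configured here
        return self.cam.get(src_mac) == port  # only the bound MAC may use the port


@dataclass
class MacAcl:
    """Named MAC extended ACL: ordered (action, source) entries, implicit deny at the end."""
    name: str
    entries: list = field(default_factory=list)

    def permit_host(self, mac):
        self.entries.append(("permit", mac))  # models 'permit host <mac> any'
        return self

    def evaluate(self, src_mac):
        for action, src in self.entries:
            if src == "any" or src == src_mac:
                return action == "permit"
        return False                          # implicit deny


@dataclass
class MacAclSwitch:
    """Ports with 'mac access-group <name> in' applied."""
    acls_filter_ip: bool                      # False = Terry's caveat (non-IP only)
    bindings: dict = field(default_factory=dict)

    def apply(self, port, acl):
        self.bindings[port] = acl

    def ingress(self, port, src_mac, ethertype):
        acl = self.bindings.get(port)
        if acl is None:
            return True
        if ethertype == ETHERTYPE_IP and not self.acls_filter_ip:
            return True                       # the filter never sees this frame
        return acl.evaluate(src_mac)


def demo():
    """Run both models on the thread's scenario and return the outcomes."""
    out = {}
    ps = PortSecuritySwitch()
    ps.add_static_secure_mac("Fa0/1", LAPTOP)
    try:
        ps.add_static_secure_mac("Fa0/2", LAPTOP)
        out["laptop_secured_on_second_port"] = True
    except SecurityViolation:
        out["laptop_secured_on_second_port"] = False
    out["intruder_on_fa0/1"] = ps.ingress("Fa0/1", INTRUDER)

    acl = MacAcl("allow-MAC").permit_host(LAPTOP)
    sw = MacAclSwitch(acls_filter_ip=False)
    sw.apply("Fa0/1", acl)
    sw.apply("Fa0/2", acl)
    out["laptop_arp_fa0/2"] = sw.ingress("Fa0/2", LAPTOP, ETHERTYPE_ARP)
    out["intruder_arp_fa0/2"] = sw.ingress("Fa0/2", INTRUDER, ETHERTYPE_ARP)
    # The gap Terry asks about: an IP frame from the intruder is not filtered.
    out["intruder_ip_fa0/2"] = sw.ingress("Fa0/2", INTRUDER, ETHERTYPE_IP)
    return out


if __name__ == "__main__":
    for check, accepted in demo().items():
        print(f"{check:32} {'accepted' if accepted else 'blocked'}")
```

Running demo() shows the trade-off the thread circles around: port security refuses the second binding outright, while the MAC ACL accepts the laptop and drops the other host's ARP on both ports, but with acls_filter_ip set to False the other host's IP frames pass, so whether the ACL actually meets Norman's "no other PC" requirement depends on that platform property.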


 