Re: Question - Protected ports on 2950 switch

Discussion in 'Cisco' started by Terry Baranski, Jul 8, 2003.

  1. On Sun, 06 Jul 2003 17:59:09 GMT, (Norman
    Arsenault) wrote:

    >I have a Cisco 2950 48 port switch that I am setting up to use protected ports.
    >I have a mobile PC that I want to give exclusive rights to 2 different ports. I
    >setup the security on one port and add the MAC address to it. Works fine. When
    >I went to setup the second port, everything was fine until I went to add the
    >MAC address of the same PC. The IOS would not allow me to add the MAC address
    >to more than one port. The documentation supports this by saying a security
    >violation has occurred if a protected MAC address is seen on a different port.
    >
    >Is there a way around this? I want this mobile PC, and only this PC, to have
    >access to the network from 2 different jacks (depending where the user requires
    >it). I need to ensure that no other PC will have access through these ports.


    I think you're out of luck, as adding a static secure MAC address
    entry to a port creates a static CAM table entry mapping the MAC
    address to the port (do a 'show mac-address-table' to see). With this
    in mind, adding the same secure MAC address to two ports would result
    in multiple entries in the CAM table for that address, which
    essentially goes against the concept of switching/bridging.

    Your only hope here may be either VMPS or 802.1x.
     
    Terry Baranski, Jul 8, 2003
    #1

  2. Use the MAC ACL option incorporated in 2950 and 3550 switches. This
    moves away from the old violation standard and blocks the traffic just
    like an ACL.

    To apply the filter perform the following:

    mac access-list extended allow-MAC
    permit host xxxx.xxxx.xxxx any

    int fa0/1
    mac access-group allow-MAC in
    int fa0/2
    mac access-group allow-MAC in

    This will only allow the above MAC to access the ports where the ACL
    is applied.

    Please Note:

    The 2950 is limited in how many MAC addresses you can allow. If you
    require a large number of MAC addresses in your ACL, purchase a 3550.
    The 3550 has a TCAM option that permits up to 12,000 MAC entries.

    HTH,
    Matt

    Terry Baranski <> wrote in message news:<>...
    > On Sun, 06 Jul 2003 17:59:09 GMT, (Norman
    > Arsenault) wrote:
    >
    > >I have a Cisco 2950 48 port switch that I am setting up to use protected ports.
    > >I have a mobile PC that I want to give exclusive rights to 2 different ports. I
    > >setup the security on one port and add the MAC address to it. Works fine. When
    > >I went to setup the second port, everything was fine until I went to add the
    > >MAC address of the same PC. The IOS would not allow me to add the MAC address
    > >to more than one port. The documentation supports this by saying a security
    > >violation has occurred if a protected MAC address is seen on a different port.
    > >
    > >Is there a way around this? I want this mobile PC, and only this PC, to have
    > >access to the network from 2 different jacks (depending where the user requires
    > >it). I need to ensure that no other PC will have access through these ports.
    >
    > I think you're out of luck, as adding a static secure MAC address
    > entry to a port creates a static CAM table entry mapping the MAC
    > address to the port (do a 'show mac-address-table' to see). With this
    > in mind, adding the same secure MAC address to two ports would result
    > in multiple entries in the CAM table for that address, which
    > essentially goes against the concept of switching/bridging.
    >
    > Your only hope here may be either VMPS or 802.1x.
     
    Matthew Higginbotham, Jul 8, 2003
    #2
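    An added example of the complete 2950 configuration behind Matt's suggestion (not the original post's configuration): the single-port port-security form the original poster tried, which cannot be repeated for the same address on a second interface, beside the MAC ACL bound inbound on both jacks, followed by the show commands to verify it. Interface names fa0/1 and fa0/2 and the MAC 0000.1111.2222 are placeholders for the mobile PC.

```cisco
! Added example, not the original post's configuration.
! 0000.1111.2222 is a placeholder for the mobile PC's MAC address.
!
! --- What the original poster tried: static port security on one port.
! A static secure MAC is a static CAM entry mapping the address to this
! port, so the same address cannot be made secure on a second interface.
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0000.1111.2222
 switchport port-security violation shutdown
!
! --- The MAC ACL alternative: one named list, bound on both jacks.
! A MAC ACL ends with an implicit deny, so frames from any other source
! MAC fail the list on these two ports. Whether IP frames are covered by
! MAC ACLs on this platform is the question raised in the next reply;
! confirm it against the release notes of the IOS version in use.
mac access-list extended allow-MAC
 permit host 0000.1111.2222 any
!
interface FastEthernet0/1
 no switchport port-security mac-address 0000.1111.2222
 no switchport port-security
 mac access-group allow-MAC in
!
interface FastEthernet0/2
 switchport mode access
 mac access-group allow-MAC in
!
! --- Verification from privileged EXEC:
! show access-lists allow-MAC                    (the list as configured)
! show mac access-group                          (interfaces it is bound to)
! show mac-address-table address 0000.1111.2222  (where the PC is learned)
```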

  3. On 7 Jul 2003 23:01:32 -0700, (Matthew Higginbotham)
    wrote:

    >Use the MAC ACL option incorporated in 2950 and 3550 switches. This
    >moves away from the old violation standard and blocks the traffic just
    >like an ACL.


    Do MAC access lists block IP traffic now? Up until very recently, MAC
    access lists were for non-IP traffic only. I haven't checked in the
    last couple months to see if this is still the case.

    >To apply the filter perform the following:
    >
    >mac access-list extended allow-MAC
    >permit host xxxx.xxxx.xxxx any
    >
    >int fa0/1
    >mac access-group allow-MAC in
    >int fa0/2
    >mac access-group allow-MAC in
    >
    >This will only allow the above MAC to access the ports where the ACL
    >is applied.
    >
    >Please Note:
    >
    >The 2950 is limited in how many MAC addresses you can allow if you
    >require a large number of MAC addresses in your ACL purchase a 3550.
    >The 3550 has a TCAM option that permits up to 12,000 MAC entries.
    >
    >HTH,
    >Matt
    >
    >Terry Baranski <> wrote in message news:<>...
    >> On Sun, 06 Jul 2003 17:59:09 GMT, (Norman
    >> Arsenault) wrote:
    >>
    >> >I have a Cisco 2950 48 port switch that I am setting up to use protected ports.
    >> >I have a mobile PC that I want to give exclusive rights to 2 different ports. I
    >> >setup the security on one port and add the MAC address to it. Works fine. When
    >> >I went to setup the second port, everything was fine until I went to add the
    >> >MAC address of the same PC. The IOS would not allow me to add the MAC address
    >> >to more than one port. The documentation supports this by saying a security
    >> >violation has occurred if a protected MAC address is seen on a different port.
    >> >
    >> >Is there a way around this? I want this mobile PC, and only this PC, to have
    >> >access to the network from 2 different jacks (depending where the user requires
    >> >it). I need to ensure that no other PC will have access through these ports.
    >>
    >> I think you're out of luck, as adding a static secure MAC address
    >> entry to a port creates a static CAM table entry mapping the MAC
    >> address to the port (do a 'show mac-address-table' to see). With this
    >> in mind, adding the same secure MAC address to two ports would result
    >> in multiple entries in the CAM table for that address, which
    >> essentially goes against the concept of switching/bridging.
    >>
    >> Your only hope here may be either VMPS or 802.1x.
     
    Terry Baranski, Jul 9, 2003
    #3