Re: [c-nsp] mac filter on switch

2017-05-23 Thread Peter Rathlev
On Tue, 2017-05-23 at 19:23 +0200, james list wrote:
> I tried the port-security feature with a fake mac address to see what
> happens, port got "not connect" and I'm not able to recover.
> 
> Could it be the device connected went in the same status ? It's an
> old server...
> 
> Any idea is appreciated.

Output from "show interface " and "show run interface " might
help. And the log lines surrounding the event. Without any data,
there's just guessing...

Sounds like the port might have error-disabled, though that is
normally a "disabled", not "not connected" state.

-- 
Peter
___
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


Re: [c-nsp] mac filter on switch

2017-05-23 Thread Peter Rathlev
> 2017-05-23 17:01 GMT+02:00 Peter Rathlev :
> > Maybe "switchport port-security" with static addresses will do what
> > you want?

On Tue, 2017-05-23 at 17:33 +0200, james list wrote:
> it seems fine, do you have an idea if it's possible to use the mask
> for the mac ?
> 
> Something like:
> 
> mac access-list extended secure-mac
>  permit 40aa.zz00. .00ff. any
> 
> It seems I've to list all the mac address and is not possible to use
> a mask.

I'm convinced you cannot use masks with "switchport port-security".

If you need more flexibility then a simple 802.1X implementation with a
RADIUS-server is perhaps a solution. It's possible to have FreeRADIUS
(and probably other RADIUS servers) use regular expressions to match
the username/MAC address. It is of course more complex and leads to the
switch being dependent on a reachable RADIUS-server...

-- 
Peter

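What the 802.1X-with-RADIUS route Peter describes looks like on the switch side, as an added example that is not from the thread. A host without a supplicant (the old server) is handled by MAC Authentication Bypass (MAB): after 802.1X times out, the switch sends the host's MAC address to RADIUS as the User-Name and the server decides. The interface name, VLAN, server address and shared secret are placeholders. The `dot1x mac-auth-bypass` form is the older interface syntax of the 12.2(35) era; later IOS releases use `mab` together with `authentication port-control auto`, so check the command reference for the release actually running.

```cisco
! Global: point 802.1X at a RADIUS server and enable it.
! 192.0.2.10 and RadiusSharedSecret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key RadiusSharedSecret
dot1x system-auth-control
!
! Access port: try 802.1X first, fall back to MAB for a host that has
! no supplicant. With the defaults (tx-period 30 s, max-reauth-req 2)
! MAB only starts after roughly 90 s of silence; shorter timers cut
! that wait for a host that will never answer EAP.
interface FastEthernet1/0/10
 description old-server
 switchport mode access
 switchport access vlan 10
 dot1x pae authenticator
 dot1x port-control auto
 dot1x timeout tx-period 10
 dot1x max-reauth-req 2
 dot1x mac-auth-bypass
!
! Verification:
!   show dot1x interface FastEthernet1/0/10 details
!   show dot1x all summary
```

On the FreeRADIUS side the matching can then be a regular expression in the `users` file rather than one entry per MAC, for example `DEFAULT User-Name =~ "^40aabb[0-9a-f]{6}$", Auth-Type := Accept` (the prefix is a placeholder). IOS sends the MAB username as twelve hex digits without separators; confirm the exact format the switch sends with `radiusd -X` on the server before relying on the pattern. Two caveats: MAB still trusts a source MAC that any host can forge, so it is an inventory control rather than authentication, and, as Peter notes, a port in `port-control auto` stays unauthorized while the RADIUS server is unreachable.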

Re: [c-nsp] mac filter on switch

2017-05-23 Thread james list
I tried the port-security feature with a fake mac address to see what
happens, port got "not connect" and I'm not able to recover.

Could it be the device connected went in the same status ? It's an old
server...

Any idea is appreciated.

Cheers
James



2017-05-23 17:01 GMT+02:00 Peter Rathlev :

> On Tue, 2017-05-23 at 15:22 +0200, james list wrote:
> > I’ve a customer switch C3750 (12.2(35)), is there a way to permit on
> > a specific port only a group of mac address which could generate
> > traffic towards the switch ?
> >
> > I’ve tried mac acl but I do not get the expected result.
>
> MAC ACL only filters non-IP traffic, if I recall correctly.
>
> Maybe "switchport port-security" with static addresses will do what you
> want?
>
> --
> Peter
>

Re: [c-nsp] mac filter on switch

2017-05-23 Thread james list
Hi
it seems fine, do you have an idea if it's possible to use the mask for the
mac ?

Something like:

mac access-list extended secure-mac
 permit 40aa.zz00. .00ff. any

It seems I've to list all the mac address and is not possible to use a mask.

Cheers

2017-05-23 17:01 GMT+02:00 Peter Rathlev :

> On Tue, 2017-05-23 at 15:22 +0200, james list wrote:
> > I’ve a customer switch C3750 (12.2(35)), is there a way to permit on
> > a specific port only a group of mac address which could generate
> > traffic towards the switch ?
> >
> > I’ve tried mac acl but I do not get the expected result.
>
> MAC ACL only filters non-IP traffic, if I recall correctly.
>
> Maybe "switchport port-security" with static addresses will do what you
> want?
>
> --
> Peter
>

Re: [c-nsp] mac filter on switch

2017-05-23 Thread Peter Rathlev
On Tue, 2017-05-23 at 15:22 +0200, james list wrote:
> I’ve a customer switch C3750 (12.2(35)), is there a way to permit on
> a specific port only a group of mac address which could generate
> traffic towards the switch ?
> 
> I’ve tried mac acl but I do not get the expected result.

MAC ACL only filters non-IP traffic, if I recall correctly.

Maybe "switchport port-security" with static addresses will do what you
want?

-- 
Peter
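The port-security configuration Peter suggests here, together with the error-disable handling discussed further up the thread, as an added example that is not from the thread. Peter's recollection about MAC ACLs holds for this platform: on a Catalyst 3750 a MAC ACL on a port matches only non-IP frames, which is why it did not produce the expected result, while port security checks the source MAC of every frame. The interface name, VLAN and MAC addresses below are placeholders.

```cisco
! Global: with the default "shutdown" violation mode the switch
! err-disables the port on the first unknown source MAC, and the log
! shows a line such as
!   %PM-4-ERR_DISABLE: psecure-violation error detected on Fa1/0/10, putting Fa1/0/10 in err-disable state
! These two lines make the switch re-enable such a port after 300 s
! instead of waiting for an operator.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Access port with a static allow-list of source MACs. Port security
! only accepts static access or trunk ports, not dynamic ones, so the
! mode is set explicitly. "maximum" must be at least the number of
! static addresses (the default is 1) or the later entries are refused.
interface FastEthernet1/0/10
 description old-server
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 40aa.bb00.0001
 switchport port-security mac-address 40aa.bb00.0002
 switchport port-security mac-address 40aa.bb00.0003
 ! "shutdown" is the default and what the thread ran into. "restrict"
 ! keeps the port up, drops frames from unknown MACs, logs / traps and
 ! increments the violation counter; "protect" drops them silently.
 switchport port-security violation shutdown
!
! Manual recovery of an err-disabled port:
!   configure terminal
!   interface FastEthernet1/0/10
!    shutdown
!    no shutdown
!
! Verification:
!   show interfaces status err-disabled
!   show port-security interface FastEthernet1/0/10
!   show port-security address
!   show errdisable recovery
```

`show interfaces status` distinguishes the two states James mentions: `err-disabled` is the port-security violation, `notconnect` means the link itself is down, which could also be the old server's NIC after the port was bounced. Note that port security matches on the source MAC only; any host can set its MAC to one on the list, so this restricts which devices are expected on the port but does not authenticate them.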

[c-nsp] mac filter on switch

2017-05-23 Thread james list
Dear experts,

I’ve a customer switch C3750 (12.2(35)), is there a way to permit on a
specific port only a group of mac address which could generate traffic
towards the switch ?

I’ve tried mac acl but I do not get the expected result.

Any idea, example or www reference is appreciated.

Thanks in advance

Cheers

James