Re: [c-nsp] mac filter on switch
On Tue, 2017-05-23 at 19:23 +0200, james list wrote:
> I tried the port-security feature with a fake mac address to see what
> happens, port got "not connect" and I'm not able to recover.
>
> Could it be the device connected went in the same status? It's an
> old server...
>
> Any idea is appreciated.

Output from "show interface " and "show run interface " might help. And the log lines surrounding the event. Without any data, there's just guessing...

Sounds like the port might have error-disabled, though that is normally a "disabled", not "not connected" state.

--
Peter
___
cisco-nsp mailing list
cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Re: [c-nsp] mac filter on switch
> 2017-05-23 17:01 GMT+02:00 Peter Rathlev:
> > Maybe "switchport port-security" with static addresses will do what
> > you want?

On Tue, 2017-05-23 at 17:33 +0200, james list wrote:
> it seems fine, do you have an idea if it's possible to use the mask
> for the mac?
>
> Something like:
>
> mac access-list extended secure-mac
> permit 40aa.zz00. .00ff. any
>
> It seems I've to list all the mac address and is not possible to use
> a mask.

I'm convinced you cannot use masks with "switchport port-security". If you need more flexibility then a simple 802.1X implementation with a RADIUS server is perhaps a solution. It's possible to have FreeRADIUS (and probably other RADIUS servers) use regular expressions to match the username/MAC address.

It is of course more complex and leads to the switch being dependent on a reachable RADIUS server...

--
Peter
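Since port-security takes exact addresses and no mask (the answer above to the "mask for the mac" question quoted in it), the practical workaround is to expand the mask into explicit entries. The following is an added example, not code from this thread or from Cisco: a small Python script that applies MAC ACL wildcard semantics (a 1 bit in the wildcard means "don't care"), enumerates every address a base/wildcard pair covers, and emits an interface stanza with one "switchport port-security mac-address" line per address plus a matching "maximum". The interface name, the base address 40aa.bb00.0000, the wildcards and the 256-entry cap are constructed assumptions (the real per-port limit depends on the platform). The violation mode defaults to "restrict" here because the IOS default, "shutdown", err-disables the port on the first unknown source address, which is the state Peter suspects further up the thread; "restrict" drops and logs instead and leaves the port up.

```python
"""Expand a Cisco-style MAC wildcard mask into explicit port-security entries.

Added example, not code from the cisco-nsp thread or from Cisco: port-security
takes exact addresses only, so a 'mask' has to be expanded into one
'switchport port-security mac-address' line per matching address.
"""
import re
from typing import List

MAC_BITS = 0xFFFFFFFFFFFF  # 48-bit address space
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")


def mac_to_int(mac: str) -> int:
    """Parse IOS dotted notation (aabb.ccdd.eeff) into an integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a dotted MAC address: {mac!r}")
    return int(mac.replace(".", ""), 16)


def int_to_mac(value: int) -> str:
    """Render an integer as IOS dotted notation."""
    hexstr = f"{value & MAC_BITS:012x}"
    return f"{hexstr[0:4]}.{hexstr[4:8]}.{hexstr[8:12]}"


def mac_matches(mac: str, base: str, wildcard: str) -> bool:
    """MAC ACL wildcard semantics: a 1 bit in the wildcard is 'don't care'."""
    care = ~mac_to_int(wildcard) & MAC_BITS
    return (mac_to_int(mac) & care) == (mac_to_int(base) & care)


def expand_wildcard(base: str, wildcard: str, limit: int = 256) -> List[str]:
    """Enumerate every address covered by base/wildcard, lowest first.

    'limit' is an assumed safety cap: each address becomes a static secure
    entry on the port, and the platform bounds how many a port can hold.
    """
    w = mac_to_int(wildcard)
    fixed = mac_to_int(base) & ~w & MAC_BITS      # clear the don't-care bits
    free_bits = [i for i in range(48) if (w >> i) & 1]
    count = 1 << len(free_bits)
    if count > limit:
        raise ValueError(f"mask covers {count} addresses, more than the cap of {limit}")
    result = []
    for n in range(count):
        value = fixed
        for pos, bit in enumerate(free_bits):   # spread n's bits over the free positions
            if (n >> pos) & 1:
                value |= 1 << bit
        result.append(int_to_mac(value))
    return result


def port_security_config(interface: str, base: str, wildcard: str,
                         violation: str = "restrict") -> str:
    """Build an IOS interface stanza with one static secure address per match.

    The IOS default violation mode is 'shutdown', which err-disables the port
    on the first unknown source MAC; 'restrict' drops the offender's frames
    and logs, but leaves the port up.
    """
    macs = expand_wildcard(base, wildcard)
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {len(macs)}",
        f" switchport port-security violation {violation}",
    ]
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: allow 40aa.bb00.0000 - 40aa.bb00.0003 on one port.
    print(port_security_config("GigabitEthernet1/0/1", "40aa.bb00.0000", "0000.0000.0003"))
```

A wildcard of 0000.0000.00ff expands to 256 entries, which is the "list all the MAC addresses" situation the thread arrives at; the cap makes the script refuse anything wider rather than silently producing a stanza the switch cannot hold.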
Re: [c-nsp] mac filter on switch
I tried the port-security feature with a fake mac address to see what happens, port got "not connect" and I'm not able to recover.

Could it be the device connected went in the same status? It's an old server...

Any idea is appreciated.

Cheers
James

2017-05-23 17:01 GMT+02:00 Peter Rathlev:
> On Tue, 2017-05-23 at 15:22 +0200, james list wrote:
> > I’ve a customer switch C3750 (12.2(35)), is there a way to permit on
> > a specific port only a group of mac address which could generate
> > traffic towards the switch?
> >
> > I’ve tried mac acl but I do not get the expected result.
>
> MAC ACL only filters non-IP traffic, if I recall correctly.
>
> Maybe "switchport port-security" with static addresses will do what you
> want?
>
> --
> Peter
Re: [c-nsp] mac filter on switch
Hi,

it seems fine, do you have an idea if it's possible to use the mask for the mac?

Something like:

mac access-list extended secure-mac
permit 40aa.zz00. .00ff. any

It seems I've to list all the mac address and is not possible to use a mask.

Cheers

2017-05-23 17:01 GMT+02:00 Peter Rathlev:
> On Tue, 2017-05-23 at 15:22 +0200, james list wrote:
> > I’ve a customer switch C3750 (12.2(35)), is there a way to permit on
> > a specific port only a group of mac address which could generate
> > traffic towards the switch?
> >
> > I’ve tried mac acl but I do not get the expected result.
>
> MAC ACL only filters non-IP traffic, if I recall correctly.
>
> Maybe "switchport port-security" with static addresses will do what you
> want?
>
> --
> Peter
Re: [c-nsp] mac filter on switch
On Tue, 2017-05-23 at 15:22 +0200, james list wrote:
> I’ve a customer switch C3750 (12.2(35)), is there a way to permit on
> a specific port only a group of mac address which could generate
> traffic towards the switch?
>
> I’ve tried mac acl but I do not get the expected result.

MAC ACL only filters non-IP traffic, if I recall correctly.

Maybe "switchport port-security" with static addresses will do what you want?

--
Peter
[c-nsp] mac filter on switch
Dear experts,

I’ve a customer switch C3750 (12.2(35)), is there a way to permit on a specific port only a group of mac address which could generate traffic towards the switch?

I’ve tried mac acl but I do not get the expected result.

Any idea, example or www reference is appreciated.

Thanks in advance

Cheers
James