Re: Where's "mac-address-table secure" on newer Catalyst switches?

In article <4A9DA309.1000908@xxxxxxxxxxxxxx>, Tom Lowry <tlowry@xxxxxxxxxxxxxx> writes:

Look at 'port security' options for the 3560:

interface GigabitEthernet0/4
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address aaaa.bbbb.cccc

There are two mechanisms I need to be able to employ:

1) Arbitrarily block a MAC address everywhere on the LAN on a given VLAN

2) Only allow a MAC address on a specific port assigned to a given VLAN on
the LAN

Port security only helps in either case if all the ports for a given VLAN are
set as secure. Since many of our systems need to be moved from room to room
or are laptops (which are mobile by nature), we can't do that. In the version
of IOS that worked on the Catalyst 2900XL series, you could define a MAC
address as secure and assign it to a port/VLAN, but the port itself didn't
need to be secure. If that MAC address appeared on the port, it would be
allowed to pass traffic, but if the MAC address appeared anywhere else on the
LAN in the same VLAN, regardless of port security on the port to which it was
attached, access from that MAC address would be blocked. This is the behavior
I'm seeking on the newer Catalyst switches (3560 and/or 3750) but which has
apparently been dropped. I'm happy to be corrected, however.


On 8/31/2009 3:39 PM, Michael T. Davis wrote:
For the sake of context, you may assume that the mention of any VLAN
id in this discussion is maintained throughout the LAN in question. (We're
not dealing with a "private VLAN" or a VLAN maintained only on a subset of
switches on the LAN.)

We have a number of Catalyst 2900XL (EN) switches installed. One
command we make regular use of is...

# mac-address-table secure H.H.H fa0/N vlan V

When we specify this on one switch, the MAC address is essentially blocked
anywhere else on our LAN (for the given VLAN id). If this is set for a port
that isn't actually connected to anything on a single switch, the MAC address
is basically blocked everywhere on the LAN.

I just checked a Catalyst 3560G-48PS and a Catalyst 3750G-24TS. The
command line completion mechanism on both switches seems to imply the "secure"
form of the "mac-address-table" command is no longer available. (Both of these
newer switches are running "IPBASE-M" variants of IOS.) I also checked the
online command line reference for the newest version(s) of IOS for these
switches. Finally, I checked the online "Command Lookup Tool for Cisco IOS",
and it only says the "secure" form is available with Catalyst switches, but
doesn't qualify what models. The closest variant is...

# mac-address-table static H.H.H vlan V drop

Does this provide the same functionality as the "secure" form, or would it need
to be specified on each switch in the LAN to be effective when we want to drop
packets for a particular MAC address everywhere on the LAN? If we were to
set...

# mac-address-table static H.H.H vlan V interface INT

would this only allow the given MAC address on the port INT of the switch in
question, and block its use everywhere else on the LAN, as the "secure" form
did on the 2900XL series of switches?
[...]

Regards,
Mike
--
| Systems Specialist: CBE,MSE
Michael T. Davis (Mike) | Departmental Networking/Computing
http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
| 197 Watts, (614) 292-6928
** E-mail is the best way to contact me **
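The two mechanisms Mike describes (block a MAC everywhere on a VLAN; allow a MAC only on one specific port) can at least be audited from the switches' own forwarding tables when the hardware no longer enforces them LAN-wide. The following is an added example, not code from the thread: it parses constructed `show mac address-table` style output from two hypothetical switches (sw1, sw2) and reports any MAC seen where the policy forbids it.

```python
import re

# Constructed mac-address-table output for two hypothetical switches (sw1, sw2).
# Column layout mirrors Catalyst IOS output; the rows themselves are made up.
MAC_TABLES = {
    "sw1": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aaaa.bbbb.cccc    STATIC      Gi0/4
  10    0011.2233.4455    DYNAMIC     Gi0/12
  20    dead.beef.0001    DYNAMIC     Gi0/7
""",
    "sw2": """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    aaaa.bbbb.cccc    DYNAMIC     Gi0/21
  10    0011.2233.4455    DYNAMIC     Gi0/1
  20    aaaa.bbbb.dddd    DYNAMIC     Gi0/2
""",
}

# Mechanism 2 from the thread: (mac, vlan) may appear only on one (switch, port).
PINNED = {("aaaa.bbbb.cccc", 10): ("sw1", "Gi0/4")}
# Mechanism 1 from the thread: (mac, vlan) is blocked everywhere on the LAN.
BLOCKED = {("dead.beef.0001", 20)}

# One table row: VLAN, dotted H.H.H MAC, entry type, port.
ROW = re.compile(r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)", re.I)


def parse_mac_table(text):
    """Yield (vlan, mac, port) tuples; header and separator lines are skipped."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield int(m.group(1)), m.group(2).lower(), m.group(3)


def find_violations(tables, pinned, blocked):
    """Return sorted (mac, vlan, switch, port, reason) tuples for policy breaches."""
    out = []
    for switch, text in tables.items():
        for vlan, mac, port in parse_mac_table(text):
            key = (mac, vlan)
            if key in blocked:
                out.append((mac, vlan, switch, port, "blocked on this VLAN"))
            elif key in pinned and pinned[key] != (switch, port):
                out.append((mac, vlan, switch, port, "pinned to %s %s" % pinned[key]))
    return sorted(out)


if __name__ == "__main__":
    for v in find_violations(MAC_TABLES, PINNED, BLOCKED):
        print("%s vlan %d seen on %s %s: %s" % v)
```

A MAC that legitimately shows up on an uplink of a second switch (like 0011.2233.4455 above) is not flagged unless it is in the policy, so pinned entries should name the access port only.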