October 17th, 2012 12:00

ACLs....if you write a permit rule for each of the MAC addresses, followed by a deny all, wouldn't that work??

 

permit any

permit any

permit any

deny any any

 

 

Second option....if you want to ensure that only the three MAC addresses will be allowed on ports 1, 3 and 5, then you should be able to use Port Security.

 

This allows you to either learn the addresses on the ports, which you then lock, or statically configure the MAC addresses; you can choose to discard any non-compliant traffic, or shutdown the port.

 

Have a look at page 273 of the User Guide.

 

Third, but more complex, method is to use MAC address authentication tied with authentication using RADIUS to a directory service....

3 Posts

October 17th, 2012 15:00

The problem is, so far, that when I use 1 MAC address on port 1, I cannot assign the same MAC address also to port 2 and 3.

MAC 1 must have access on port 1, 3, 5,

MAC 2 must have access on port 1, 3, 5,

MAC 3 must have access on port 1, 3, 5,

I'm afraid I have to use RADIUS, but I know even less about RADIUS than I know about the 35xx.

Your second option I've used on another of our 35xx switches, and that works fine. Multiple MACs only access through that port, or just one MAC is allowed on that specific port.

I'll try the suggested ACL as soon as possible.......

Hans

802 Posts

October 18th, 2012 13:00

Have you tried using this set up from the GUI?

Where the Set Port is unlocked, then you have Limited Dynamic Lock chosen for a max of 3.  It looks like this would allow the port to learn 3 addresses then lock.  You would physically connect the three devices to each port and then it should not allow another addresses beyond the first three.

Hope this helps,

Keep us updated if you can.

3 Posts

October 31st, 2012 10:00

Sorry for the late answer, there's more than just switches....

The solution with the Limited Dynamic Lock did not work.

Cerbera put me in the right direction

I have tried again to build an ACL

Command line:

configure

mac access-list note1

permit 00:01:01:01:01:01 ff:ff:ff:ff:ff:ff any

permit 00:02:02:02:02:02 ff:ff:ff:ff:ff:ff any

deny any any

end

This ACL I bind to a port e1 and to port e2

All traffic, other than the two MAC addresses, is blocked.

And it will work for 3 MAC addresses too.

Then I tried to copy the same procedure to a 34xx..... just to find out that that switch does not have a 'permit' option.

Back to square 1

Hans

802 Posts

October 31st, 2012 11:00

Looks like the default config for MAC ACLs on the 34xx is permit all.  I pulled this out of the User Guide, pages 91-92:

 http://support.dell.com/support/edocs/network/pc34xx/en/cli/pdf/CarrierCLI.zip

ACL Commands

mac access-list

The mac access-list Global Configuration mode command creates Layer 2 ACLs. To delete an ACL, use the no form of this command.

Syntax

mac access-list name

no mac access-list name

• name—Specifies the name of the ACL.

Default Configuration

The default for all ACLs is permit all.
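An added example (not code from the thread or from Dell's documentation) that models how a Layer 2 MAC ACL of the "permit list, then deny any any" form, like the one Hans built above, is evaluated, and why the 34xx "default permit all" behaviour quoted just above makes the same allow-list impossible without a permit entry. It only mimics the CLI line format from the thread and never talks to a switch. Assumptions of mine, not the User Guide's: rules are evaluated top-down with first match winning, the mask means "bits set to 1 must match" (which is what the working ff:ff:ff:ff:ff:ff entries imply), and a frame matching no rule falls through to a platform default that is passed in explicitly. All MAC addresses are constructed sample values.

```python
# Added example: offline model of a Dell-style MAC ACL. Assumptions (mine):
# first match wins; mask bits set to 1 must match; no match -> platform default.

from dataclasses import dataclass
from typing import List, Optional


def parse_mac(text: str) -> int:
    """Turn 'aa:bb:cc:dd:ee:ff' into a 48-bit integer for masked comparison."""
    parts = text.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {text!r}")
    return int("".join(parts), 16)


@dataclass(frozen=True)
class MacRule:
    action: str            # "permit" or "deny"
    src: Optional[int]     # None means the 'any' keyword
    src_mask: int          # bits that must match (unused when src is None)

    def matches(self, src_mac: int) -> bool:
        if self.src is None:
            return True
        return (src_mac & self.src_mask) == (self.src & self.src_mask)


def parse_rule(line: str) -> MacRule:
    """Parse one entry in the thread's CLI form, e.g.
    'permit 00:01:01:01:01:01 ff:ff:ff:ff:ff:ff any' or 'deny any any'."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] not in ("permit", "deny"):
        raise ValueError(f"not an ACL entry: {line!r}")
    action = tokens[0]
    if tokens[1] == "any":
        return MacRule(action, None, 0)
    if len(tokens) < 4:
        raise ValueError(f"source entry needs a mask: {line!r}")
    return MacRule(action, parse_mac(tokens[1]), parse_mac(tokens[2]))


def evaluate(rules: List[MacRule], src_mac: str, default: str = "deny") -> str:
    """First matching rule decides; otherwise the platform default applies."""
    mac = parse_mac(src_mac)
    for rule in rules:
        if rule.matches(mac):
            return rule.action
    return default


def build_allow_list(name: str, macs: List[str]) -> List[str]:
    """Emit the CLI lines of the pattern Hans used: one exact-match permit per
    MAC, then a catch-all deny. Returns text only; nothing is sent anywhere."""
    lines = [f"mac access-list {name}"]
    for mac in macs:
        parse_mac(mac)  # validate before emitting
        lines.append(f"permit {mac} ff:ff:ff:ff:ff:ff any")
    lines.append("deny any any")
    return lines


if __name__ == "__main__":
    # Constructed sample addresses in the same shape as the thread's entries.
    allowed = ["00:01:01:01:01:01", "00:02:02:02:02:02", "00:03:03:03:03:03"]
    acl_lines = build_allow_list("note1", allowed)
    rules = [parse_rule(line) for line in acl_lines[1:]]   # skip the name line
    for mac in allowed + ["00:aa:bb:cc:dd:ee"]:
        print(f"{mac} -> {evaluate(rules, mac)}")

    # The 34xx situation: only deny entries are available and the platform
    # default is "permit all", so any MAC not explicitly listed falls through
    # and is permitted. An allow-list cannot be expressed this way.
    deny_only = [parse_rule("deny 00:aa:bb:cc:dd:ee ff:ff:ff:ff:ff:ff any")]
    unknown = "00:11:22:33:44:55"
    print(f"34xx-style, unknown {unknown} -> "
          f"{evaluate(deny_only, unknown, default='permit')}")
```

Running it prints "permit" for the three listed addresses and "deny" for the fourth under the 35xx-style list, and "permit" for an unlisted address under the deny-only list with a permit-all default, which is the difference the two posts above are describing.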
