Tuesday, May 24, 2005

Q: How do I restrict a switchport or VLAN to a list of valid MAC addresses?

A:
It looks like there are multiple methods and a lot of limitations. There's "port-security". This looks easiest to configure. However, the switchport cannot be a trunk port or a member of an etherchannel, so it can't be used at the core or distribution switch; it has to be applied on every access switch. There's another way: you create an extended mac access-list containing the src-dest MAC address pairs you want to allow. Then there are two options: you could apply that access-list to all of the switch interfaces, or apply it to a VLAN. The mac access-list itself would look something like this:
(c)#mac access-list extended myfriends
(c-e-m)#permit host 1234.5678.90AB any
(c-e-m)#permit host AB12.3456.7890 any
(c-e-m)#deny any any
(c-e-m)#end
Note the deny any any. On testing I found that this type of access-list does not include an implicit deny. To apply it to an interface (you would have to do all interfaces on the switch to be fully protected), do the following:
(c)#int ran f1/0/1 - 48 , f2/0/1 - 48
(c-i)#mac access-group myfriends in
Or, you create a vlan access-map with action forward for matches to that access list. Then you use the vlan filter command to apply that access-map to a VLAN or list of VLANs.
(c)#vlan access-map wksta 10
(c-a-m)#match mac address myfriends
(c-a-m)#end

(c)#vlan filter wksta vlan-list 20-23,51
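The two procedures above (ACL plus per-interface access-group, or ACL plus access-map and vlan filter) are easy to get subtly wrong by hand: MACs arrive in colon, dash or dotted notation, and the ACL silently passes everything if the explicit deny is forgotten. The following is an added example, not from the original post, that generates both forms from a MAC list (the ACL name and access-map name are hypothetical, the sample MACs are the post's) and audits a config for MAC ACLs missing the explicit deny.

```python
import re

# Added helper (not from the original post): builds the page's "myfriends" MAC ACL
# from MACs in any common notation and audits a config for ACLs lacking the
# explicit "deny any any" the post found necessary.

_HEX12 = re.compile(r"^[0-9a-f]{12}$")

def to_cisco_mac(mac: str) -> str:
    """Normalise 12:34:56:78:90:AB / 12-34-56-78-90-ab / 1234.5678.90AB to 1234.5678.90ab."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return f"{digits[:4]}.{digits[4:8]}.{digits[8:]}"

def mac_acl_config(name: str, allowed, interfaces=None, vlans=None) -> str:
    """Emit the ACL, plus either the per-interface or the VLAN-filter application."""
    lines, seen = [f"mac access-list extended {name}"], set()
    for mac in allowed:
        cmac = to_cisco_mac(mac)
        if cmac not in seen:            # same host written two ways is one entry
            seen.add(cmac)
            lines.append(f" permit host {cmac} any")
    lines.append(" deny any any")       # MAC ACLs have no implicit deny (per the post's testing)
    if interfaces:                      # access-switch style: every edge port
        lines += [f"interface range {interfaces}", f" mac access-group {name} in"]
    if vlans:                           # VLAN style: access-map + vlan filter
        lines += [f"vlan access-map {name}-map 10", f" match mac address {name}",
                  " action forward", f"vlan filter {name}-map vlan-list {vlans}"]
    return "\n".join(lines)

def mac_acls_missing_deny(config_text: str) -> list:
    """Names of 'mac access-list extended' blocks with no explicit 'deny any any'."""
    missing, name, has_deny = [], None, False
    for raw in config_text.splitlines() + ["!"]:   # sentinel closes the last block
        line = raw.strip()
        if line.startswith("mac access-list extended "):
            if name and not has_deny:
                missing.append(name)
            name, has_deny = line.split()[-1], False
        elif name and not raw.startswith(" "):     # '!' or any unindented line ends the block
            if not has_deny:
                missing.append(name)
            name = None
        elif name and line.startswith("deny any any"):
            has_deny = True
    return missing
```

Run mac_acls_missing_deny over a saved running-config to list any MAC ACL that still relies on a deny that isn't there.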
Here's another possibility: VMPS. One guy says: There is a tool I use called VMPS that is in with the IOS of every Cisco Switch. VMPS means VLAN Membership Policy Server. This is a text file that lives on my Linux box that one of my Primary VMPS Switches queries at the time I configured on it. Then, all my other switches ask the Primary switch for the same info (a lot faster since they have a gig link to my Primary and the VMPS file lives in RAM). Now, in that file, I can group which switches belong to a group or which MAC addresses belong to a group (i.e., accounting) and say that ports 1-18 are only accessible for accounting. After some research, I have concluded that VMPS is a CatOS-only feature, so it doesn't apply to my situation.