Simple MAC Filter

dstrait
Member
Posts: 29
Joined: 30 Jun 2017 17:28

Simple MAC Filter

Post by dstrait »

I have several OS6450-10 switches out in the field. I am needing to lock these down so that only certain devices are allowed to link up, based off the MAC address. There are only 2-8 devices, depending on the location. Any device not on the ACL needs to be ignored. I have decided Radius is not the way to go, for various reasons.

What would be the quickest way to do this? I've done some reading on Port-Security, but have had issues trying to get it working.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Simple MAC Filter

Post by silvio »

In this case there are two easy solutions: a policy, or a VLAN rule on mobile ports. With port security you fix the MAC to specific ports.

1. Policy:
policy port group ACCESS ....
policy mac group MAC-OK ....
policy condition MAC-OK source port group ACCESS source mac group MAC-OK
policy condition MAC-NOK source port group ACCESS
policy action ALLOW
policy action DENY disposition ....
policy rule MAC-OK condition MAC-OK action ALLOW precedence 100
policy rule MAC-NOK condition MAC-NOK action DENY precedence 50
qos apply
2. VLAN rule on mobile ports:
vlan port mobile 1/1-8
vlan 99 name Quarantine
vlan 5 name Data
vlan 99 port default 1/1-8
vlan 5 mac ....
vlan 5 mac .... (for all the good MAC)

best regards
Silvio
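The two configurations above elide the actual MAC and port arguments with "....", and the subtle part of method 1 is that an allowed MAC matches both conditions (MAC-OK and the catch-all MAC-NOK), so the rule precedence is what makes ALLOW win. The script below is an added example, not code from the thread or from Alcatel: it normalises an allow-list of MACs, emits both configurations with concrete values, and simulates which rule the policy engine picks for a given source MAC and ingress port. The sample MAC addresses are constructed, and the exact AOS 6 argument forms used in the emitted lines (space-separated MACs in the mac group, "disposition deny") are assumptions, since the post does not show them.

```python
import re

# Constructed sample allow-list for one site; these MAC values are made up for
# the example and are not from the thread.
ALLOWED_MACS = ["00:11:22:33:44:55", "00-11-22-33-44-66", "001122334477"]
ACCESS_PORTS = "1/1-8"      # port group from silvio's example (slot/first-last)
DATA_VLAN = 5
QUARANTINE_VLAN = 99

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Canonicalise a MAC to lowercase aa:bb:cc:dd:ee:ff; reject anything that
    is not exactly 12 hex digits once separators are stripped."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def port_in_group(port, spec):
    """True if 'slot/port' falls inside a 'slot/first-last' port-group spec."""
    slot, num = port.split("/")
    gslot, grange = spec.split("/")
    first, _, last = grange.partition("-")
    last = last or first
    return slot == gslot and int(first) <= int(num) <= int(last)


def build_policy_config(allowed, access_ports):
    """Method 1 from the thread: QoS policy with an allow rule at precedence 100
    and a catch-all deny at precedence 50. The MAC/port arguments and
    'disposition deny' are assumed AOS 6 syntax (the post elided them)."""
    macs = sorted({normalize_mac(m) for m in allowed})
    return "\n".join([
        f"policy port group ACCESS {access_ports}",
        "policy mac group MAC-OK " + " ".join(macs),
        "policy condition MAC-OK source port group ACCESS source mac group MAC-OK",
        "policy condition MAC-NOK source port group ACCESS",
        "policy action ALLOW",
        "policy action DENY disposition deny",
        "policy rule MAC-OK condition MAC-OK action ALLOW precedence 100",
        "policy rule MAC-NOK condition MAC-NOK action DENY precedence 50",
        "qos apply",
    ])


def build_vlan_rule_config(allowed, ports, data_vlan, quarantine_vlan):
    """Method 2 from the thread: mobile ports defaulting into a quarantine VLAN,
    with one 'vlan <id> mac <addr>' rule per allowed MAC moving it to the data
    VLAN. It is one line per MAC, which is why a per-switch rule limit matters."""
    lines = [
        f"vlan port mobile {ports}",
        f"vlan {quarantine_vlan} name Quarantine",
        f"vlan {data_vlan} name Data",
        f"vlan {quarantine_vlan} port default {ports}",
    ]
    lines += [f"vlan {data_vlan} mac {m}" for m in sorted({normalize_mac(x) for x in allowed})]
    return "\n".join(lines)


def evaluate(src_mac, ingress_port, allowed, access_ports):
    """Mimic how the policy engine picks a rule for one frame: every matching
    rule is collected and the highest precedence wins. An allowed MAC matches
    both MAC-OK and MAC-NOK; ALLOW (100) beats DENY (50). Off the ACCESS group
    neither condition matches, so these rules do not filter the frame at all."""
    if not port_in_group(ingress_port, access_ports):
        return "NO-MATCH"
    matches = [("DENY", 50)]                       # MAC-NOK: any source on ACCESS
    if normalize_mac(src_mac) in {normalize_mac(m) for m in allowed}:
        matches.append(("ALLOW", 100))             # MAC-OK: listed source MAC
    return max(matches, key=lambda r: r[1])[0]


if __name__ == "__main__":
    print(build_policy_config(ALLOWED_MACS, ACCESS_PORTS))
    print()
    print(build_vlan_rule_config(ALLOWED_MACS, ACCESS_PORTS, DATA_VLAN, QUARANTINE_VLAN))
    for mac, port in [("00:11:22:33:44:55", "1/3"),
                      ("00:de:ad:be:ef:00", "1/3"),
                      ("00:de:ad:be:ef:00", "1/10")]:
        print(mac, port, "->", evaluate(mac, port, ALLOWED_MACS, ACCESS_PORTS))
```

The NO-MATCH result for port 1/10 is the point dstrait runs into later in the thread: a port outside the ACCESS group (such as the tagged uplink) is simply not covered by either rule, so filtering there needs a separate mechanism.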
dstrait
Member
Posts: 29
Joined: 30 Jun 2017 17:28

Re: Simple MAC Filter

Post by dstrait »

Exactly what I was needing. Thank you for your response (And sorry for my delay).
dstrait
Member
Posts: 29
Joined: 30 Jun 2017 17:28

Re: Simple MAC Filter

Post by dstrait »

I have another question, spawned from the original.

I implemented all MAC filtering using the mobile port method. It worked exactly as I needed. However, I would now like to apply MAC filtering on the primary switch, which feeds the access switch.

The access switches have three VLANs.
225 - Management
200 - Data
999 - Quarantine

Port 1/10 is serving as the trunk (225/200 Q-tagged) to the primary switch. I am MAC filtering locally, and all is well.

Port 1/10 on the access switch runs to port 1/23 on the primary switch. On the primary switch, I would also like to MAC filter on port 1/23. If I only had a single VLAN on the access switch, this would be simple if I defaulted everything; I tested as much on my bench. However, since I'm trunking/tagging two VLANs, it does not work as wanted.

Is it possible to MAC filter on the primary switch when the two VLANs in question are Q-tagged? As it sits right now, a rogue device could be inserted between the access switch and the primary switch, as the uplink is not filtered.
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Simple MAC Filter

Post by silvio »

On mobile ports tagging is not possible. You can make port 1/23 on your primary switch mobile (without tagging) and keep port 1/10 tagged. Then you need "vlan 225 mobile-tag enabled" on the primary switch (same for 200). But don't forget that the access switch itself also has a MAC. I would suggest not doing it this way. The untagged VLAN is 999, so every rogue client directly attached at port 1/23 is in VLAN 999. That is okay. Also I think there is a limit on the vlan-rule-mac commands. You would need this for all the MACs at all attached switches and clients.... not a good idea.
best regards
Silvio
dstrait
Member
Posts: 29
Joined: 30 Jun 2017 17:28

Re: Simple MAC Filter

Post by dstrait »

I am trying to get this working on my bench, just to get a feel for it, without luck though. I cannot get the mobile port to function correctly. I even took it down to just a single switch and started testing with my Fluke, with no luck.

I have a switch online and communicating on VLAN 50.
  • Mobile tagging is enabled for VLAN 50
  • Fluke is set to use VLAN 50
  • Port 1/1 defaults to VLAN 1 (dead end) and is set to mobile: Fluke does not communicate
  • Port 1/2 is statically tagged for VLAN 50: Fluke communicates as expected
  • Port 1/1 will not dynamically assign to VLAN 50
Am I missing something simple?
silvio
Alcatel Unleashed Certified Guru
Posts: 1886
Joined: 01 Jul 2008 10:51
Location: Germany

Re: Simple MAC Filter

Post by silvio »

I think there is another problem I had forgotten. Your access switch sends BPDUs to the core (there at the mobile port), and if a mobile port receives a BPDU then the mobile function is disabled. So this isn't possible this way.
You can use port security with all your MACs statically configured.
dstrait
Member
Posts: 29
Joined: 30 Jun 2017 17:28

Re: Simple MAC Filter

Post by dstrait »

I was able to find my way around port security, and I think that will work just fine. I am having one hang-up, though; I will create a new thread for it.

Thank you very much for your assistance.