I have several OS6450-10 switches out in the field. I need to lock these down so that only certain devices are allowed to link up, based on the MAC address. There are only 2-8 devices, depending on the location. Any device not on the ACL needs to be ignored. I have decided RADIUS is not the way to go, for various reasons.
What would be the quickest way to do this? I've done some reading on port security, but have had issues trying to get it working.
Simple MAC Filter
Re: Simple MAC Filter
In this case there are two easy solutions: a policy, or a VLAN rule on mobile ports. With port security you fix the MAC to specific ports.
1. Policy:
policy port group ACCESS ....
policy mac group MAC-OK ....
policy condition MAC-OK source port group ACCESS source mac group MAC-OK
policy condition MAC-NOK source port group ACCESS
policy action ALLOW
policy action DENY disposition ....
policy rule MAC-OK condition MAC-OK action ALLOW precedence 100
policy rule MAC-NOK condition MAC-NOK action DENY precedence 50
qos apply
OR 2. VLAN rule at mobile ports:
vlan port mobile 1/1-8
vlan 99 name Quarantine
vlan 5 name Data
vlan 99 port default 1/1-8
vlan 5 mac ....
vlan 5 mac .... (for all the good MACs)
best regards
Silvio
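Added example (not code from the thread or from Silvio's reply): a small Python generator that turns a per-site allowlist into the two configurations above, plus the static port-security variant that comes up later in the thread. It normalises every MAC first, so a typo, a duplicate in a different notation, or a multicast/broadcast address (which can never be a frame's source and would silently match nothing) is caught before anything reaches `qos apply`. The sample ports and MACs are constructed; the exact argument forms for `policy mac group`, `policy action ... disposition`, and the `port-security` keywords are assumptions to check against the OS6450 CLI reference for the AOS release in use.

```python
"""Build an OmniSwitch MAC allowlist config from a per-site device list.

Added example, not code from the forum thread.  The CLI line shapes follow
Silvio's reply; the argument forms marked "assumed" below should be checked
against the OS6450 CLI reference for the AOS release in use.
"""
import re

# Constructed sample inventory for one site (not from the thread).
ACCESS_PORTS = "1/1-8"
ALLOWED_MACS = ["00:20:da:9f:58:0c", "0020.da9f.580d", "00-20-DA-9F-58-0E",
                "0020.DA9F.580C"]          # last entry duplicates the first

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as lower-case xx:xx:xx:xx:xx:xx.

    Rejects malformed input, the all-zero address, and any multicast or
    broadcast address: those can never be a frame's source MAC, so an allow
    rule carrying one would silently match nothing and hide a typo.
    """
    raw = re.sub(r"[:\-.\s]", "", mac).lower()
    if not _HEX12.match(raw):
        raise ValueError(f"not a MAC address: {mac!r}")
    if raw == "000000000000":
        raise ValueError("all-zero MAC address")
    if int(raw[:2], 16) & 0x01:          # I/G bit set -> multicast or broadcast
        raise ValueError(f"multicast/broadcast address cannot be a source: {mac!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 12, 2))


def is_valid_source_mac(mac: str) -> bool:
    """True if normalize_mac() accepts the address."""
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


def dedupe(macs) -> list:
    """Normalise and drop duplicates, keeping first-seen order."""
    out = []
    for m in macs:
        n = normalize_mac(m)
        if n not in out:
            out.append(n)
    return out


def policy_config(ports: str, macs) -> list:
    """Option 1 in the thread: allow listed source MACs on the access port
    group, deny everything else arriving on the same ports.  Higher
    precedence wins, so the allow rule sits at 100 and the catch-all at 50.
    Assumed forms: 'policy mac group NAME mac ...' and 'disposition deny'."""
    return [
        f"policy port group ACCESS {ports}",
        "policy mac group MAC-OK " + " ".join(macs),
        "policy condition MAC-OK source port group ACCESS source mac group MAC-OK",
        "policy condition MAC-NOK source port group ACCESS",
        "policy action ALLOW",
        "policy action DENY disposition deny",
        "policy rule MAC-OK condition MAC-OK action ALLOW precedence 100",
        "policy rule MAC-NOK condition MAC-NOK action DENY precedence 50",
        "qos apply",
    ]


def vlan_rule_config(ports: str, macs, data_vlan=5, quarantine_vlan=99) -> list:
    """Option 2 in the thread: mobile ports default into a dead-end quarantine
    VLAN; only a MAC rule moves a known device into the data VLAN."""
    lines = [
        f"vlan port mobile {ports}",
        f"vlan {quarantine_vlan} name Quarantine",
        f"vlan {data_vlan} name Data",
        f"vlan {quarantine_vlan} port default {ports}",
    ]
    lines += [f"vlan {data_vlan} mac {m}" for m in macs]
    return lines


def port_security_config(port_macs: dict, violation: str = "restrict") -> list:
    """The fallback suggested at the end of the thread: each port accepts only
    its static MACs.  Keyword forms assumed: enable / maximum / mac / violation."""
    lines = []
    for port, macs in port_macs.items():
        good = dedupe(macs)
        lines.append(f"port-security {port} enable")
        lines.append(f"port-security {port} maximum {len(good)}")
        lines += [f"port-security {port} mac {m}" for m in good]
        lines.append(f"port-security {port} violation {violation}")
    return lines


if __name__ == "__main__":
    good = dedupe(ALLOWED_MACS)
    for title, block in (("policy", policy_config(ACCESS_PORTS, good)),
                         ("vlan rules", vlan_rule_config(ACCESS_PORTS, good)),
                         ("port-security", port_security_config({"1/1": good[:1], "1/2": good[1:]}))):
        print(f"! --- {title} ---")
        print("\n".join(block))
```

Run it as-is to print all three variants for the constructed site; swap in your own port range and MAC list at the top. Keeping the allowlist in one place and generating the switch lines from it also makes the per-site review easy: the thing you diff between locations is the list of MACs, not hand-typed CLI.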
Re: Simple MAC Filter
Exactly what I was needing. Thank you for your response (And sorry for my delay).
Re: Simple MAC Filter
I have another question, spawned from the original.
I implemented all MAC filtering using the mobile port method. It worked exactly as I needed. However, I would now like to apply MAC filtering to the primary switch, which feeds the access switch.
The access switches have three VLANs.
225 - Management
200 - Data
999 - Quarantine
Port 1/10 is serving as the trunk, with 225/200 Q-tagged, to the primary switch. I am MAC filtering locally, and all is well.
Port 1/10 on the access switch runs to port 1/23 on the primary switch. On the primary switch, I would also like to MAC filter on port 1/23. If I only had a single VLAN on the access switch, this would be simple if I defaulted everything; I tested as much on my bench. However, since I'm trunking/tagging two VLANs, it does not work as wanted.
Is it possible to MAC filter on the primary switch when the two VLANs in question are Q-tagged? As it sits right now, a rogue device could be inserted between the access switch and the primary switch, as the uplink is not filtered.
Re: Simple MAC Filter
Tagging is not possible on mobile ports. You can make port 1/23 on your primary switch mobile (without tagging) and keep port 1/10 tagged. Then you need "vlan 225 mobile-tag enabled" on the primary switch (same for 200). But don't forget that the access switch itself also has a MAC. I would suggest not doing it this way. The untagged VLAN is 999, so every rogue client attached directly to port 1/23 is in VLAN 999. That is okay. Also, I think there is a limit on the vlan-rule-mac commands, and you need these for all the MACs of all attached switches and clients.... not a good idea.
best regards
Silvio
Re: Simple MAC Filter
I am trying to get this working on my bench, just to get a feel for it, without luck, though. I cannot get the mobile port to function correctly. I even took it down to just a single switch and started testing with my Fluke, with no luck.
I have a switch online and communicating on VLAN 50.
- Mobile tagging is enabled for VLAN 50
- Fluke is set to use VLAN 50
- Port 1/1 defaults to VLAN 1 (dead end) and is set to mobile: Fluke does not communicate
- Port 1/2 is statically tagged for VLAN 50: Fluke communicates as expected
- Port 1/1 will not dynamically assign to VLAN 50
Re: Simple MAC Filter
I think there is another problem... I had forgotten. Your access switch sends BPDUs to the core (there, at the mobile port). And if a mobile port receives a BPDU, then the mobile function will be disabled. So this isn't possible this way.
You can use port security with all your MACs statically configured.
Re: Simple MAC Filter
I was able to find my way around port security, and I think that will work just fine. I am having one hang-up, though; I will create a new thread for it.
Thank you very much for your assistance.