VLAN Select - Interface dirty - Index based on Mac Address

Hello Experts,
We are testing the VLAN Select feature with a 5508 controller, version 7.0.230, and two /23 DHCP scopes on an external DHCP server. Our cookbook is the following document:
http://www.cisco.com/en/US/products/ps10315/products_tech_note09186a0080bb4900.shtml
Now I have a few questions:
1 - Is there any chance to see the calculated index, based on the MAC address, by which the interface is assigned to the client? I tried "debug client MAC-ADDRESS" and "debug dhcp". Maybe I overlooked it, but I can't find any information about that index.
2 - Is there a CLI command to delete the index? It would be great for testing purposes and troubleshooting.
3 - Is there a CLI command to see if the interface is "dirty"?
4 - Our DHCP server has a lease time of 5 minutes. Is it possible to set the interface dirty time to a value less than 30 minutes?
Best Regards,
Michael

I know this is an old post - but I ran across it trying to find an answer to the same questions.
Did you ever find any answers?  I did find an answer to question 3, show interface group detailed.
But I haven't found a way to delete the indexes short of rebooting all the controllers, and apparently you would have to reboot them all at the same time.

Similar Messages

  • Creating NAC remediation rules based on MAC address

    Hi All,
    Any idea please. Is it possible to control PCs allowed on the network based on MAC address list in NAC? I.e Create a list of MAC addresses for PCs on my network in NAC; then each pc granted network access (passed NAC authentication and remediation) on the network only if its MAC address is in that list.
    So my checks will be:
    1. Have antivirus updated
    2. Have antispyware updated
    3. Have windows updates installed
    4. Have MAC address registered in the MAC list
    5. etc.
    Then after the above checks pass --> GRANT network access.
    regards,
    Stanlaus.

    I have been doing some of this, and while it does provide some of the functionality that is lost without the ability to apply rules only to read messages, it is not a complete solution. One of the biggest drawbacks is that it is not easy to selectively limit what new mail shows up the smart mailbox. One approach that works, sort of, is to limit the smart mailbox to only messages from people in my address book. However, not all relevant messages are from people already in my mailbox, so it requires constantly double checking to make sure that things are slipping through the cracks.
    The best thing about being able to apply rules, after receiving them, based on the status of a message is that it puts the control in the users hands. It allows you to selectively apply rules, only when you want to apply them. Rather than always/never, you have the ability to apply rules "sometimes/as needed." It allows for fuzzy logic, rather than hard conditions.

  • Tcl script to change access vlan based on MAC address

    Hello all. I'm looking for some input on how best to handle this situation. I have a large network with a lot of remote offices where we have limited control over users moving around patch cables. We're using VLAN-based QoS in these offices to mark voice, video, data, etc. The problem I'm having is that our users are moving video conferencing equipment to different interfaces on our switches, which puts the VTC unit in a different VLAN, fouling our QoS policy. They then call and complain about poor video quality.
    I'm trying to come up with a way to automate putting the interface in the video VLAN if a VTC unit is connected. All of our video conferencing units are from the same vendor, so they have the same OUI in the MAC address. The script I've been working on looks for a line protocol up event, then checks to see what access VLAN is configured on the interface. If the interface is already in the video VLAN, the script exits. If the interface is not in the video VLAN, the script looks at the MAC address table for the interface and, if the OUI matches a VTC unit, the script changes the interface configuration. My question is, is there a better event to trigger script execution? Maybe a MAC notification trap, or something else? Line protocol transitions when the access VLAN is changed, so the current script runs twice: once when the interface first comes up with a new connection, and again when the VLAN is changed.
    Script is attached.  Any help or advice is appreciated!

    Does your video equipment use CDP?  If so, then you can use the neighbor-discovery event detector to only react when you see a media endpoint being connected to a port.  Yes, MAC address notifications (the mat ED) can also work if you know the MACs of your media endpoints.

  • VLAN Select (Interface groups) and Outdoor AP 1552

    Hi board,
    I'm just reading the 7.2 release configuration guide and found this:
    http://www.cisco.com/en/US/docs/wireless/controller/7.2/configuration/guide/cg_ports_interfaces.html#wp1384874
    Chapter VLAN Select - "Guidelines and Limitations"
    The following lightweight access points are  supported: Cisco Aironet 1120, 1230, 1130, 1040, 1140, 1240, 1250, 1260,  3500, 1522/1524 Access Points, and 800 Series access points
    Does anybody know if the 1552 outdoor AP (local mode) is supported with VLAN select? It's not listed in the config guide (as well as the 3600). I surely hope so :-)

    As long as the 1552 is in local mode, it has the same features as the other AP's listed and vlan select is one of them. If you change the role to bridge, then no.
    Sent from Cisco Technical Support iPhone App

  • DHCP to send different Gateways based on MAC-Addresses

    Hello,
    I would like to use the built-in DHCP server to send out different Gateways based on the clients' MAC-Addresses.
    I have already managed to assign "static" IP addresses using the DHCP server to specific MAC addresses.
    Is this possible or do I need additional software ?
    thanks for your help

    The basic IP networking construct here is the IP subnet (and the subnet mask); that's how you set up groups of related network hosts in an IP network. Hosts within a subnet tend to have the same DNS and gateway router and related pieces configured, and one DHCP server and such. (That's not strictly necessary, but...)
    Launch Server Admin, select the DHCP service, set up subnets via the DHCP service by subnet mask, and establish DNS and default router settings there for each of the subnets.
    Then set up static maps for the MAC address(es) associated with the hosts, and drop the static IP addresses into the particular subnet you want the host associated with.
    You will want to leave room in the subnet for both the DHCP allocations (if any) and for the static hosts mapped into the subnet via MAC address.
    There well may be a better way here, but this will get you where you want. (And the Network Services Administration manual - which you'll need to read - does seem a bit confusing around this particular sequence.)
    nb: I don't have a "scratch" Leopard Server configuration handy to test and confirm this sequence.
    nb: Xserve boxes require a little extra thought, given each Xserve box tends to have four MAC addresses.

  • IAS authentication with 200 series switches based on MAC addresses

    Hi,
    I try to implement a solution based on a 2003-Server with IAS and a switch (from the 200 series) just to authenticate machines with their MAC addresses.
    I think the config on the switch is ok but I'm facing questions about parameters to put in IAS...
    Can someone help me or give me a link to a good document that explains the 'how-to'?
    Many thanks

    I have just done some more testing.
    I added the authentication mac-move permit command to the switch and it now almost works as expected.
    The scenarios now are:
    Machine without dot1x supplicant plugged into phone, when unplugged the switch immediately deletes the mac address from the port.
    Machine with dot1x supplicant plugged into phone, exactly the same.
    Machine without dot1x plugged directly into port exactly the same
    Machine with dot1x plugged directly into port exactly the same.
    The problem is if someone has a machine running a dot1x supplicant and hosting a VM.
    In that case as long as you move to a different port on the same switch it works fine (as the workstation reconnects the mac-move process works).
    If you move this machine from one switch to another with the IP phone installed, the de-auth message removes the VM or the host from the original switch MAC table and leaves one of the old addresses behind.
    I suppose a solution would be to ban all VMs but that won't go down well.
    I don't want to change the authentication method as we will have machines without a supplicant that need to connect to resources (i.e. using mab)
    Thanks for your help (and a faster reply than my support company who still haven't rung me back).
    Giles

  • User Control System based on MAC address?

    I wonder how I can make a user control system for my website based on visitors' computers' MAC addresses?
    Is it possible to get MAC address of visitors of my site in FLASH? If possible how?
    Thanks for reply in advance

    Not possible through flash player. You may advocate javascript approach and use it in combination with Flash.

  • Duplicate MAC Addresses effect

    Hi All,
    I have a query regarding the entry of duplicate MAC entries in switch. I tried issuing the following command:-
    Switch(config)#mac address-table static 0007.e9f6.4fd2 vlan 1 interface fa0/2
    Switch(config)#mac address-table static 0007.e9f6.4fd2 vlan 1 interface fa0/3
    And after issuing the command, the resultant MAC table was as follows:-
    1 0007.e9f6.4fd1 STATIC Fa0/2 Fa0/3
    What does this signify? Where would a packet destined to this MAC address reach (I mean the port that it will reach)?
    Does it mean that there could be Network Load Balancing?
    Thanks,
    Sridhar.

    Hi,
    It will reach the port where the end system is connected. You just defined the MAC address as static on two ports; you will not connect the end system to two ports, so the port where your end system is connected will be up/up, and the port where the end system is not connected will be in the down state. Hope I am correct in this; if not, please correct me.
    Thanks
    Mahmood

  • Restrict vlan for mac address

    Hello sirs, I bought a sf300 48 and made 4 vlans.
    How can I restrict the mac address of device can be connect each vlan ? I just want allow the macs for vlan, dont need join the pc to a vlan.
    Thanks so much!

    Sorry for my bad eng, but I will try explain to you.
    I have 5 pcs on one vlan, this vlan is a security vlan for develop. I just want this computer can connect on this vlan. In the switch sf300 the 5 ports of sw is marked for this vlan. I want keep safe this ports for just the 5 mac address can connect on this.
    Understand?
    This is the translation from Google:
    I have a vlan that would have only 5 computers can connect them. Vlan This was made from a 5-point networks directly connected to the switch. I would like to prevent just these 5 computers can connect the network cable that vlan through the mac.
    thanks!!!!

  • How to find mac address with 10.7.2 on macbook air

    My dorm doesn't have wifi; we are required to submit our MAC address in order to connect to the internet with an internet cable.
    I have an Air with 10.7.2 and bought an Ethernet adapter, still can find my MAC address... please help me

    Use the System Information. To get to this, go to the Apple menu, select About this Mac, and click the System Report button.
    In the left column go to Network and select Wifi. Under interfaces select en1 and look for the MAC address.
    Alternatively you can use System Preferences > Network > Wi-Fi > Advanced button > Hardware tab > MAC address.
    Best of luck.

  • How to see mac address in IPS 4240 ???

    Hi all,
    How to see mac-address of inline-vlan-pair ?  and how to see mac-address of management interface in IPS ?
    Regards,
    Kiran

    Hello Kiran,
    The inline-vlan-pair itself is tied to a particular interface. So you're really asking for the MAC address of the interface associated with the inline-vlan-pair.
    The MAC address of sensing ports will be added to a "show interfaces" via CSCse84414. You can currently view the MAC address of sensing interfaces by doing an "ifconfig -a" from the service account.
    Thank you,
    Blayne Dreier
    Cisco TAC IDS Team
    **Please check out our Podcast**
    TAC Security Show: http://www.cisco.com/go/tacsecuritypodcast

  • ACS V4.1 How to separate MAC addresses in an Authentication rule....?

    I'm configuring Agentless Authentication based on MAC addresses sent from the access switch using MAB (MAC Authentication Bypass). I got it up and running, but with just one MAC address configured in the Authentication rule. When I try to configure more than one address in the rule, I get an error saying this is not a MAC address. How do you separate the MAC entries in the same Authentication rule? The doc says you can configure 10.000 addresses in one rule.

    The ACS can authenticate MAC addresses sent from an AP/Switch. A properly configured AP/Switch will attempt to authenticate a MAC address using Secure-PAP authentication with the ACS. The MAC addresses are entered into the ACS as users, with the username and password being the MAC address.
    1. From the ACS main menu, click on the USER SETUP button.
    2. In the USER text box, type the MAC address to add to the user database. Use no dashes, periods, or any other delimiter.
    At the USER SETUP screen, enter the MAC address in the SECURE-PAP PASSWORD text box.
    3. Click the SUBMIT button.
    Adding the AP/Switch to the ACS server
    1. From the ACS main menu click on the NETWORK CONFIGURATION button.
    2. Click on the ADD ENTRY button.
    3. Configure the DNS name of the AP, the IP address of the AP, the RADIUS shared secret and the Authentication method.
    4. Make sure to select RADIUS (Cisco Aironet) in the AUTHENTICATE USING drop down menu.
    5. To complete, click the SUBMIT+RESTART button.

  • Facing issues on binding VFC to a MAC-Address on Nexus 5010

    Hello,
    After creating a VFC interface, I am binding it to Ethernet MAC-Address of the CNA. On the wireshark trace it is observed that the initiator is sending a VLAN request but there is no response from the switch hence no FLOGI is seen.
    Although when I bind the VFC to the Ethernet interface, everything works well and the initiator logs into the switch. Is there an extra config that needs to be done while a VFC is bound to a MAC?
    Thanks,
    Somayajulu

    No other special configuration.. Just make sure the MAC address is correct one. If this interface connects to a single CNA/Server, you could just bind it to physical ethernet interface. Binding to a MAC address is needed only if you have multiple servers connected on the interface through a FIP snooping device.

  • Cisco Aironet 1240 AG Access Point - configure Mac Address using Telnet

    Hi there,
    I’ve got a problem hopefully someone can help me with. I have the above mentioned AP and it is configured, working well and providing wireless access to several laptops on our domain.
    The thing is I can’t get access to the web-based interface to add new laptops Mac addresses to the AP as I currently have them secured with local list Mac address authentication but my user name and password when entered in the web browser login dialog box won’t allow me in although strangely it does allow me to login using the same credentials when I telnet into the AP.
    Does anyone know why I can’t get logged in using the web interface even though the user name and password does appear to be correct as I can telnet in? Also if you have any suggestions how I could sort this without having to perform the password recovery procedure, as I don’t want all the config on the AP wiped and want to avoid having the set the whole thing up again.
    As a workaround, if anyone knows what the commands are to allow me to add the MAC addresses of the new laptops so they are added to the local list MAC address authentication list so the new laptops are secured, that would be great.
    Thanks in anticipation,
    Tony

    Your AP is probably configured to use the enable secret as the password. Try entering nothing for the username, and enter your enable secret for the password ('Cisco' by default).
    If that doesn't work, post your running-config and we'll be able to see why it's doing that. It's a standard configuration, and no worries because wiping the AP won't be necessary since you can successfully Telnet in.
    Jeff

  • Mac-Address Different format for Authorization on Cisco ISE

    Dear All,
    I have problem with my Cisco ISE,
    This is the design :
    ISE ---- Core Switch ---- 3Com Switch --- PC User
    My Case:
    Authorization is based on Mac-address and Active Directory,
    But a user with a PC that connects to the 3Com switch is denied by ISE because the MAC address format is different from Cisco's,
    Mac-address Cisco format :  XX:XX:XX:XX:XX:XX
    Mac-address 3Com format :  XXXX-XXXX-XXXX
    3Com Switch type is TRICOM 4210 26-PORT.
    Does anyone have experience with this? And how can I change the MAC address format on the 3Com so the user can be authorized by Cisco ISE?
    Note:
    Authorization based on Active Directory is not a problem with the 3Com switch.
    Based on my experience, different products use different MAC address formats, so this case is not only for the 3Com switch.
    Thanks,
    Arika Wahyono

    I do not think Cisco will add these vendors to the supported switch matrix because then it would be a support issue that cisco would have to deal with, much like most of the AD issues I experienced when I worked in TAC. Your best bet would be to run the evaluation license instance in a lab and have a 3com switch point against that.
    Other than that I do not recommend upgrading to 1.2 without validating that the new "multi-vendor" MAB support will work on your switch.
    PS - Keep in mind that my comments are just my opinion, so you may need to open a TAC case for an official answer.
    Tarik Admani
    *Please rate helpful posts*
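
An added example, not from any of the posts or from Cisco: canonicalising the MAC layouts quoted in the threads above (colon pairs, the 3Com XXXX-XXXX-XXXX form, the dotted switch CLI form, and the delimiter-free ACS user name) before comparing an observed identity against an allow list. The function names, style labels and sample addresses are constructed for illustration, and lowercase output is a choice made here.

```python
import re

# Layouts quoted in the threads above; hex case is ignored on input.
_LAYOUTS = (
    r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}",    # XX:XX:XX:XX:XX:XX
    r"(?:[0-9a-f]{4}-){2}[0-9a-f]{4}",    # XXXX-XXXX-XXXX (3Com post)
    r"(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}",   # xxxx.xxxx.xxxx (switch CLI)
    r"[0-9a-f]{12}",                      # no delimiter (ACS user name)
)
_VALID = re.compile("|".join(f"(?:{p})" for p in _LAYOUTS))


def canonical(raw):
    """Return 12 lowercase hex digits; reject mixed or malformed layouts."""
    text = raw.strip().lower()
    if not _VALID.fullmatch(text):
        raise ValueError(f"unrecognised MAC layout: {raw!r}")
    return re.sub(r"[:.\-]", "", text)


def render(raw, style):
    """Re-emit a MAC in one of the layouts above (style names are hypothetical)."""
    bare = canonical(raw)
    if style == "bare":
        return bare
    size, sep = {"colon": (2, ":"), "hyphen4": (4, "-"), "dot4": (4, ".")}[style]
    return sep.join(bare[i:i + size] for i in range(0, 12, size))


def check_against_allowlist(allowlist, observed):
    """Classify each observed identity as 'allowed', 'denied' or 'malformed'.

    Both sides are canonicalised first, so a layout difference alone can
    never turn a registered device into a deny.
    """
    allowed = {canonical(m) for m in allowlist}
    verdicts = {}
    for raw in observed:
        try:
            verdicts[raw] = "allowed" if canonical(raw) in allowed else "denied"
        except ValueError:
            verdicts[raw] = "malformed"
    return verdicts


# Constructed sample data (not taken from any real network).
ALLOWLIST = ["00:11:22:AA:BB:CC", "0011.22aa.bb01"]
OBSERVED = ["0011-22aa-bbcc", "001122aabb01", "00:11:22:aa:bb:02", "00:11-22aa.bbcc"]

if __name__ == "__main__":
    for mac, verdict in check_against_allowlist(ALLOWLIST, OBSERVED).items():
        print(f"{mac:20} {verdict}")
```

Rejecting mixed layouts instead of stripping every delimiter keeps typos in an allow list from silently matching a different device.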
