Access Security Guide K/KA/KB.15.15
aaa port-access local-mac profile "corp-phone-prof" vlan tagged 5
(for corporate IP phones)
aaa port-access local-mac profile "wlan-ap-prof" vlan untagged 10 tagged 12-14
(for WLAN APs)
2. Associate MACs to these profiles
aaa port-ac local-mac apply profile corp-switch-prof mac-oui 001080
aaa port-ac local-mac apply profile corp-pc-prof mac-addr 002622bba7ac
aaa port-ac local-mac apply profile rest-pc-prof mac-mask 002622bb/32 mac-mask 002622bc/32
aaa port-ac local-mac apply profile corp-phone-prof mac-oui 008011
aaa port-ac local-mac apply profile "wlan-ap-prof" mac-oui 008012
3. Configure guest VLAN
aaa port-ac local-mac <ports> unauth-vid 99
4. Enable LMA on ports
aaa port-ac local-mac <ports>
Configuration using mac-groups
1. Create 3 LMA profiles
aaa port-access local-mac profile "corp-pc-prof" vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile "rest-pc-prof" vlan untagged 3
(for the rest of PCs)
aaa port-access local-mac profile "corp-phone-prof" vlan tagged 5
(for phones)
2. Create 3 different mac-groups
aaa port-ac local-mac mac-group "corp-pc-grp" mac-addr 002622bba7ac
(for corporate PCs)
aaa port-ac local-mac mac-group "rest-pc-grp" mac-mask 002622bb/32 002622bc/32
(for the rest of PCs)
aaa port-ac local-mac mac-group "corp-phone-grp" mac-oui 008011
(for phones)
3. Associate groups to profiles
aaa port-ac local-mac apply profile corp-pc-prof mac-group corp-pc-grp
aaa port-ac local-mac apply profile rest-pc-prof mac-group rest-pc-grp
aaa port-ac local-mac apply profile corp-phone-prof mac-group corp-phone-grp
4. Enable LMA on ports
aaa port-ac local-mac-auth <ports>
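An added example (not from the guide): a Python model of the mac-group configuration above, showing which profile a given client MAC lands in and where two entries overlap. The longest-prefix-wins precedence and the reuse of unauth-vid 99 from the earlier example are assumptions, not statements of how the switch resolves overlapping entries.

```python
# Added example: models the mac-group configuration above. Precedence
# (longest matching prefix wins) is an assumption, not taken from the guide.

PROFILES = {  # profile name -> VLAN assignment, from step 1
    "corp-pc-prof": "untagged 2",
    "rest-pc-prof": "untagged 3",
    "corp-phone-prof": "tagged 5",
}
# (profile, hex prefix, prefix length in bits), from steps 2 and 3
RULES = [
    ("corp-pc-prof", "002622bba7ac", 48),  # mac-addr: full address
    ("rest-pc-prof", "002622bb", 32),      # mac-mask 002622bb/32
    ("rest-pc-prof", "002622bc", 32),      # mac-mask 002622bc/32
    ("corp-phone-prof", "008011", 24),     # mac-oui: vendor prefix
]
GUEST_VLAN = "unauth-vid 99"  # assumed: guest VLAN as in the earlier example


def normalize(mac: str) -> str:
    """Strip separators and return 12 lowercase hex digits."""
    digits = "".join(c for c in mac.lower() if c not in ":-.")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def resolve(mac: str):
    """Return (profile or None, VLAN assignment) for a client MAC."""
    digits = normalize(mac)
    hits = [(bits, prof) for prof, prefix, bits in RULES
            if digits.startswith(prefix)]
    if not hits:
        return None, GUEST_VLAN       # no entry matched: guest VLAN
    bits, prof = max(hits)            # most specific entry wins (assumption)
    return prof, PROFILES[prof]


def overlaps():
    """Entries whose prefix contains a longer entry bound to another profile."""
    return [(a[1], b[1]) for a in RULES for b in RULES
            if a[2] < b[2] and b[1].startswith(a[1]) and a[0] != b[0]]


if __name__ == "__main__":
    # Constructed sample client addresses
    for mac in ["00:26:22:bb:a7:ac", "0026.22bb.0001",
                "00-80-11-12-34-56", "001122334455"]:
        print(mac, resolve(mac))
    print("overlapping entries:", overlaps())
```

The overlap report flags that 002622bba7ac also falls inside 002622bb/32, so the corporate PC would receive the rest-pc-prof VLAN if its mac-addr entry were removed.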
Configuration without using mac-groups
1. Create 3 LMA profiles
aaa port-access local-mac profile "corp-pc-prof" vlan untagged 2
(for corporate PCs)
aaa port-access local-mac profile "rest-pc-prof" vlan untagged 3
120 Local MAC Authentication