MAC port security with diagnostic equipment

Unanswered Question
Apr 23rd, 2007

I have recently started to implement MAC address based port security on 4507s. I can get the ports secure and everything is working fine; however, how do I handle having a diagnostic device on the port eventually?


I tried to use a statically assigned address for my Fluke on every port, but I get a message saying it's a duplicate. It seems like I'm not able to have the same MAC address allowed on more than 1 port, which makes sense. What can be done for test equipment, though? I suppose I can remove the port security every time I need to test a port, but that seems rather tedious.

Amit Singh (Cisco Employee) Mon, 04/23/2007 - 09:13

What is the configuration that you have done on the switchports? Have you done static mac-address config or sticky mac-address config on the switchports?


You can increase the MAX-MAC count to 2 on the switchports. By default the MAX mac count on the switchports is 1. Unless the mac-address is statically configured on the switchport or learned through the "dynamic sticky" method, the mac-address wipes out from the switchport the moment you disconnect the PC from the port.


http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31a/config/port_sec.htm#wp1074186


HTH,

-amit singh

ybajpai Mon, 04/23/2007 - 09:16

From the point of view of the Catalyst Switch, the diagnostic equipment is just any other host attempting to send traffic on that port.


If your diagnostic tool is a layer 1 device then it most probably won't have any mac-address and will not send out "ethernet" packets (as they are at data-link layer 2). So it will not interfere with port security.


However, if your device is a layer 2 tool sending/receiving ethernet packets then the switch is bound to complain about port security violations.


How about clearing the port security binding on that port with a clear port-security command? You can issue this command, do your testing, issue it again and connect the original host. That should do the trick!
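Both answers above describe the same two workable options: raise the per-port maximum to 2 so the tester can be learned alongside the permanent host (Amit Singh), or clear the learned binding before and after a test (ybajpai). The configuration below is an added example written for this thread, not from either poster or from Cisco documentation. It assumes a Catalyst 4500 access port GigabitEthernet2/1, VLAN 10, and a constructed MAC address 0011.2233.4455 for the permanent host; it also sets the violation mode to restrict so a stray frame from a tester logs a violation instead of err-disabling the port.

```cisco
! Added example (not from the original posts). Assumes interface
! GigabitEthernet2/1, VLAN 10, and constructed host MAC 0011.2233.4455.
!
! Option 1 (first answer): allow two addresses on the port. The permanent
! host is configured statically; the second slot is learned on demand and
! retained as a sticky entry, so a diagnostic tool can be attached without
! tripping a violation and without reconfiguring the port.
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address sticky
!
! Checks before and after a test: which addresses are bound to the port,
! how many are allowed, and whether the violation counter moved.
show port-security interface GigabitEthernet2/1
show port-security address
!
! Option 2 (second answer): keep maximum 1 and instead drop the learned
! binding right before the test, then again before the original host is
! reconnected. Only dynamic/sticky entries are removed; the statically
! configured address above is left in place.
clear port-security dynamic interface GigabitEthernet2/1
clear port-security sticky interface GigabitEthernet2/1
```

A few points worth keeping in mind. The duplicate error the asker hit is expected: a secure static address can be bound to only one port, so a tester's MAC cannot be pre-authorised everywhere, which is why a free second slot (option 1) or an explicit clear (option 2) is needed. With option 1 the sticky entry learned from the tester stays in the running configuration until it is cleared, so clearing it after the test (the last two commands) is still the right habit, and it should be done before saving the configuration, or the tester's address becomes a permanent allowed entry on that port. Choosing restrict rather than the default shutdown means a test never takes the port down, but it also means violations are only visible through the counter in show port-security and the generated syslog/SNMP notifications, so those should be watched rather than assumed to be noise from testing.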
