MAC port security with diagnostic equipment

rolandshum
Level 1

I have recently started to implement MAC address-based port security on 4507s. I can get the ports secured and everything is working fine; however, how do I handle having a diagnostic device on the port eventually?

I tried to use a statically assigned address for my Fluke on every port, but I get a message saying it's a duplicate. It seems like I'm not able to have the same MAC address allowed on more than one port, which makes sense. What can be done for test equipment, though? I suppose I can remove the port security every time I need to test a port, but that seems rather tedious.

2 Replies

Amit Singh
Cisco Employee

What is the configuration that you have done on the switchports? Have you done static mac-address config or sticky mac-address config on the switchports?

You can increase the MAX-MAC count to 2 on the switchports. By default the MAX MAC count on the switchports is 1. Unless the mac-address is statically configured on the switchport or learned through the "dynamic sticky" method, the mac-address is wiped from the switchport the moment you disconnect the PC from the port.

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat4000/12_2_31a/config/port_sec.htm#wp1074186

HTH,

-amit singh
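A concrete configuration for the approach Amit describes (raise the secure-address limit so the regular host and a tester can share the port), added here as an illustration rather than taken from the thread or from Cisco's documentation. The interface names, VLAN and MAC address are made up for the example; the commands are standard Catalyst IOS port-security syntax.

```ios
! Assumed: a Catalyst 4500 access port, Gi1/1, that normally serves one PC.
! Everything here is illustrative; it is not configuration from the thread.
interface GigabitEthernet1/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 ! default maximum is 1; allow the regular host plus one diagnostic device
 switchport port-security maximum 2
 ! learn the PC's address once and keep it in the running-config (sticky)
 switchport port-security mac-address sticky
 ! restrict = drop frames from extra addresses and count/log them,
 ! but do not err-disable the port
 switchport port-security violation restrict
!
! Alternative for the host slot: a statically configured secure address
! (made-up value). The same static address cannot be configured on a second
! port, which is the "duplicate" message in the original question.
interface GigabitEthernet1/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation restrict
!
! Verify what has actually been secured (privileged EXEC)
show port-security interface GigabitEthernet1/1
show port-security interface GigabitEthernet1/1 address
```

Two caveats worth checking before rolling this out: a maximum of 2 admits any second device on the port, not only the tester, so the control is weaker than a maximum of 1; and with sticky learning the first tester plugged in is written into the running-config as a permanent second address. If the tester slot is meant to be temporary, remove its entry afterwards with clear port-security sticky address 0011.2233.4455 (substituting the tester's real address), or leave the second slot to dynamic learning, which is dropped when the link goes down.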

ybajpai
Level 1

From the point of view of the Catalyst Switch, the diagnostic equipment is just any other host attempting to send traffic on that port.

If your diagnostic tool is a Layer 1 device, then it most probably won't have any MAC address and will not send out "Ethernet" packets (as those are at the Data Link layer, Layer 2). So it will not interfere with port security.

However, if your device is a Layer 2 tool sending/receiving Ethernet packets, then the switch is bound to complain about port security violations.

How about clearing the port security binding on that port with the clear port-security command? You can issue this command, do your testing, issue it again and connect the original host. That should do the trick!
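The clear-test-clear sequence ybajpai suggests, written out as a CLI session and added here as an example, not as commands from the thread. It assumes port security on Gi1/1 with the default maximum of 1; the interface name is made up. The show and clear lines are privileged EXEC commands, the interface and errdisable lines are global configuration.

```ios
! Assumed: Gi1/1 secured with the default maximum of 1. Interface name is
! made up; this is an added example, not configuration from the thread.
!
! 1. Inspect the current state before unplugging the host.
show port-security interface GigabitEthernet1/1
show port-security interface GigabitEthernet1/1 address
!
! 2. Free the secure slot so the tester's address can be learned. Use the
!    keyword that matches how the host's address got there:
!    dynamic    - learned, not sticky (also dropped when the link goes down)
!    sticky     - learned and saved to running-config; clearing removes it there too
!    configured - entered by hand with "switchport port-security mac-address"
clear port-security dynamic interface GigabitEthernet1/1
clear port-security sticky interface GigabitEthernet1/1
clear port-security configured interface GigabitEthernet1/1
!
! 3. Connect the tester, run the test, then repeat step 2 before reconnecting
!    the original host.
clear port-security dynamic interface GigabitEthernet1/1
!
! 4. If the tester was plugged in before the slot was cleared and the port's
!    violation mode is "shutdown" (the default), the port is now err-disabled.
show port-security interface GigabitEthernet1/1
show interfaces GigabitEthernet1/1 status
!    Recover it by bouncing the interface (global configuration mode).
interface GigabitEthernet1/1
 shutdown
 no shutdown
!
! Optional: recover ports err-disabled by port security automatically
! after 300 seconds instead of bouncing them by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Note that clearing a configured (static) entry only removes it from the address table; the switchport port-security mac-address line stays in the running-config and is re-applied on the next reload, so for a permanently replaced host use no switchport port-security mac-address on the interface instead. Step 4 is the part most often missed: a violation in shutdown mode takes the port down for the original host as well, which is why the restrict or protect violation modes are usually preferred on ports that see occasional test equipment.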
