Help needed on port security

Unanswered Question
Jul 25th, 2007

Hi,


I have a department that has been physically residing in a common area. We have a 2960 switch in that common area connected to the users of my department. I want to implement port-security so that no other user can connect to the switch ports lying in the common area and access my network. I want the switchports to be accessible only by the network devices of my company.


For this I've gathered the mac-addresses of all our machines. When I enabled port-security and configured one switch port with all the mac-addresses it was OK. But when I was planning to enter the same on the second port, it throws out an error: "Found duplicate mac-address 0014.38ce.0410".


I've configured one of the user ports as:

interface FastEthernet0/11
 switchport mode access
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address 0014.38ce.0410
 switchport port-security mac-address 0017.088a.ef0b
 spanning-tree portfast


When I tried to copy the same configuration under any other port, it goes like this:

Switch(config)#int fa0/13
Switch(config-if)# switchport port-security mac-address 0014.38ce.0410
Found duplicate mac-address 0014.38ce.0410.
Switch(config-if)# switchport port-security mac-address 0017.088a.ef0b
Found duplicate mac-address 0017.088a.ef0b.


Regards,

Subhash.




cisconoobie Wed, 07/25/2007 - 13:48

I'm not really sure about the port-security problem you're having. If all else fails, look into IP Source Guard and DHCP snooping. You can probably tweak it to do what you're looking for.

palukuri77 Wed, 07/25/2007 - 13:54

Hi


I've around 20 mac-addresses on my LAN. I would like to allow all 20 mac-addresses on all the switchports of the 2960 switch. How can it be configured? I prefer the simplest configuration, which I think should run as follows:


int fa0/2
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
 switchport port-security mac-address 0000.0001.0003
 switchport port-security mac-address 0000.0001.0004
 switchport port-security mac-address 0000.0001.0005
 switchport port-security mac-address 0000.0001.0006

int fa0/3
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
 switchport port-security mac-address 0000.0001.0003
 switchport port-security mac-address 0000.0001.0004
 switchport port-security mac-address 0000.0001.0005
 switchport port-security mac-address 0000.0001.0006

int fa0/4
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
 switchport port-security mac-address 0000.0001.0003
 switchport port-security mac-address 0000.0001.0004
 switchport port-security mac-address 0000.0001.0005
 switchport port-security mac-address 0000.0001.0006


and so on... Is it possible to do like this?


Regards,

Subhash.




Edison Ortiz Wed, 07/25/2007 - 14:58

If you have all mac-addresses documented then the process is simple.


Copy and paste the mac-addresses as part of the switchport port-security command and you can configure all ports at once on a switch by using the interface range command.


For instance, if you want to configure port 1-24


interface range f0/1-24
 switchport port-security
 switchport port-security mac-address 0000.0001.0002



palukuri77 Wed, 07/25/2007 - 21:37

Hi, thanks for your response. In fact I've done it the same way. But unfortunately the commands kicked back after taking the mac-address commands under one interface. I mean it's throwing out the following error when the system is trying to copy the command set under the second interface:


Switch(config)#int fa0/13
Switch(config-if)# switchport port-security mac-address 0014.38ce.0410
Found duplicate mac-address 0014.38ce.0410.
Switch(config-if)# switchport port-security mac-address 0017.088a.ef0b
Found duplicate mac-address 0017.088a.ef0b.



Am I missing anything else? As far as I know, and even as you conveyed, I was doing the simplest procedure: I just arranged the list of all the mac-addresses which I want to secure and tried to copy it under all the interfaces with a range command.


Regards,

Subhash.

rajatsetia Wed, 07/25/2007 - 23:07

Hi Subhash,


As Edison said, apply port security on a range of interfaces rather than applying it interface by interface.


interface range f0/1-24
 switchport port-security
 switchport port-security mac-address....1
 switchport port-security mac-address....2
 switchport port-security mac-address....3


rgds

palukuri77 Wed, 07/25/2007 - 23:16

Hello,


I'm quite aware of the range commands. In fact my range of ports is from 12-48.


And when I started issuing the command, it started throwing out the message "duplicate entry found"...


I hope you guys understand my problem now.


Thanks,

Subhash.

rajatsetia Thu, 07/26/2007 - 01:22

Hi Subhash,


I have explored this and have the following inputs:


--> IOS would not allow you to add the MAC address to more than one port. The documentation supports this by saying that a security violation has occurred if a protected MAC address is seen on a different port.


Adding a static secure MAC address entry to a port creates a static CAM table entry mapping the MAC address to the port. With this in mind, adding the same secure MAC address to two ports would result in multiple entries in the CAM table for that address... not good, hmm.


CISCO 2950 CAVEATS QUOTE:


If you configure a static secure MAC address on an interface before enabling port security on the interface, the same MAC address is allowed on multiple interfaces. If the same MAC address is added on multiple ports before enabling port security and port security is later enabled on those ports, only the first MAC address can be added to the hardware database. If port security is first enabled on the interface, the same static MAC address is not allowed on multiple interfaces. (CSCdz74685)


AND NOW THE SOLUTION PART


You can try the MAC ACL option:


mac access-list extended allow-MAC
 permit host xxxx.xxxx.xxxx any

int fa0/1
 mac access-group allow-MAC in
int fa0/2
 mac access-group allow-MAC in


This will only allow the above MAC to access the ports where the ACL is applied.


Check out the link below and search for "mac access-list":


http://www.cisco.com/en/US/products/ps6406/products_command_reference_chapter09186a00805f46f1.html#wp2782860


HTH, rate if it does help... :)


Regards

Rajat Setia
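A small generator, added here as an example and not code from any post in the thread, that turns a device inventory into the two configurations discussed above: per-port static secure MACs, where the generator refuses an inventory that lists one MAC on two ports rather than letting the switch reject the second paste halfway through with "Found duplicate mac-address", and the MAC ACL allow-list applied to an interface range. The inventory format (a list of (mac, port) tuples), the ACL name allow-MAC and the third sample MAC are this example's own assumptions; the two real MACs come from the thread. One check before relying on the ACL path: the Catalyst 2960/3560 configuration guides describe MAC extended ACLs on a Layer 2 port as filtering non-IP traffic, with IP packets matched by IP ACLs, so test it against IP traffic from an unlisted MAC on the actual platform and IOS release before treating the ports as locked down.

```python
"""Generate Catalyst port-security and MAC-ACL config from a device inventory.

Added example, not code from the thread. Two strategies are produced:
  * port_security_config(): static secure MACs, one port per MAC. IOS binds a
    static secure MAC to a single port, so the generator refuses an inventory
    that lists the same MAC on two ports instead of letting the switch reject
    the second paste halfway through ("Found duplicate mac-address ...").
  * mac_acl_config(): one MAC allow-list applied to a range of ports, for the
    "any company device on any port" requirement.
The inventory format (list of (mac, port) tuples) and the ACL name are this
example's own assumptions.
"""
import re
from collections import defaultdict

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Accept 00:14:38:CE:04:10, 00-14-38-ce-04-10 or 0014.38ce.0410 and
    return the dotted lower-case form that IOS prints and expects."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def bind_macs_to_ports(assignments):
    """Return {mac: port}. Raise ValueError if one MAC is assigned to two
    different ports, mirroring the switch's own duplicate check."""
    bound = {}
    for mac, port in assignments:
        mac = normalize_mac(mac)
        if mac in bound and bound[mac] != port:
            raise ValueError(
                f"duplicate mac-address {mac}: already on {bound[mac]}, "
                f"cannot also secure it on {port}")
        bound[mac] = port
    return bound


def port_security_config(assignments, violation="shutdown"):
    """IOS lines for per-port static secure MACs.

    'switchport port-security' is emitted before the mac-address lines so the
    switch applies its duplicate check at paste time: per the CSCdz74685
    caveat quoted in the thread, MACs added before enabling port security
    are accepted on several ports and only the first reaches hardware.
    """
    by_port = defaultdict(list)
    for mac, port in bind_macs_to_ports(assignments).items():
        by_port[port].append(mac)
    lines = []
    for port in sorted(by_port):
        macs = by_port[port]
        lines += [
            f"interface {port}",
            " switchport mode access",
            f" switchport port-security maximum {len(macs)}",
            f" switchport port-security violation {violation}",
            " switchport port-security",
        ]
        lines += [f" switchport port-security mac-address {m}" for m in macs]
        lines.append(" spanning-tree portfast")
    return lines


def mac_acl_config(macs, port_range, acl_name="allow-MAC"):
    """IOS lines for a shared allow-list: every listed MAC is permitted on
    every port in port_range; anything else hits the ACL's implicit deny."""
    allowed = sorted({normalize_mac(m) for m in macs})
    lines = [f"mac access-list extended {acl_name}"]
    lines += [f" permit host {m} any" for m in allowed]
    lines += [f"interface range {port_range}", f" mac access-group {acl_name} in"]
    return lines


if __name__ == "__main__":
    # Constructed inventory: the two MACs from the thread plus one made-up one.
    inventory = [
        ("0014.38ce.0410", "FastEthernet0/11"),
        ("0017.088a.ef0b", "FastEthernet0/11"),
        ("00:00:00:01:00:02", "FastEthernet0/13"),
    ]
    print("\n".join(port_security_config(inventory)))
    print()
    print("\n".join(mac_acl_config([m for m, _ in inventory], "fa0/12 - 48")))
```

Run it and paste the output into configuration mode; if the inventory maps a MAC to two ports, the script stops before anything reaches the switch, which is the point at which the thread's "Found duplicate mac-address" error would otherwise have appeared.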
