Help needed on port security

palukuri77

Hi,

I have a department that physically resides in a common area. We have a 2960 switch in that common area connected to the users of my department. I want to implement port security so that no other user can connect to the switch ports lying in the common area and access my network. I want the switchports to be accessible only to the network devices of my company.

For this I've gathered the MAC addresses of all our machines. When I enabled port security and configured one switch port with all the MAC addresses it was OK. But when I was about to enter the same on the second port, it threw an error: "Found duplicate mac-address 0014.38ce.0410".

I've configured one of the user ports as:

interface FastEthernet0/11
 switchport mode access
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address 0014.38ce.0410
 switchport port-security mac-address 0017.088a.ef0b
 spanning-tree portfast

When I try to copy the same configuration under any other port, it goes like this:

Switch(config)#int fa0/13
Switch(config-if)# switchport port-security mac-address 0014.38ce.0410
Found duplicate mac-address 0014.38ce.0410.
Switch(config-if)# switchport port-security mac-address 0017.088a.ef0b
Found duplicate mac-address 0017.088a.ef0b.

Regards,

Subhash.


cisconoobie

I'm not really sure about the port-security problem you're having. If all else fails, look into IP Source Guard and DHCP snooping. You can probably tweak it to do what you're looking for.

Hi

I have around 20 MAC addresses on my LAN. I would like to allow all 20 MAC addresses on all of the switchports on the 2960 switch. How can it be configured? I prefer the simplest configuration, which I think should run as follows:

int fa0/2
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
 switchport port-security mac-address 0000.0001.0003
 switchport port-security mac-address 0000.0001.0004
 switchport port-security mac-address 0000.0001.0005
 switchport port-security mac-address 0000.0001.0006

int fa0/3
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
 switchport port-security mac-address 0000.0001.0003
 switchport port-security mac-address 0000.0001.0004
 switchport port-security mac-address 0000.0001.0005
 switchport port-security mac-address 0000.0001.0006

int fa0/4
 switchport port-security
 switchport port-security mac-address 0000.0001.0002
 switchport port-security mac-address 0000.0001.0003
 switchport port-security mac-address 0000.0001.0004
 switchport port-security mac-address 0000.0001.0005
 switchport port-security mac-address 0000.0001.0006

and so on... Is it possible to do like this?

Regards,

Subhash.

If you have all MAC addresses documented, then the process is simple.

Copy and paste the MAC addresses as part of the switchport port-security command, and you can configure all ports at once on a switch by using the interface range command.

For instance, if you want to configure ports 1-24:

interface range f0/1-24
 switchport port-security
 switchport port-security mac-address 0000.0001.0002

Hi, thanks for your response. In fact, I've done it the same way. But unfortunately the commands got kicked back after it accepted the mac-address commands under one interface. I mean it throws the following error when the system tries to copy the command set under the second interface:

Switch(config)#int fa0/13
Switch(config-if)# switchport port-security mac-address 0014.38ce.0410
Found duplicate mac-address 0014.38ce.0410.
Switch(config-if)# switchport port-security mac-address 0017.088a.ef0b
Found duplicate mac-address 0017.088a.ef0b.

Am I missing anything else? As far as I know, and as you also conveyed, I was following the simplest procedure: I just arranged the list of all the MAC addresses I want to secure and tried to copy it under all the interfaces with a range command.

Regards,

Subhash.

Hi Subhash,

As Edison said, apply port security on a range of interfaces rather than applying it interface by interface.

interface range f0/1-24
 switchport port-security
 switchport port-security mac-address....1
 switchport port-security mac-address....2
 switchport port-security mac-address....3

rgds

Hello,

I'm quite aware of the range commands. In fact, my range of ports is from 12-48.

And when I started issuing the command, it started throwing out the message "duplicate entry found"...

I hope you guys understand my problem now.

Thanks,

Subhash.

Hi Subhash,

I have explored this and have the following inputs:

--> IOS would not allow you to add the MAC address to more than one port. The documentation supports this by saying a security violation has occurred if a protected MAC address is seen on a different port.

Adding a static secure MAC address entry to a port creates a static CAM table entry mapping the MAC address to the port. With this in mind, adding the same secure MAC address to two ports would result in multiple entries in the CAM table for that address... not good, hmm.

CISCO 2950 CAVEATS QUOTE:

If you configure a static secure MAC address on an interface before enabling port security on the interface, the same MAC address is allowed on multiple interfaces. If the same MAC address is added on multiple ports before enabling port security and port security is later enabled on those ports, only the first MAC address can be added to the hardware database. If port security is first enabled on the interface, the same static MAC address is not allowed on multiple interfaces. (CSCdz74685)

AND NOW THE SOLUTION PART

You can try the MAC ACL option:

mac access-list extended allow-MAC
 permit host xxxx.xxxx.xxxx any

int fa0/1
 mac access-group allow-MAC in

int fa0/2
 mac access-group allow-MAC in

This will only allow the above MAC to access the ports where the ACL is applied.

Check out the link below and search for mac access-list:

http://www.cisco.com/en/US/products/ps6406/products_command_reference_chapter09186a00805f46f1.html#wp2782860

HTH, rate if it does help... :)

Regards

Rajat Setia
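As an added example (not code from this thread or from Cisco), a small Python helper that audits a running-config for the exact condition the thread hits, the same static secure MAC pinned under more than one interface, and that generates the MAC ACL allow-list Rajat describes from a single list of company MACs. The config text, the `allow-MAC` name and the interface names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed running-config fragment mirroring the thread: the same static
# secure MAC configured under two access ports (the condition IOS rejects).
SAMPLE_CONFIG = """\
interface FastEthernet0/11
 switchport mode access
 switchport port-security maximum 4
 switchport port-security
 switchport port-security mac-address 0014.38ce.0410
 switchport port-security mac-address 0017.088a.ef0b
interface FastEthernet0/13
 switchport port-security
 switchport port-security mac-address 0014.38ce.0410
"""

# Matches a static secure MAC line in IOS dotted-hex notation (xxxx.xxxx.xxxx).
MAC_RE = re.compile(r"^\s+switchport port-security mac-address ((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})", re.I)

def secure_macs_by_interface(config):
    """Map each interface name to the static secure MACs configured under it."""
    macs = defaultdict(list)
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = MAC_RE.match(line)
        if m and current:
            macs[current].append(m.group(1).lower())
    return dict(macs)

def duplicate_secure_macs(config):
    """Return {mac: [interfaces]} for every MAC pinned on more than one port."""
    ports = defaultdict(list)
    for intf, macs in secure_macs_by_interface(config).items():
        for mac in macs:
            ports[mac].append(intf)
    return {mac: intfs for mac, intfs in ports.items() if len(intfs) > 1}

def mac_acl_config(acl_name, macs, interfaces):
    """Emit the allow-list from the thread: one named MAC ACL permitting every
    company MAC, applied inbound on each listed interface (hypothetical names)."""
    lines = [f"mac access-list extended {acl_name}"]
    lines += [f" permit host {mac} any" for mac in sorted({m.lower() for m in macs})]
    for intf in interfaces:
        lines += [f"interface {intf}", f" mac access-group {acl_name} in"]
    return "\n".join(lines)
```

The Catalyst configuration guides describe named MAC extended ACLs on Layer 2 ports as filtering non-IPv4 traffic, so verify on the actual switch that IP frames from an unlisted MAC are dropped before relying on the ACL as the control.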
