Only allow legitimate MAC address

Unanswered Question
Dec 12th, 2007

I have my core switch at HQ and a remote switch in the datacenter, connected through a Gig interface (layer 2).

For security reasons I only want my core switch to accept traffic from my remote switch; in case anybody disconnects my remote site switch and plugs in something else, it should drop/disable the port at the HQ switch.

Please advise how I can achieve this.

Is there any way I can only permit my remote switch's MAC address at the HQ switch?


Hieu Cao Thu, 12/13/2007 - 09:31

What is your switch model at the datacenter?

You can implement port security on your switch at the datacenter and limit the MAC addresses to 2 or 3 (however many you want). Short of that, use an ACL.


mohammedrafiq Thu, 12/13/2007 - 12:32

Thanks for the reply, but could you clarify the below:

I want, at the HQ (3560) site, that data only comes from the datacentre (3750) switch.

Isn't it a better idea to enable port security at the HQ switch to only allow one MAC address, which is the MAC of the datacentre switch?


mheusing Thu, 12/13/2007 - 12:39

Just a warning: as your link is a layer 2 link, all the MAC addresses of the devices sending frames through the link will arrive at the HQ switch. You can have a look at the MAC addresses with "show mac address-table interface XYZ". One MAC address will for sure not be enough; instead there will likely be many of them.

Regards, Martin

mohammedrafiq Thu, 12/13/2007 - 12:52

Actually, the switch in the datacentre is only a connection point between HQ and the remote site switch (3750), where all the services are. Our only concern is that at the datacentre site (not managed by us) someone can plug in a device and have access to our LAN at either side, HQ or remote.


Hieu Cao Thu, 12/13/2007 - 12:59

I don't think port security was designed or meant to work that way, limiting MAC addresses from switch to switch.

In my understanding, port security was designed for you to lock down your switchports against unauthorized connections to your switch, along with a few other features. For example, if your 3750 switchport fa0/1 maximum MAC address count is set to 2 with the Sticky option enabled, the third device connected to this switchport would not establish a network connection at all.

Take a look at this link to understand more about port security.


Hieu Cao Thu, 12/13/2007 - 13:37

Since the switch in the data center is connected to your HQ switch but is not managed by you, your simplest solution is to ask the administrator managing that switch to configure port security with the settings you'd like to implement, to keep your network as secure as possible.


mohammedrafiq Thu, 12/13/2007 - 13:47

OK, but what will happen if someone takes the connection physically off the datacentre switch and plugs in a different hub/switch/PC? Then they will have access to our network.

That's why we would like to implement security on our side, on the switch at HQ.

We can make this a layer 3 connection.


Hieu Cao Thu, 12/13/2007 - 14:18

If you have port security configured properly on the switch in the datacenter, then another IP device connected to the same switchport would not have access to your network, because the port is either restricted or shut down.


 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 1
 switchport port-security aging type inactivity
 switchport port-security mac-address sticky
 switchport port-security mac-address sticky vlan voice
 switchport port-security mac-address sticky xxxx.xxxx.xxxx
 spanning-tree bpduguard enable

The third device connected to the same switchport would fail to get a network connection.

When you enable the Sticky option, it'll learn the MAC addresses dynamically and add them to the switchport. You just need to save the config at this point so that if you reboot the switch, it doesn't have to relearn the MAC addresses. Of course, the downside of this is that if your device's MAC address changes at the other end, then you need to update your switch with the new MAC address for that port manually. Also, don't forget to shut down all unused switchports too.

On your HQ switch, maybe you can implement an ACL to accept traffic from the datacenter, but if someone has physical access to your switch and replaces it with something else entirely, without your knowledge or consent and with the intent to cause harm, then it becomes a much bigger issue. Someone at the datacenter managing that switch must be responsible for the physical security of that switch.

I don't know of an "easy" way to address your concern, so I hope others in this forum can help you out as I am interested in a viable solution as well.
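Added example (not configuration posted by any participant in this thread): the HQ 3560 side of the link configured to do what the original question asks for, i.e. the port goes err-disabled when anything other than the datacenter 3750 is plugged in. It takes the asker's own suggestion of making the link layer 3 so that Martin's objection no longer applies: instead of a trunk carrying user VLANs, the link is a dedicated point-to-point VLAN with an SVI on each switch, so the only MAC address the HQ port ever learns is the remote 3750's SVI MAC. Port security is only supported on static access or trunk switchports, not on routed "no switchport" interfaces, which is why the physical port stays an access port. The VLAN number, IP addresses, interface name and the MAC 0011.2233.4455 are placeholders. Two caveats: `violation restrict`, as used in the post above, keeps the port up and only drops frames from other MACs, whereas `violation shutdown` err-disables it; and a static MAC allow-list only stops accidental or casual connections, since anyone who replaces the remote switch can clone its MAC.

```cisco
! Added example for the HQ 3560 uplink (not from the original thread).
! Assumption: HQ<->datacenter is a point-to-point VLAN 999 with an SVI on
! each switch rather than a trunk, so only the remote 3750's SVI MAC
! appears on this port. VLAN, addresses, interface name and the MAC
! 0011.2233.4455 are placeholders.
!
vlan 999
 name P2P-LINK-TO-DC
!
interface Vlan999
 description Layer 3 link to datacenter 3750 (remote side uses .2)
 ip address 10.255.0.1 255.255.255.252
!
! Port security needs a static access or trunk port; "no switchport"
! routed ports do not support it, so keep the port as an access port.
interface GigabitEthernet0/1
 description Uplink to datacenter 3750
 switchport mode access
 switchport access vlan 999
 switchport port-security
 switchport port-security maximum 1
 ! "restrict" (used in the post above) only drops frames from other
 ! MACs and counts violations; "shutdown" err-disables the port, which
 ! is the behaviour asked for when the remote switch is replaced.
 switchport port-security violation shutdown
 ! Static rather than sticky: the expected MAC is known in advance, so
 ! a device plugged in before the first legitimate frame cannot get
 ! itself learned as the secure address.
 switchport port-security mac-address 0011.2233.4455
 ! No bpduguard here: the legitimate 3750 sends BPDUs on this link and
 ! would err-disable the port itself.
 no shutdown
!
! Without recovery the port stays err-disabled until an admin does
! shutdown / no shutdown. Recover after 5 minutes so a transient
! violation does not take the site down permanently; a device that is
! still there re-triggers the violation on recovery.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! Verification on the HQ switch:
!   show port-security interface GigabitEthernet0/1
!   show mac address-table interface GigabitEthernet0/1
!   show errdisable recovery
```

Before committing to `maximum 1`, check `show mac address-table interface GigabitEthernet0/1` on the live link for a while: if anything other than the remote SVI MAC shows up (for example because the port is still carrying user VLANs), the port will err-disable as soon as port security is enabled.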
