Catalyst 2950 same mac on two ports

Unanswered Question
Oct 29th, 2008

Is it possible to allow the same mac address to be configured on two different ports? Due to security requirements where I work, a typical configuration for a port connecting to an end device (PC) is to enable:

switchport mode access
switchport port-security
switchport port-security mac-address sticky

We have a new configuration where we need help. I have a laptop that will be used in two different rooms. Both rooms are wired to the same switch (Cisco WS-C2950-24) but to different ports.


We would like to configure port security such that the laptop can be connected in either room without port security tripping us up (e.g., the laptop mac address would be applied to ports #1 and #2).

Amit Singh Wed, 10/29/2008 - 07:21
User Badges:
  • Cisco Employee,

I have not tried it, but I think we can configure the static port-security mac-address entry on both ports and the same laptop can then be used on either port. Try configuring it and let us know.


Use the following command:

switchport port-security mac-address aaaa.bbbb.cccc


You might need to increase the mac-address count to greater than 1, which is the default. If you leave it at the default then only the configured static mac will be allowed and there will be no dynamic learning allowed on the port. Use the command

switchport port-security max-count 2


Also, please enable the static MAC aging timer on both ports so that when a user moves from one room to another, the previously configured mac gets aged out of the port and the user gets connectivity on the other port.

Use the command below:

switchport port-security aging static


HTH, Please rate if it does.


-amit singh


kcurry9806 Wed, 10/29/2008 - 07:43

1. When I try to add the same mac address to the second port we get the message "Found duplicate mac address." Any attempt to connect the laptop to the second port after the mac is stuck to the first port will error-disable the second port. (We have the ports shutdown when a violation occurs.)


2. The only command I have is "switchport port-security maximum" and is set to 2. My limited understanding of this setting is it will allow up to 2 mac addresses on this port.


3. I enabled the aging timer.


So far no luck. Will use of an ACL and mac table do the trick for us?


Thanks,

Ken

Amit Singh Wed, 10/29/2008 - 08:17
User Badges:
  • Cisco Employee,

Ken,


Well, it's not allowing us to put the same mac on both ports.


I think we can achieve this as long as we have the "mac aging" timer enabled for the dynamic mac-addresses on both ports.


Please do not enable sticky mac-address learning on the port, as aging for sticky mac-addresses is not supported.



The difference between sticky and dynamic mac-addresses is that a sticky mac-address will be learnt permanently on the port, even if the switch reboots, while the dynamic entries get removed if the switch reboots.


Once the user moves from one port to another, if the aging timer is configured the port-security table will flush the mac-address and the user will be able to connect to the second port.


Use the following command:

switchport port-security aging time 60 type inactive


The full config on these two ports would be

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2 <--- If you want to allow more than 1 mac on the ports.
Switch(config-if)# switchport port-security aging time 60 type inactive <-- after 1 minute of inactivity the mac will be flushed out of the port-security table and can be learned on the other port.



NOTE: You can mix and match this, with one port configured for a static mac with aging timer and the other port configured with dynamic learning and aging.


HTH,
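To make the two behaviours discussed above concrete (sticky learning that err-disables the second port, versus dynamic learning with inactivity aging that lets the MAC move), here is a small Python model written for this page. It is a constructed teaching example, not Cisco code and not anything the posters ran: the secure-MAC table, `maximum`, sticky vs dynamic entries, `aging type inactive` and the shutdown violation mode are modelled from how the thread describes them, the rule that a MAC already secured on another port is a violation is taken from Ken's report of the second port going err-disabled, and the port names and laptop MAC are made up. Time is counted in minutes, which is the unit IOS uses for `switchport port-security aging time`.

```python
"""Toy model of the Cisco port-security behaviour discussed in this thread.

Constructed teaching example, not Cisco code. Per port it models: the secure
MAC table, `maximum`, sticky vs dynamic learning, inactivity/absolute aging and
the shutdown (err-disable) violation mode. Time is in minutes, the unit IOS
uses for `switchport port-security aging time`.
"""
from dataclasses import dataclass, field

LAPTOP = "0011.2233.4455"   # constructed MAC for the roaming laptop


@dataclass
class SecureEntry:
    sticky: bool
    learned: int     # minute the entry was learned
    last_seen: int   # minute of the last frame from this MAC


@dataclass
class Port:
    name: str
    maximum: int = 1
    sticky: bool = False
    aging_time: int = 0            # 0 = aging disabled (the IOS default)
    aging_type: str = "absolute"   # "absolute" or "inactive"
    entries: dict = field(default_factory=dict)
    err_disabled: bool = False


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.now = 0

    def advance(self, minutes):
        """Let the clock run and age out dynamic secure entries."""
        self.now += minutes
        for port in self.ports.values():
            if port.aging_time == 0:
                continue
            for mac, e in list(port.entries.items()):
                if e.sticky:      # thread: aging is not applied to sticky entries
                    continue
                ref = e.last_seen if port.aging_type == "inactive" else e.learned
                if self.now - ref >= port.aging_time:
                    del port.entries[mac]

    def frame(self, port_name, mac):
        """Process one frame from `mac` arriving on `port_name`; return the outcome."""
        port = self.ports[port_name]
        if port.err_disabled:
            return "dropped"
        # A MAC secured on another port may not appear here: violation -> shutdown.
        if any(mac in p.entries for p in self.ports.values() if p is not port):
            port.err_disabled = True
            return "violation"
        if mac in port.entries:
            port.entries[mac].last_seen = self.now
            return "forward"
        if len(port.entries) >= port.maximum:
            port.err_disabled = True
            return "violation"
        port.entries[mac] = SecureEntry(port.sticky, self.now, self.now)
        return "forward"


def scenario_sticky():
    """The original config: sticky learning, no aging. Laptop moves rooms."""
    sw = Switch([Port("Fa0/1", sticky=True), Port("Fa0/2", sticky=True)])
    first = sw.frame("Fa0/1", LAPTOP)
    sw.advance(8 * 60)                  # a working day passes; sticky never ages
    second = sw.frame("Fa0/2", LAPTOP)  # MAC is still stuck to Fa0/1
    return first, second, sw.ports["Fa0/2"].err_disabled


def scenario_dynamic_aging(idle_minutes):
    """Amit's suggestion: dynamic learning, maximum 2, aging time 60 type inactive.
    `idle_minutes` is how long the laptop was unplugged before appearing on Fa0/2."""
    cfg = dict(maximum=2, aging_time=60, aging_type="inactive")
    sw = Switch([Port("Fa0/1", **cfg), Port("Fa0/2", **cfg)])
    sw.frame("Fa0/1", LAPTOP)
    sw.advance(idle_minutes)
    return sw.frame("Fa0/2", LAPTOP)


if __name__ == "__main__":
    print("sticky:", scenario_sticky())
    print("dynamic, moved after 30 min:", scenario_dynamic_aging(30))
    print("dynamic, moved after 60 min:", scenario_dynamic_aging(60))
```

The second scenario also shows the caveat in Amit's suggestion: if the laptop reappears on the other port before the inactivity timer has expired, the old entry is still present on the first port and the move is treated as a violation, so the aging value has to be chosen against how quickly users actually change rooms.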
kcurry9806 Wed, 10/29/2008 - 11:48

I tested this process on two WS-C2950T-48-SI switches. One did not work, but on the second I was able to successfully connect the laptop to two different ports. In fact, with switchport port-security maximum 2 set, I was able to connect a second laptop to the same ports. The macs from both laptops are configured to both ports and I can connect to my network.


I have not checked all of the settings against one another, but this test proves it should be possible.


FYI:

WS-C2950-24 (no good) 12.1(14)EA1a
WS-C2950T-48-SI (good) 12.1(19)EA1c
WS-C2950T-48-SI (no good) 12.1(22)EA4a


Ken
