Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3031
Views
0
Helpful
4
Replies

Catalyst 2950 same mac on two ports

kcurry9806
Level 1
Level 1

‎10-29-2008 06:52 AM - edited ‎03-06-2019 02:11 AM

Is it possible to allow the same mac address to be configured to two different ports? Due to security requirements where I work a typical configuration for a port connecting to an end device (PC) we enable:

switchport mode access

switchport port-security

switchport port-security mac-address sticky

We have a new configuration where we need help. I have a laptop that be used in two different rooms. Both rooms are wired to the same switch (Cisco WS-C2950-24) but different ports.

We would like to configure port security such that the laptop can be connected in either room without port security tripping us up (e.g., the laptop mac address be applied to port #1 and #2).

Labels:
0 Helpful
4 Replies 4

Amit Singh
Cisco Employee
Cisco Employee

‎10-29-2008 07:21 AM

I havenot tried but I think we can configure the static port-security mac-address entry on both the ports and the same laptop can be used on the same port randomly. Try configuring it and let us know.

Use the following command :

switchport port-security mac-address aaaa.bbbb.cccc

You might need to increase the mac-address count to greater than 1 which is a default number. If you leave it to default then only the configured static mac will be allowed and they will be no dynamic learning allowed on the port. Use the command

switchport port-security max-count 2

Also, Please enable the static MAC aging timer on both the ports so that when a user moves from one room to another room, the previously configured mac gets aged out of the port and user get connectivity on the other port.

Use the command below :

switchport port-security aging static

HTH, Please rate if it does.

-amit singh

0 Helpful

kcurry9806
Level 1
Level 1
In response to Amit Singh

‎10-29-2008 07:43 AM

1. When I try to add the same mac address to the second port we get the message "Found duplicate mac address." Any attempt to connect the laptop to the second port after the mac is stuck to the first port will error-disable the second port. (We have the ports shutdown when a violation occurs.)

2. The only command I have is "switchport port-security maximum" and is set to 2. My limited understanding of this setting is it will allow up to 2 mac addresses on this port.

3. I enabled the aging timer.

So far no luck. Will use of an ACL and mac table do the trick for us?

Thanks,

Ken

0 Helpful

Amit Singh
Cisco Employee
Cisco Employee
In response to kcurry9806

‎10-29-2008 08:17 AM

Ken,

Well its not allowing us to put in the same mac on both the ports.

I think we can achieve this as far as we have " mac aging " timer enabled for the dynamic mac-addresses on both the ports.

Please donot enable the sticky mac-address learning on the port as aging for sticky mac-address is not supported.

The difference between sticky and dynamic mac-address is that sticky mac-address will be learnt permanently on the ports even if the switch reboots. While the dynamic entries gets removed if the switch reboots.

Once the user moves from one port to another if the aging timer is configured the port-security table will flush the mac-address and user will be able to connect to second port.

Use the following command :

switchport port-security aging time 60 type inactive

The full config command on these two ports would be

Switch(config-if)# switchport mode access

Switch(config-if)# switchport port-security

Switch(config-if)# switchport port-security maximum 2 <--- If you to allow more than 1 mac on the ports.

Switch(config-if)# switchport port-security aging time 60 type inactive <-- after 1 minute of inactivity the mac will be flushed out of the port-security table and can be learned on the other port.

NOTE : You can mix and match this with 1 port configured for static mac with aging timer and another port configured with dynamic learning and aging.

HTH,

0 Helpful

kcurry9806
Level 1
Level 1
In response to Amit Singh

‎10-29-2008 11:48 AM

I tested this process on two WS-C2950T-48-SI switches. One did not work, but on the second I was able to successfully connect the laptop to two different ports. In fact, with switchport port-security maximum 2 set, I was able to connect a second laptop to the same ports. The macs from both laptops are configured to both ports and I can connect to my network.

I have not checked all of the settings against one another, but this test proves it should be possible.

FYI:

WS-C2950-24 (no good) 12.1(14)EA1a

WS-C2950T-48-SI (good) 12.1(19)EA1c

WS-C2950T-48=-SI (no good) 12.1(22)EA4a

Ken

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card