03-19-2009 04:58 AM - edited 03-06-2019 04:41 AM
I've an environment without VoIP.
This is the reason why max MAC is 1 everywhere. Aging is not required because a user disconnection means a flush of the MAC.
I want some ports to have a static secure MAC address. If another user connects to this port, the port has to stay up but the packets should be dropped -> restrict mode.
User ports have the following configuration:
switchport mode access
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
end
special ports:
switchport nonegotiate
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address aaaa.bbbb.cccc
When I connect my PC, the test MAC appears in the static MAC table:
Vlan Mac Address Type Ports
---- ----------- -------- -----
All 0015.62a2.fcc0 STATIC CPU
All 0100.0ccc.cccc STATIC CPU
All 0100.0ccc.cccd STATIC CPU
All 0100.0cdd.dddd STATIC CPU
50 aaaa.bbbb.cccc STATIC Fa0/3
When I disconnect, the last entry disappears.
Very strange...
show port-security interface fas0/3
Port Security : Enabled
Port Status : Secure-down
Violation Mode : Restrict
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 1
Configured MAC Addresses : 1
Sticky MAC Addresses : 0
Last Source Address : 0021.709f.59b4
Security Violation Count : 350
>> security violation count increments.
But when connected I'm still able to ping the SVI????? My laptop violates but is still able to ping -> packets are not dropped??
show logging
000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000050: *Mar 1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
How can I prevent a device with a MAC other than the configured one from being able to ping?
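As an added example (not from the thread), a small Python parser that pulls the %PORT_SECURITY-2-PSECURE_VIOLATION lines out of "show logging" output and counts repeats per port and MAC, so a persistent violator like the one above stands out even though restrict mode keeps the port up. The alert threshold, the second port and its MAC are assumptions for illustration.

```python
import re
from collections import Counter

# Matches the IOS message shown in the thread, e.g.
# "%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred,
#  caused by MAC address 0021.709f.59b4 on port FastEthernet0/3."
PSECURE_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"on port (?P<port>[A-Za-z]+[\d/]+)"
)


def parse_violations(lines):
    """Return a list of (port, mac) for every violation line; other syslog lines are ignored."""
    hits = []
    for line in lines:
        m = PSECURE_RE.search(line)
        if m:
            hits.append((m.group("port"), m.group("mac").lower()))
    return hits


def summarize(lines, threshold=3):
    """Count violations per (port, mac) and flag pairs at or above threshold.

    With 'violation restrict' the port stays up and only the counter moves, so a
    repeating message from one MAC on one port is the thing worth alerting on.
    """
    counts = Counter(parse_violations(lines))
    alerts = {key: n for key, n in counts.items() if n >= threshold}
    return counts, alerts


# Constructed sample log: the four lines from the thread, one unrelated link
# message, and one violation on a second port with a made-up MAC.
SAMPLE_LOG = """\
000046: *Mar 1 01:07:20.000 CET: %LINK-3-UPDOWN: Interface FastEthernet0/3, changed state to up
000047: *Mar 1 01:07:29.999 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000048: *Mar 1 01:07:35.003 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000049: *Mar 1 01:07:40.007 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000050: *Mar 1 01:07:45.015 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0021.709f.59b4 on port FastEthernet0/3.
000051: *Mar 1 01:07:50.020 CET: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.1111.2222 on port FastEthernet0/5.
"""

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG.splitlines())
    for (port, mac), n in alerts.items():
        print(f"ALERT: {n} violations from {mac} on {port}")
```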
03-19-2009 06:36 AM
Hi Jan ,
I think your special port doesn't have max MAC configured and, no, that is one of the reasons.
HTH
DAK
03-19-2009 06:41 AM
Hi,
Yes I did
it doesn't show up because it's default
see also the output
Maximum MAC Addresses : 1
03-19-2009 06:45 AM
Could you please try to configure the aging? Maybe it could have an effect on it.
I know you intentionally don't want to enable it.
03-19-2009 08:34 AM
03-19-2009 09:06 AM
problem solved:
configuration was ok ;)
I added another switch, configured an SVI there, and then the result was satisfying:
ping -t from my laptop
Request time-out
If I remove the static secure MAC
reply
If I wanted to add the secure MAC again :
Error, max MAC already reached
If I disconnected my laptop, I was able to add the secure MAC again.
I had to ping a hop further
03-19-2009 09:33 AM
Hello ,
Please, I would like to know what went wrong then.
Thanks
03-19-2009 09:49 AM
My setup
Laptop---------switch 10.0.0.2
10.0.0.1
ping -t 10.0.0.2
reply
Laptop----switch 10.0.0.2-------switch 10.0.0.3
ping -t 10.0.0.3
time-out
time-out
time-out
time-out
time-out
...
time-out
When I removed the secure MAC from my port I received replies from 10.0.0.3.
I did a continuous ping.
Probably packets sourced from another MAC are dropped when leaving the switch?