Router port and Switchport security

alanchia2000
Level 1

I have just realized that once you perform "no switchport" on a switch, you can no longer perform switchport security on a port.

I would like to have "no switchport" and yet be able to perform a "switchport security" so that I can limit the number of mac addresses connecting to that port.

Is there a way?


Edison Ortiz
Hall of Fame

You can't perform switchport related commands - such as security - on a Layer 3 port.

If you need switchport security as part of the design, you must enable switchport features on the port (Layer 2 switchport) and assign this port to a Vlan. You can apply the IP address intended for this switchport under the Switch Virtual Interface (SVI) and will behave the same as applying the IP under the switchport.

HTH,

__

Edison.
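The design Edison describes above (Layer 2 access port with port-security, IP address moved to the SVI), as an added configuration example that is not part of the original thread. The interface name, VLAN number, MAC limit and address are assumed values.

```cisco
! Layer 2 access port for the hosts. 'switchport' is the opposite of 'no switchport':
! the port is back in Layer 2 mode, so port-security commands are accepted again.
interface GigabitEthernet1/0/1
 description Access port with MAC limit (assumed interface)
 switchport
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 5
 spanning-tree portfast
!
! The IP address that would have been configured on the routed port goes on the SVI
! for the same VLAN; hosts on Gi1/0/1 use it as their gateway exactly as before.
interface Vlan10
 description Gateway for hosts on Gi1/0/1 (assumed VLAN and address)
 ip address 192.0.2.1 255.255.255.0
 no shutdown
```

Check the result with `show port-security interface GigabitEthernet1/0/1` (shows the maximum, the current secure-address count and the violation count) and `show port-security address` (lists the learned secure MACs). `violation restrict` drops traffic from excess MAC addresses and counts the violations without err-disabling the port; leave the default `shutdown` mode if you would rather the port go down. If every one of the 48 ports must remain its own Layer 3 segment, the same pattern is repeated with one VLAN and one SVI per port.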

Hi Edison,

I understand the way to do physical port security. So I'm asking if there's any other way?

Is 802.1x capable of achieving that on a routed port?

You could implement security ACLs.

dot1x is only available on L2 switchports.

> You could implement security ACLs.

What kind of security ACLs are you referring to? MAC filtering access-lists?

> dot1x is only available on L2 switchports.

Thanks for answering.

Yes, MAC filtering ACLs.

Hi Edison,

> Yes, MAC filtering ACLs.

Thanks. Just wondering if there are any other means, cause I would most likely need to apply the ACLs to all 48 ports of my access switch ports. They have to be 48 different named ACLs.

No.

Those are the limitations you may face when doing L3 switchport. You lose switchport capabilities.

__

Edison.

Hi Edison,

I just realized that mac access-group is not supported on a routed port. The option is not available as soon as I do a "no switchport".

Is mac access-group the security ACL you are referring to?

You are right, just realized that - my apologies.

I believe the only option is using the mac address-table static global command:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/command/reference/cli1.html#wp2789851

HTH,

__

Edison.

Thanks Edison, I'll go check out tomorrow when I get back to office.

Cheers,

Alan
