Allowing a single non-specific mac-address on each switchport

mzdin · ‎11-12-2001

I need to prevent users from connecting hub/switches to the switchport indiscriminately. I cannot use port security as i need to allow different users to access the switch. Is there a way perhaps to allow the switch to only allow ONLY 1 mac address for each port without learning the mac-address and preventing another user from using the port with a different machine.

candv · ‎11-13-2001

Depends what type of switch but we do the following

on 3500 switches only allow one mac address per port

int f0/1

port security max-mac-count 1

on catalyst 4000/6000 switches we set port security for 1 mac address but instead of locking down the port we use "restrict". When the user plugs the original device back into the switch is re-enables it.

mzdin · ‎11-13-2001

Thanks very much for your suggestion.The switches I'm using are the 3500XL, 2900XL and the 5500. I cannot use port security because the users are mobile. They are allow to connect to any switchport. So i cannot tie down the port to any single specific mac address. However, I do not want them to connect a switch/hub to the port as that could create problems.

I looking for a feature or a config that at any one time only allows the port to hold on to a single mac address dynamically and then release it when the user disconnects from the outlet. Using port security would not allow this. Any suggestions would be appreciated.

candv · ‎11-13-2001

for the 3500xl and 2900xl the command previous will work, it may say port security but it will not shut down the port until the following command is entered

port security action shutdown

or

port security action trap

that is the line that shuts down the actual port or sends a trap to a management server. As for the 5500

command..there is a "set port security 3/1 maximum "

that sets the max number without actually shutting down the port, you may have to upgrade to a high 5500 version of software though

mzdin · ‎11-14-2001

Thanks Andy, thats what i thought as the default action is to simply generate a snmp message. However, when I tried to connect another machine to the port, even though it did not shut down the port, it also did not learned the new mac-address of the new machine and thus there was no connectivity. In the event that i do not specify the option of max mac address learned, it would simply learned up to the default maximum number of mac address, abt 132 i think and then connectivity would be lost for the next new machines that needs to be connected. I tried tweaking with the mac address table aging time, but it seems that learned mac address through secure ports do not get erase. Thanks again

j.chenevey · ‎11-16-2001

This may work: implement bpdu guard. bpdu guard will disable a portfast enabled switch port if it a BPDU is received on that port. Port is put into errdisable when this is detected. So if a switch or hub is plugged in, a BPDU would be flooded to that port and bpdu guard will disable port automatically. this feature is available in CatOS 5.4.1 and later for Cat4K, 5K, 6K. Check out http://www.cisco.com/warp/public/473/65.html

KENT EITZMANN · ‎11-17-2001

I have also been struggling with this same issue. Starting with CatOS 5.x you can control the age of a port's secure MAC address (set port sec 3/1 age 10). After 10 minutes of not seeing that MAC the port will go back into learning mode, allowing a different user on that port. The bad part is that 10 min. is the shortest you can set it.

Suggestion to Cisco: Why not add an option to port security which erases a ports security table when it's link goes away?

Until that day comes, here is a workaround I have been playing with. I enable link up/down traps on the switch (set port trap), then using snmptrapd (ucd-snmp) I issue a snmpset to clear the secure MAC from the port (PortSecuritySecureSrcAddr.x.x = "00 00 00 00 00 00") when a link down trap is received.