11-13-2003 01:03 PM - edited 03-02-2019 11:42 AM
We want to configure only trusted MAC addresses on one 2950 switch. So I am thinking of a static entry such as "mac address-table static xxxx.xxxx.xxxx vlan 60 interface range fastethernet0/1-10" for the first 10 ports. Has anyone done a similar thing??
Thanks
Ernie Arellanes
Riverside, CA
11-13-2003 06:06 PM
I'd suggest using port-security: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7f.html#1038501
11-14-2003 08:23 AM
Thank you, I will look at that approach.
Ernie Arellanes
11-14-2003 03:13 PM
As a follow-up question, if I were to implement port security for a room of, say, 10 wall ports, and therefore 10 switchports, is it more efficient to just configure one instance on the Gigabit interface? I suppose this would limit the whole switch then (all 48 ports)???
EA
California
11-14-2003 04:49 PM
Port Security restricts traffic flowing into a given port based on source MAC address. So if the gigabit port is an uplink in your case, configuring port security on it won't do you any good, because the traffic is going into the FE ports and out of the gigabit port.
11-17-2003 08:07 AM
I see, thanks for that clarification. So it is possible, right, as long as the GBIC port is a non-uplink, so maybe higher up in the GigaStack?
EA
11-17-2003 06:45 PM
Port Security can be used on any given port to restrict traffic going into that port. So in your case the other end of the uplink (e.g., whatever the GBIC connects to) could have Port Security configured.
11-18-2003 01:27 PM
My plan then is to use the Port Security method on all 48 ports on the 2950 switch using the interface range command (i.e.)
(config)# interface range fastethernet0/1-48
then these commands:
switchport mode access
switchport port-security
switchport port-security mac-address xxxx.xxxx.xxxx
(repeat the last line for all MACs)
end
Question: is there a way to cut and paste all these MACs into the config file, probably 50 MAC addresses?
EA
11-18-2003 06:28 PM
That won't work -- a given MAC address can be configured as a secure address on only 1 port at a time. The reason is that when you configure a secure address on a port, the switch installs a static CAM table entry which maps the MAC address to that port. For a given MAC address to be mapped to multiple ports in a switch's CAM table is generally considered an error condition, as it goes against the entire concept of switching.
So if you're going to have hosts constantly changing ports such that a static configuration of one MAC address per port isn't practical, your options are: 1) configure port security on an upstream port, 2) use VMPS (which the 2950 can't do on its own -- VMPS Server functionality is required, which means either a high-end Cisco switch like a 4000, 5000 or 6500, or a third-party solution like OpenVMPS), or 3) use 802.1x.
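The two posts above raise a practical pair of problems: pasting 50 MAC addresses into a port-security configuration, and the constraint that a secure MAC may be bound to only one port. The following script is an added example, not code from the thread or from Cisco. It assumes a constructed "port,mac" list (the addresses are made up), normalizes each MAC to the IOS dotted form, emits per-interface `switchport port-security` lines you can paste into a console session, and refuses to generate a configuration in which the same MAC is listed on two ports. The `maximum` count and the `restrict` violation mode are this example's choices, not something the thread specifies.

```python
import re
from collections import OrderedDict

# Constructed sample input: one "port,mac" pair per line, the kind of list you
# might keep in a spreadsheet before pasting into the switch.  Addresses are
# made up for this example.
SAMPLE_CSV = """\
# port,mac
FastEthernet0/1,00:11:22:33:44:55
FastEthernet0/2,0011.2233.4456
FastEthernet0/2,00-11-22-33-44-57
FastEthernet0/10,001122334458
"""


def normalize_mac(mac):
    """Return a MAC in IOS dotted form (aabb.ccdd.eeff), accepting colon,
    dash, dotted or bare 12-hex-digit input."""
    if not re.fullmatch(r"[0-9a-fA-F:.\-]+", mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def parse_assignments(text):
    """Parse 'port,mac' lines (blank lines and # comments ignored) into an
    ordered mapping port -> [normalized MAC, ...]."""
    assignments = OrderedDict()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 2 or not all(parts):
            raise ValueError(f"line {lineno}: expected 'port,mac', got {raw!r}")
        port, mac = parts
        assignments.setdefault(port, []).append(normalize_mac(mac))
    return assignments


def _port_sort_key(port):
    # Natural sort so FastEthernet0/2 is emitted before FastEthernet0/10.
    return [int(p) if p.isdigit() else p for p in re.split(r"(\d+)", port)]


def build_port_security_config(assignments):
    """Emit per-interface port-security lines.  A secure MAC becomes a static
    CAM entry bound to one port, so the same address on two ports is rejected
    here rather than producing a configuration the switch will refuse."""
    owner = {}   # normalized MAC -> port that already claims it
    lines = []
    for port in sorted(assignments, key=_port_sort_key):
        # Normalize again (idempotent) and drop repeats within the same port.
        macs = list(dict.fromkeys(normalize_mac(m) for m in assignments[port]))
        for mac in macs:
            if mac in owner and owner[mac] != port:
                raise ValueError(
                    f"{mac} is listed on both {owner[mac]} and {port}; "
                    "a secure MAC can be bound to only one port")
            owner[mac] = mac and port
        lines += [
            f"interface {port}",
            " switchport mode access",
            " switchport port-security",
            # Allow exactly the number of addresses we are about to pin.
            f" switchport port-security maximum {len(macs)}",
            # Example's choice: drop offending frames and log, rather than err-disable.
            " switchport port-security violation restrict",
        ]
        lines += [f" switchport port-security mac-address {m}" for m in macs]
        lines.append("!")
    return lines


if __name__ == "__main__":
    print("\n".join(build_port_security_config(parse_assignments(SAMPLE_CSV))))
```

Running the script prints a block per interface that can be pasted under `configure terminal`; feeding it a list in which one MAC appears on two ports stops with an error naming both ports, which is the condition the reply above describes.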
11-20-2003 12:06 PM
Option 1: Upstream port = GigabitEthernet interface on a Catalyst 3550, currently with this configuration (in show run). Question: Will setting this to access mode (for secure port) nullify all/some/most of this configuration? FYI: This is the second-to-last switch in the stack, with the last being the 2950 on which all ports will be MAC secured.
interface GigabitEthernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
mls qos trust cos
auto qos voip trust
wrr-queue bandwidth 20 1 80 0
wrr-queue queue-limit 80 1 20 1
wrr-queue cos-map 1 0 1 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
priority-queue out
spanning-tree vlan 20 port-priority 0
spanning-tree stack-port
11-20-2003 06:45 PM
The 3550 documentation (for the newest software version) says that, unlike with the 2950s, a trunk port on a 3550 can indeed have port security enabled. So you should be ok there.