Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

MAC address Security on 2950

Unanswered Question
Nov 13th, 2003
User Badges:

We want to configure only trusted MAC addresses on 1 2950 switch. So I am thinking of a static entry such as "mac address-table static xxxx.xxxx.xxxx vlan 60 interface range fastethernet0/1-10" for the 1st 10 ports, has anyone done a similar thing??


Ernie Arellanes

Riverside, CA

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
earellanes Fri, 11/14/2003 - 08:23
User Badges:

Thank you, I will look at that approach.

Ernie Arellanes

earellanes Fri, 11/14/2003 - 15:13
User Badges:

As a follow up question, if I was to implement port security for a room of say 10 wall ports, and therefore 10 switchports, is it more efficient to just configure one instance on the Gigabit Interface, I suppose this would limit the whole switch then(all 48 ports)???



tbaranski Fri, 11/14/2003 - 16:49
User Badges:
  • Bronze, 100 points or more

Port Security restricts traffic flowing in to a given port based on source MAC address. So if the gigabit port is an uplink in your case, configuring port security on it won't do you any good because the traffic is going in to the FE ports and out of the gigabit port.

earellanes Mon, 11/17/2003 - 08:07
User Badges:

I see, thanks for that clarification, So it is possible right, as long as the GBic port is a non-uplink, so maybe higher up in Giga-stack?


tbaranski Mon, 11/17/2003 - 18:45
User Badges:
  • Bronze, 100 points or more

Port Security can be used on any given port to restrict traffic going into that port. So in your case the other end of the uplink (e.g., whatever the GBIC connects to) could have Port Security configured.

earellanes Tue, 11/18/2003 - 13:27
User Badges:

My plan then is to use the Port security method on all 48 ports on the 2950 switch using the interface range command (ie)

(config)# interface range fastethernet0/1-48

then these commands:

switchport mode access

switchport port-security

switchport port-security mac-address xxxx.xxxx.xxxx

(repeat the last line for all MACs)


Question is there a way to cut and paste all these MACs in the config file, probably 50 MAC addresses?


tbaranski Tue, 11/18/2003 - 18:28
User Badges:
  • Bronze, 100 points or more

That won't work -- a given MAC address can be configured as a secure address on only 1 port at a time. The reason is because when you configure a secure address on a port, the switch installs a static CAM table entry which maps the MAC address to that port. For a given MAC address to be mapped to multiple ports in a switch's CAM table is generally considered an error condition, as it goes against the entire concept of switching.

So if you're going to have hosts constantly changing ports such that a static configuration of one MAC address per port isn't practical, your options are: 1) configure port security on an upstream port, 2) use VMPS (which the 2950 can't do on it's own -- VMPS Server functionality is required which means either a high-end Cisco switch like a 4000, 5000 or 6500, or a third-party solution like OpenVMPS), or 3) use 802.1x.

earellanes Thu, 11/20/2003 - 12:06
User Badges:

Option 1: Upstream port= GigabitEthernet Interface on a Catalyst 3550, currently with this configuration.(in show run). Question: Will setting this to access mode (for secure port) nullify all/some/most of this configuration? FYI: This is the 2nd to last switch in the stack, with the last being the 2950 that all ports will be MAC secured.

interface GigabitEthernet0/2

switchport trunk encapsulation dot1q

switchport mode trunk

no ip address

mls qos trust cos

auto qos voip trust

wrr-queue bandwidth 20 1 80 0

wrr-queue queue-limit 80 1 20 1

wrr-queue cos-map 1 0 1 2 4

wrr-queue cos-map 3 3 6 7

wrr-queue cos-map 4 5

priority-queue out

spanning-tree vlan 20 port-priority 0

spanning-tree stack-port

tbaranski Thu, 11/20/2003 - 18:45
User Badges:
  • Bronze, 100 points or more

The 3550 documentation (for the newest software version) says that, unlike with the 2950s, a trunk port on a 3550 can indeed have port security enabled. So you should be ok there.


This Discussion