Cisco Support Community
New Member

Can't use 'interface range' to restrict by mac address

Hello.

I need to only allow 5 MAC addresses on a range of ports on a 2955 switch. If I do the following, it only changes the first port in the range:

interface range fastEthernet 0/5 - 10
 no spanning-tree portfast
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 00:1D:24:25:F7:AA
 switchport port-security mac-address 00:2D:24:9A:56:BB
 switchport port-security mac-address 00:1D:24:25:F7:CC
 switchport port-security mac-address 00:1D:24:40:E0:DD
 switchport port-security mac-address 00:1D:24:20:DC:EE
 no shut

However show run will show this on all the ports:

interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 00:1D:24:25:F7:AA
 switchport port-security mac-address 00:2D:24:9A:56:BB
 switchport port-security mac-address 00:1D:24:25:F7:CC
 switchport port-security mac-address 00:1D:24:40:E0:DD
 switchport port-security mac-address 00:1D:24:20:DC:EE
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict

If I try to add the MAC address afterwards, this happens:

(config-if)# switchport port-security mac-address 00:1D:24:25:F7:AA
Found duplicate mac-address 00:1D:24:25:F7:AA

Can I not use the same MAC address across ports?

Thanks


Accepted Solutions
Hall of Fame Super Silver

Hello Andy,

The command creates a static entry in the CAM table, so you cannot have the same MAC address associated with multiple ports at the same time; this is not allowed by the port security framework.

On some switching platforms you can have other means to discriminate legitimate users, like dynamic ARP inspection and DHCP snooping.

Hope to help

Giuseppe
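
An added example, not part of the original thread: a small audit of a saved running config that reports the two conditions seen above, a static secure MAC pinned on more than one port and port-security ports with no static MAC at all (such ports learn their allowed addresses dynamically, up to the configured maximum). The sample config is constructed, the function names are hypothetical, and both the colon notation used in the thread and IOS dotted notation are accepted.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the thread's "show run" output.
SAMPLE_CONFIG = """\
interface FastEthernet0/5
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 00:1D:24:25:F7:AA
 switchport port-security mac-address 00:2D:24:9A:56:BB
!
interface FastEthernet0/6
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
!
interface FastEthernet0/7
 switchport port-security
 switchport port-security mac-address 001d.2425.f7aa
"""

STATIC_MAC = re.compile(r"switchport port-security mac-address (?!sticky)(\S+)", re.I)

def normalize_mac(text):
    """Reduce colon, dash or dotted MAC notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return digits

def audit_port_security(config):
    """Return (duplicates, unpinned): MACs pinned on several ports, and
    port-security ports with no static MAC (they learn addresses dynamically)."""
    pinned = defaultdict(list)          # normalized MAC -> interfaces
    enabled, has_static, current = [], set(), None
    for line in config.splitlines():
        line = line.strip()
        if line.lower().startswith("interface "):
            current = line.split(None, 1)[1]
        elif current and line.lower() == "switchport port-security":
            enabled.append(current)
        elif current and (m := STATIC_MAC.match(line)):
            pinned[normalize_mac(m.group(1))].append(current)
            has_static.add(current)
    duplicates = {mac: p for mac, p in pinned.items() if len(set(p)) > 1}
    unpinned = [p for p in enabled if p not in has_static]
    return duplicates, unpinned
```

Run against the configuration posted in the question, this would list FastEthernet0/6 through 0/10 as unpinned, which is the gap left after the range command applied the static entries to the first port only.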

New Member

Hi,

When you put it like that it makes sense, as it would create switching loops I guess otherwise, as it has to statically add the MAC addresses to the CAM table; STP is doing its job.

Thanks for the quick reply, we were just trying to secure ports to only certain MAC addresses.

Regards
