Is it possible to allow the same MAC address to be configured on two different ports? Due to security requirements where I work, a typical configuration for a port connecting to an end device (PC) is:
switchport mode access
switchport port-security mac-address sticky
We have a new configuration where we need help. I have a laptop that will be used in two different rooms. Both rooms are wired to the same switch (Cisco WS-C2950-24) but on different ports.
We would like to configure port security such that the laptop can be connected in either room without port security tripping us up (e.g., the laptop MAC address is applied to port #1 and port #2).
You might need to increase the MAC address count to greater than 1, which is the default. If you leave it at the default, then only the configured static MAC will be allowed and there will be no dynamic learning allowed on the port. Use the command
switchport port-security max-count 2
Also, please enable the static MAC aging timer on both ports so that when a user moves from one room to another, the previously configured MAC gets aged out of the port and the user gets connectivity on the other port.
1. When I try to add the same MAC address to the second port we get the message "Found duplicate mac address." Any attempt to connect the laptop to the second port after the MAC is stuck to the first port will error-disable the second port. (We have the ports shut down when a violation occurs.)
2. The only command I have is "switchport port-security maximum" and it is set to 2. My limited understanding of this setting is that it will allow up to 2 MAC addresses on this port.
3. I enabled the aging timer.
So far no luck. Will use of an ACL and mac table do the trick for us?
Well, it's not allowing us to put the same MAC on both ports.
I think we can achieve this as long as we have the "mac aging" timer enabled for the dynamic MAC addresses on both ports.
Please do not enable sticky MAC address learning on the port, as aging for sticky MAC addresses is not supported.
The difference between sticky and dynamic MAC addresses is that a sticky MAC address will be learned permanently on the port even if the switch reboots, while the dynamic entries get removed if the switch reboots.
Once the user moves from one port to another, if the aging timer is configured, the port-security table will flush the MAC address and the user will be able to connect to the second port.
Use the following command:
switchport port-security aging time 60 type inactive
The full set of config commands on these two ports would be
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2 <--- If you want to allow more than 1 MAC on the ports.
Switch(config-if)# switchport port-security aging time 60 type inactive <-- after 1 minute of inactivity the MAC will be flushed out of the port-security table and can be learned on the other port.
NOTE: You can mix and match this, with one port configured for a static MAC with an aging timer and another port configured with dynamic learning and aging.
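The behaviour this answer relies on can be checked against a small model. The following Python script is an added example, not code from the thread or from Cisco: it is a deliberately simplified simulation of a port-security table (per-port maximum, sticky versus dynamic entries, inactivity aging, and shutdown on violation), not the IOS implementation. The MAC address, port names and timings are constructed; the rules it encodes are the ones stated in this thread (sticky entries do not age and survive a reboot; a MAC already secured on another port trips the port it shows up on; an entry idle for the inactivity timer is flushed and can be learned elsewhere).

```python
"""Simplified model of port security (added example; not Cisco's implementation)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    name: str
    maximum: int = 1              # switchport port-security maximum N
    aging_time: int = 0           # seconds; 0 = aging disabled
    aging_type: str = "absolute"  # "absolute" or "inactive"
    sticky: bool = False          # sticky learning: entries never age, survive reboot
    secure: dict = field(default_factory=dict)  # mac -> (learned_at, last_seen)
    err_disabled: bool = False    # violation mode shutdown


class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.now = 0  # simulated clock in seconds

    def tick(self, seconds):
        """Advance time and age out entries on ports that have an aging timer."""
        self.now += seconds
        for p in self.ports.values():
            if p.aging_time == 0 or p.sticky:  # sticky entries are not aged (per the thread)
                continue
            for mac, (learned_at, last_seen) in list(p.secure.items()):
                ref = last_seen if p.aging_type == "inactive" else learned_at
                if self.now - ref >= p.aging_time:
                    del p.secure[mac]

    def reboot(self):
        """Dynamic entries are lost on reboot; sticky entries persist."""
        self.now = 0
        for p in self.ports.values():
            if not p.sticky:
                p.secure.clear()
            p.err_disabled = False

    def frame(self, port_name, mac):
        """Process one frame from `mac` on `port_name`; return what happened."""
        p = self.ports[port_name]
        if p.err_disabled:
            return "err-disabled"
        # A MAC still secured on another port is a violation here (the "duplicate" case).
        for other in self.ports.values():
            if other is not p and mac in other.secure:
                p.err_disabled = True
                return "violation"
        if mac in p.secure:
            learned_at, _ = p.secure[mac]
            p.secure[mac] = (learned_at, self.now)  # refresh inactivity timestamp
            return "forwarded"
        if len(p.secure) >= p.maximum:
            p.err_disabled = True
            return "violation"
        p.secure[mac] = (self.now, self.now)  # learn it
        return "forwarded"


LAPTOP = "0011.2233.4455"  # constructed MAC address for the roaming laptop


def sticky_scenario():
    """Sticky on both ports: moving rooms error-disables the second port."""
    sw = Switch([Port("Fa0/1", maximum=2, sticky=True),
                 Port("Fa0/2", maximum=2, sticky=True)])
    first = sw.frame("Fa0/1", LAPTOP)
    sw.tick(3600)  # an hour of inactivity changes nothing for sticky entries
    second = sw.frame("Fa0/2", LAPTOP)
    return first, second, sw.ports["Fa0/2"].err_disabled
# → ('forwarded', 'violation', True)


def aging_scenario():
    """Dynamic learning with 'aging time 60 type inactive': the move works."""
    sw = Switch([Port("Fa0/1", maximum=2, aging_time=60, aging_type="inactive"),
                 Port("Fa0/2", maximum=2, aging_time=60, aging_type="inactive")])
    first = sw.frame("Fa0/1", LAPTOP)
    sw.tick(60)    # laptop unplugged; entry on Fa0/1 ages out
    second = sw.frame("Fa0/2", LAPTOP)
    return first, second, LAPTOP in sw.ports["Fa0/1"].secure, sw.ports["Fa0/2"].err_disabled
# → ('forwarded', 'forwarded', False, False)


def early_move_scenario():
    """Moving before the inactivity timer expires still trips the second port."""
    sw = Switch([Port("Fa0/1", maximum=2, aging_time=60, aging_type="inactive"),
                 Port("Fa0/2", maximum=2, aging_time=60, aging_type="inactive")])
    sw.frame("Fa0/1", LAPTOP)
    sw.tick(30)    # only half the timer has elapsed
    return sw.frame("Fa0/2", LAPTOP)
# → 'violation'


if __name__ == "__main__":
    print("sticky:", sticky_scenario())
    print("aging :", aging_scenario())
    print("early :", early_move_scenario())
```

The early-move case is the one to keep in mind operationally: with `type inactive` and a 60 second timer, a user who walks between rooms faster than that will still error-disable the second port, so the timer value is a trade-off between how long a stale entry lingers and how quickly a legitimate move is accepted.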
I tested this process on two WS-C2950T-48-SI switches. One did not work, but on the second I was able to successfully connect the laptop to two different ports. In fact, with switchport port-security maximum 2 set, I was able to connect a second laptop to the same ports. The MACs from both laptops are configured on both ports and I can connect to my network.
I have not checked all of the settings against one another, but this test proves it should be possible.