Cisco Support Community

New Member

why do we need to put secure addresses in port security

hi all

On some configs I see 10 allowed MAC addresses on a port, and 2 of these are configured. Why would you configure 2 and allow 9 other MAC addresses to connect? Is it that these do not age out?

cheers

1 REPLY
Silver

Re: why do we need to put secure addresses in port security

Hi,

By default they don't age out; however, you can enable aging based on an absolute value or on inactivity.

The reason why one might configure 10 MAC addresses as a maximum is to protect the switch CAM table from being flooded with more than the maximum number of supported MAC addresses. If that situation happened, the switch would not be able to learn more addresses and would start sending traffic to all ports in the same VLAN as a best effort for every new destination MAC address which cannot be learnt. Usually this is used by attackers to capture traffic in the same VLAN that is not destined to them.

To read more about this, refer to Content Addressable Memory (CAM) Table Overflow section:

http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_example09186a00807c4101.shtml

Configuring 2 MAC addresses statically ensures that those addresses can be used to communicate even if we learn more addresses on that port (that is 2 + 8 as a maximum based on your example). We also allow 8 other MAC addresses to be learnt on that port at the same time.

For more details about Port Security, refer to the "Configuring Port Security on 3750 switches" guide on the following link:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_55_se/configuration/guide/swtrafc.html#wp1155297

Andras
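The configuration that the reply describes (a maximum of 10 secure addresses, 2 of them static, the remaining 8 learned dynamically, with aging turned on) looks like this on a Catalyst 3750 running the 12.2(55)SE code that the linked guide covers. This is an added example, not configuration from the thread or from the Cisco guide; the interface name, VLAN and MAC addresses are assumed placeholders.

```cisco
! Added example (not from the thread). Catalyst 3750, IOS 12.2(55)SE syntax.
! Interface, VLAN and MAC addresses below are assumed placeholders.
interface GigabitEthernet1/0/1
 description user access port (assumed)
 switchport mode access
 switchport access vlan 10
 !
 ! Enable port security and cap the port at 10 secure MAC addresses in total.
 switchport port-security
 switchport port-security maximum 10
 !
 ! Two static secure addresses. They always occupy 2 of the 10 slots and
 ! survive a reload because they are part of the saved configuration.
 ! The other 8 slots are filled by dynamically learned addresses.
 switchport port-security mac-address 0000.1111.aaaa
 switchport port-security mac-address 0000.1111.bbbb
 !
 ! What happens on the 11th address. The default is shutdown (port goes
 ! err-disabled). restrict drops the offending frames, increments the
 ! violation counter and logs/traps, but keeps the port up.
 switchport port-security violation restrict
 !
 ! Aging. Secure addresses never age by default; this ages a dynamically
 ! learned address after 5 minutes without traffic from it. "aging type
 ! absolute" would instead remove it a fixed 5 minutes after it was learned.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 !
 ! The two static addresses are exempt from aging unless this is also set.
 ! Leave it commented out when the point of the static entries is that
 ! they must never be removed.
 ! switchport port-security aging static
!
! Only relevant with the default "violation shutdown": bring an err-disabled
! port back automatically instead of waiting for a manual shut/no shut.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

To check the result, `show port-security interface GigabitEthernet1/0/1` reports the maximum, the current total, how many are configured (static) versus learned, the violation mode and count, and the aging settings; `show port-security address` lists each secure MAC with its type (SecureConfigured or SecureDynamic) and remaining age; `show mac address-table count` shows how full the CAM table actually is, which is the resource the maximum is protecting. One caveat for the question as asked: with a maximum of 10 and 2 static entries the port learns 8 more addresses, not 9, because the static entries count against the maximum.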
