Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

MAC address port security -- side effect?


I have been working on a Cisco Catalyst 2960 in an academic library setting. I have connected an unmanaged switch to 0/4 for public terminal connections, of which there are currently ten. In order to prevent library patrons from unplugging the network cable to the public terminals and connecting their own laptops, I have implemented MAC address security on the port to which the unmanaged switch is connected.

There are a few other data outlets in the library, which the librarians wish to use by connecting their laptops for presentations and tutorial sessions. Due to limited space on the 2960 Catalyst, I connected those various data ports to the unmanaged switch, and added the librarians' laptops' MAC addresses to the list of permitted addresses -- the goal was to enable the ports only for library staff, and not for public use.

All was well until later, when we discovered that one of the librarians, whose laptop is her primary system, could not connect from any other port on the Catalyst 2960 -- _only_ on port 0/4, where her MAC address was in the list.

In all the documentation I've read I have found nothing that would suggest this as a byproduct of using port security based on MAC address learning. At least in my understanding, having her MAC address in the list should have -allowed- her computer on that port and not affected any of the other ports at all.

Is my understanding incorrect? If not, has anyone else encountered this anomaly? If so, how did you resolve it? -Did- you resolve it?

New Member

Re: MAC address port security -- side effect?

We had to implement port security due to HIPPA regulations. If you have a MAC-Address configured for a port, that MAC-Address will only work on that port only. We have found that moving a PC requires us to remove the old port security definition and then put in the new port security definition. And this was across a network of 120 switches.

We have roamers in our enviornment and in order to get them to connect, we created a Secure Laptop VLAN, and placed in on the port and then made the placed the Laptop's in DHCP as reservations. So, they any 152 laptop can plug into any 152 plug and get on the network. Anyone else would not get an IP. It works well in our enviornment.