Cat4000 Hard-Coded CAM Entry

I want to lock a specific MAC address to a specific port on a Cat4000 (Sup 1, CatOS 8.4(8)GLX). The MAC address should always exist in the CAM table for that port (i.e. never age out), and nothing connected to any other ports should ever be able to spoof or otherwise use that MAC address.

Will "set cam permanent" work for this? I haven't found any documentation saying it prevents other ports from sharing / joining with the same MAC address.

One last detail - this is a static 802.1q trunk port with a few VLANs traversing the trunk. Would I have to configure this once for each VLAN, even though it's the same MAC address?

Thanks!

-Mason

Accepted Solution

Re: Cat4000 Hard-Coded CAM Entry

Hi. Yes, you can do that; however, in regards to MAC spoofing, I don't think it can be avoided. However, the switch should produce an alert when such an event happens.

" Usage Guidelines

The vlan variable is required when you configure the traffic filter entry.

If the given MAC address is a multicast address (the least significant bit of the most significant byte is set to 1) or broadcast address (ff-ff-ff-ff-ff-ff) and you specify multiple ports, the ports must all be in the same VLAN. If the given address is a unicast address and you specify multiple ports, the ports must be in different VLANs.

The MSM does not support the set cam command.

If you enter a route descriptor and do not specify a VLAN parameter, the default is the VLAN already associated with the port. If you enter a route descriptor, you can use only a single port number (for the associated port).

The MAC address and VLAN for a host can be stored in the NVRAM. It is maintained even after a reset.

The vlan number is optional unless you are setting CAM entries to dynamic, static, or permanent for a trunk port, or if you are using the agingtime keyword.

If port(s) are trunk ports, you must specify the VLAN.

Static (nonpermanent) entries remain in the table until you reset the active supervisor engine.

Enter the route_descr variable as two hexadecimal bytes in the following format: 004F. Do not use a hyphen (-) to separate the bytes.

What happens when a host's MAC address is learned on one switch port, and then the host moves so that it appears on a different switch port? Ordinarily, the host's original CAM table entry would have to age out after 300 seconds, while its address was learned on the new port. To avoid having duplicate CAM table entries, a switch purges any existing entries for a MAC address that has just been learned on a different switch port. This is a safe assumption because MAC addresses are unique, and a single host should never be seen on more than one switch port unless problems exist in the network. If a switch notices that a MAC address is being learned on alternating switch ports, it generates an error message that flags the MAC address as "flapping" between interfaces. "

"... One last detail - this is a static 802.1q trunk port with a few VLANs traversing the trunk. Would I have to configure this once for each VLAN, even though it's the same MAC address? ..." Does the MAC belong to a switch or an end host? If it is an end host, then you only need to specify the VLAN where the end host is placed.

I hope it helps .. please rate it if it does !!!

2 REPLIES


Re: Cat4000 Hard-Coded CAM Entry

Thanks for the details.... Reading the part about multicast and broadcast MAC addresses being allowed on multiple ports makes me think that perhaps the unicast MAC address I assign to a specific port may prevent other ports from spoofing. At least the static route vs. dynamic route logic would prefer the static route, so maybe the static CAM entry will be preferred over a dynamic CAM entry.

The host connected to the port is a router. Since my Supervisor II isn't L3 capable, I'm using a router-on-a-stick setup to route between several VLANs. So the MAC address must exist on each VLAN of the trunk port, and it will always be the same MAC address. I'll try entering "set cam permanent" for each of the VLANs on the trunk port and see how that works.

Thanks for the quick, and helpful, reply!

-Mason
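As an added worked example (not code from this thread or from Cisco), the following script checks a planned set of permanent CAM entries against the "set cam" usage guidelines quoted in the accepted answer (trunk ports need a VLAN; a unicast MAC on several ports needs a different VLAN per port; a multicast or broadcast MAC on several ports needs one VLAN) and then emits one command per VLAN for Mason's router-on-a-stick trunk. The command form `set cam permanent <mac> <mod/port> [vlan]`, the port 2/1, the VLAN numbers and the router MAC are assumptions; verify the syntax against the CatOS reference for your release.

```python
# Added example: validate planned CatOS permanent CAM entries against the quoted
# "set cam" usage guidelines and emit the commands. The command syntax
# "set cam permanent <mac> <mod/port> [vlan]" is an assumption, not taken from the thread.
from collections import defaultdict

BROADCAST = "ff-ff-ff-ff-ff-ff"


def mac_kind(mac):
    """Classify a MAC per the guideline: multicast = least significant bit of
    the most significant byte set to 1; broadcast = all ff; otherwise unicast."""
    octets = mac.lower().split("-")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"expected xx-xx-xx-xx-xx-xx, got {mac!r}")
    if mac.lower() == BROADCAST:
        return "broadcast"
    return "multicast" if int(octets[0], 16) & 1 else "unicast"


def check_entries(entries, trunk_ports):
    """entries: iterable of (mac, 'mod/port', vlan or None).
    Returns the list of guideline violations (an empty list means consistent)."""
    problems, by_mac = [], defaultdict(list)
    for mac, port, vlan in entries:
        if port in trunk_ports and vlan is None:   # trunk ports must carry a VLAN
            problems.append(f"{mac.lower()} on trunk {port}: VLAN must be specified")
        by_mac[mac.lower()].append((port, vlan))
    for mac, places in by_mac.items():
        if len({p for p, _ in places}) < 2:        # multi-port rules only
            continue
        if mac_kind(mac) == "unicast":             # unicast: ports in different VLANs
            ports_per_vlan = defaultdict(set)
            for port, vlan in places:
                ports_per_vlan[vlan].add(port)
            for vlan, ports in ports_per_vlan.items():
                if len(ports) > 1:
                    problems.append(f"unicast {mac}: ports {sorted(ports)} share VLAN {vlan}")
        elif len({v for _, v in places}) > 1:      # multicast/broadcast: one VLAN only
            problems.append(f"{mac_kind(mac)} {mac}: multiple ports must all be in one VLAN")
    return problems


def catos_commands(entries):
    """One 'set cam permanent' line per entry; a trunk gets one line per VLAN."""
    return [f"set cam permanent {mac.lower()} {port}" + ("" if vlan is None else f" {vlan}")
            for mac, port, vlan in entries]


# Constructed sample: router MAC pinned to trunk port 2/1 on VLANs 10, 20 and 30.
ROUTER_MAC = "00-00-0c-aa-bb-cc"  # constructed placeholder, not a real device
TRUNK_PLAN = [(ROUTER_MAC, "2/1", vlan) for vlan in (10, 20, 30)]
```

Running `check_entries(TRUNK_PLAN, {"2/1"})` returns an empty list for the sample plan, and `catos_commands(TRUNK_PLAN)` yields the three per-VLAN commands to paste into the CatOS console.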
