We want to configure only trusted MAC addresses on a 2950 switch. So I am thinking of a static entry such as "mac address-table static xxxx.xxxx.xxxx vlan 60 interface range fastethernet0/1-10" for the first 10 ports. Has anyone done a similar thing?
I'd suggest using port-security: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a00801cde7f.html#1038501
As a follow-up question, if I was to implement port security for a room of say 10 wall ports, and therefore 10 switchports, is it more efficient to just configure one instance on the Gigabit interface? I suppose this would limit the whole switch then (all 48 ports)?
Port Security restricts traffic flowing into a given port based on source MAC address. So if the gigabit port is an uplink in your case, configuring port security on it won't do you any good, because the traffic is going into the FE ports and out of the gigabit port.
I see, thanks for that clarification. So it is possible, right, as long as the GBIC port is a non-uplink, so maybe higher up in the Giga-stack?
Port Security can be used on any given port to restrict traffic going into that port. So in your case the other end of the uplink (e.g., whatever the GBIC connects to) could have Port Security configured.
My plan then is to use the Port Security method on all 48 ports on the 2950 switch using the interface range command (i.e.)
(config)# interface range fastethernet0/1-48
then these commands:
switchport mode access
switchport port-security mac-address xxxx.xxxx.xxxx
(repeat the last line for all MACs)
Question: is there a way to cut and paste all these MACs into the config file, probably 50 MAC addresses?
That won't work -- a given MAC address can be configured as a secure address on only 1 port at a time. The reason is that when you configure a secure address on a port, the switch installs a static CAM table entry which maps the MAC address to that port. For a given MAC address to be mapped to multiple ports in a switch's CAM table is generally considered an error condition, as it goes against the entire concept of switching.
So if you're going to have hosts constantly changing ports such that a static configuration of one MAC address per port isn't practical, your options are: 1) configure port security on an upstream port, 2) use VMPS (which the 2950 can't do on its own -- VMPS Server functionality is required, which means either a high-end Cisco switch like a 4000, 5000 or 6500, or a third-party solution like OpenVMPS), or 3) use 802.1x.
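An added example, not from any poster in this thread: a small Python generator for the one-MAC-per-port approach the reply above describes, fed by a constructed "port,mac" inventory. It normalizes the MAC notation and refuses an inventory that secures the same MAC on two ports, which is the error condition the reply explains. The `switchport port-security` and `switchport port-security maximum` commands are standard IOS port-security commands that the thread itself does not quote.

```python
import re

# Constructed sample input (not from the thread): "switchport,MAC", one trusted
# MAC per port, in whichever MAC notation the inventory happened to use.
SAMPLE_MAC_LIST = """\
# port,mac
fastethernet0/1,0011.2233.4455
fastethernet0/2,00-11-22-33-44-66
fastethernet0/3,00:11:22:33:44:77
"""

def normalize_mac(mac):
    """Return the MAC in IOS dotted form (xxxx.xxxx.xxxx); reject anything else."""
    digits = re.sub(r"[.:-]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError("bad MAC address: %r" % mac)
    return ".".join(digits[i:i + 4] for i in (0, 4, 8))

def parse_assignments(text):
    """Parse 'port,mac' lines. A MAC listed for a second port is rejected,
    since the switch installs one static CAM entry per secure address."""
    owner = {}
    assignments = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        iface, mac = [p.strip() for p in line.split(",", 1)]
        mac = normalize_mac(mac)
        if mac in owner:
            raise ValueError("line %d: %s is already secured on %s"
                             % (lineno, mac, owner[mac]))
        owner[mac] = iface
        assignments.append((iface, mac))
    return assignments

def render_config(assignments, max_addresses=1):
    """Emit one IOS interface stanza per port: access mode, port security on,
    at most max_addresses secure MACs, and the static secure MAC itself."""
    lines = []
    for iface, mac in assignments:
        lines += ["interface %s" % iface,
                  " switchport mode access",
                  " switchport port-security",
                  " switchport port-security maximum %d" % max_addresses,
                  " switchport port-security mac-address %s" % mac]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(render_config(parse_assignments(SAMPLE_MAC_LIST)))
```

The printed output is the block you would paste into config mode on the 2950, one stanza per port.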
Option 1: Upstream port = GigabitEthernet interface on a Catalyst 3550, currently with this configuration (in show run). Question: Will setting this to access mode (for secure port) nullify all/some/most of this configuration? FYI: This is the 2nd to last switch in the stack, with the last being the 2950 on which all ports will be MAC secured.
switchport trunk encapsulation dot1q
switchport mode trunk
no ip address
mls qos trust cos
auto qos voip trust
wrr-queue bandwidth 20 1 80 0
wrr-queue queue-limit 80 1 20 1
wrr-queue cos-map 1 0 1 2 4
wrr-queue cos-map 3 3 6 7
wrr-queue cos-map 4 5
spanning-tree vlan 20 port-priority 0
The 3550 documentation (for the newest software version) says that, unlike with the 2950s, a trunk port on a 3550 can indeed have port security enabled. So you should be ok there.