Cisco Support Community

Switchport port-security by mac address

Below is the config for our c3550 running I9K2M.

You will notice that the 5 static mac-addresses are the same between port 0/37 and port 0/38.

Those 5 mac-address devices are floaters, and we want them locked down but flexible to move between the 2 port locations. However, whenever we plug in one device on that mac-address list, it automatically shuts down the other port interface.

So for example, if the first mac-address on the list, 0012.a121.88bc, is plugged into port f0/37, port f0/38 is shut down also, so that no other devices can get on port f0/38.

Is there a fix/workaround for this, or is this an IOS bug?

Thanks

======================================

interface FastEthernet0/37
 description abcsystems - 8E22
 switchport access vlan 804
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 0012.a121.88bc
 switchport port-security mac-address 0022.b131.88cc
 switchport port-security mac-address 0033.b151.88dd
 switchport port-security mac-address 0044.c141.88ee
 switchport port-security mac-address 0055.c161.88ff
 no ip address
 logging event spanning-tree status
 logging event bundle-status
 logging event trunk-status
 no mdix auto
 power inline never
 storm-control broadcast level 50.00
 spanning-tree portfast
!
interface FastEthernet0/38
 description abcsystems - 8E332
 switchport access vlan 804
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 0012.a121.88bc
 switchport port-security mac-address 0022.b131.88cc
 switchport port-security mac-address 0033.b151.88dd
 switchport port-security mac-address 0044.c141.88ee
 switchport port-security mac-address 0055.c161.88ff
 no ip address
 logging event spanning-tree status
 logging event bundle-status
 logging event trunk-status
 no mdix auto
 power inline never
 storm-control broadcast level 50.00
 spanning-tree portfast
!

3 REPLIES

Re: Switchport port-security by mac address

Not a bug. This is how port security works:

***

Security Violations

It is a security violation when one of these situations occurs:

•The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

•An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

***

See second bullet above.

Also, please read the configuration guide:

http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225see/scg/swtrafc.htm#wp1038546
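As an added illustration (not part of this thread and not Cisco's code), the following Python script parses the interface stanzas of an IOS running-config and reports, before any frame is seen on the wire, the two violation conditions quoted above: an interface with more static secure MAC addresses than its configured maximum, and a MAC address configured as secure on more than one interface. The guide's wording limits the second condition to interfaces in the same VLAN, while the later reply in this thread argues the VLAN does not matter, so the report marks each duplicate with whether all of its interfaces share a VLAN instead of suppressing the cross-VLAN case. The embedded configuration is constructed and modelled on the one in the question (two of the five MACs, plus a third port in another VLAN to exercise both checks); the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the configuration posted in the question:
# the same static secure MACs on two access ports in VLAN 804, plus a third
# port in VLAN 805 that repeats one MAC and over-fills its maximum.
SAMPLE_CONFIG = """\
interface FastEthernet0/37
 description abcsystems - 8E22
 switchport access vlan 804
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 0012.a121.88bc
 switchport port-security mac-address 0022.b131.88cc
 spanning-tree portfast
!
interface FastEthernet0/38
 description abcsystems - 8E332
 switchport access vlan 804
 switchport mode access
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 0012.a121.88bc
 switchport port-security mac-address 0022.b131.88cc
!
interface FastEthernet0/39
 switchport access vlan 805
 switchport port-security maximum 1
 switchport port-security mac-address 0012.a121.88bc
 switchport port-security mac-address 0099.aaaa.bbbb
!
"""

# IOS writes MACs as three dot-separated groups of four hex digits.
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_interfaces(config):
    """Return {ifname: {vlan, maximum, violation, macs}} for every interface stanza.

    IOS defaults are assumed when a line is absent: maximum 1, violation shutdown.
    """
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"vlan": None, "maximum": 1,
                                   "violation": "shutdown", "macs": []}
        elif line == "!":
            current = None            # '!' closes the stanza
        elif current is None or not line:
            continue
        elif line.startswith("switchport access vlan "):
            interfaces[current]["vlan"] = int(line.split()[-1])
        elif line.startswith("switchport port-security maximum "):
            interfaces[current]["maximum"] = int(line.split()[-1])
        elif line.startswith("switchport port-security violation "):
            interfaces[current]["violation"] = line.split()[-1]
        elif line.startswith("switchport port-security mac-address "):
            # Pick the MAC-shaped token so 'sticky X' and 'X vlan N' forms also parse.
            for token in line.split():
                if MAC_RE.match(token.lower()):
                    interfaces[current]["macs"].append(token.lower())
    return interfaces


def audit(interfaces):
    """Apply the two documented violation conditions to the parsed config."""
    findings = []
    # Condition 1: more static secure MACs than the interface will ever admit.
    for name, cfg in interfaces.items():
        if len(cfg["macs"]) > cfg["maximum"]:
            findings.append({"kind": "over-maximum", "interface": name,
                             "configured": len(cfg["macs"]), "maximum": cfg["maximum"]})
    # Condition 2: one MAC secured on several interfaces; moving the device
    # between them will be seen as a violation on the port it appears on.
    owners = defaultdict(list)
    for name, cfg in interfaces.items():
        for mac in cfg["macs"]:
            owners[mac].append(name)
    for mac, names in sorted(owners.items()):
        if len(names) > 1:
            vlans = {interfaces[n]["vlan"] for n in names}
            findings.append({"kind": "duplicate-secure-mac", "mac": mac,
                             "interfaces": names, "same_vlan": len(vlans) == 1})
    return findings


def run_sample():
    return audit(parse_interfaces(SAMPLE_CONFIG))


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

Run against a real `show running-config` dump, the script flags exactly the layout in the question: each of the shared MACs appears under `duplicate-secure-mac` with `same_vlan` true, which is the case the configuration guide names as a violation.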


Re: Switchport port-security by mac address

Dear Roberto,

We switched from Extreme Network to Cisco Switching gear 3550/3560 and 6509/6313. And on the Extreme Network we could do this. E.g. we could assign the same 5 mac addresses to 3 different ports and it would allow a portable medical device on wheels in our facility to move to a different patient room. But the Cisco switch doesn't allow this.

So, would either of these 2 work-around scenarios work?

1. What if we assigned a different VLAN to each port but kept the same 5 MAC addresses on each port?

We could assign the two VLANs to the same gateway, using either a 29 or 30 bit mask of 255.255.255.252 or 255.255.255.248. Right now the gateway is a class C, 255.255.255.0.

2. What if we clustered the switches, and used a different switch (another 3550) on a separate VLAN for the one port with the 5 MAC addresses, and then a second switch with a different VLAN with the same 5 MACs? The catch is the IP addresses need to be the same. That is the problem. These 5 mobile devices report to another medical device that looks for the static IP address.

Thanks

Re: Switchport port-security by mac address

Scenario one would not work, since it really does not depend on the VLAN. The switch will still see the MAC address being a secured MAC address on one port, and then it being learned on another port will trigger a port security violation.

Scenario two might work, but not clustered, since clustering would mean the commander will still see the port violation. However, if they are just trunked, it might work.
