switchport security on Catalyst 2950G-48-EI

s-durando
Level 1

I have the following scenario:

- one switch 2950G-48-EI
- 6 laptops
- 10 drops, each connected to a port on the switch

I'd like to set up port security to allow "roaming" of the 6 laptops across the 10 drops without triggering port security violations.

I configured the switch with 2 mac-addresses in order to test the scenario:

!
interface fastethernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface fastethernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!

I have 2 PCs, PC A with MAC aaaa.aaaa.aaaa, PC B with MAC bbbb.bbbb.bbbb.

I connect PC A to Fa0/1. It works fine and pings its default gateway.

I connect PC B to Fa0/2. It doesn't ping its default gateway and the switch doesn't learn the MAC address. If I disconnect PC A, there is no change. The only way to get PC B working is to connect it to Fa0/1.

It seems that MACs aaaa.aaaa.aaaa and bbbb.bbbb.bbbb are strictly assigned to port Fa0/1.

How can I permit 'roaming' of the laptops while maintaining security as well?

Thanks in advance

Stefano

2 Replies

pkhatri
Level 11

Hi Stefano,

A more workable solution may be to use MAC ACLs.

For example,

mac access-list extended SecureHosts
 permit host aaaa.aaaa.aaaa any
 permit host bbbb.bbbb.bbbb any
!
interface fastethernet0/1
 mac access-group SecureHosts in
!
interface fastethernet0/2
 mac access-group SecureHosts in
!

Hope that helps - please rate the post if it does.

Paresh

Roberto Salazar
Level 8

Security Violations

It is a security violation when one of these situations occurs:

• The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

• An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Having said that, bullet two is why moving a laptop to a new interface prevents that laptop from connecting through the switch on the new interface. You might want to try adjusting the aging time for the secured MAC, but even then you have to tell the users to wait a certain amount of time before plugging into the new interface, which is not very scalable. The previous post suggested a MAC ACL. I would agree it is a better solution.
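To make the two rules above concrete, here is an added Python model (written for this page, not Cisco code or anything posted in the thread) that replays Stefano's scenario against them. It assumes both ports are in the same VLAN, that a MAC can be secured on only one port per VLAN so the first port configured with it keeps the binding, and that `age_out` stands in for port-security aging with static aging enabled.

```python
from collections import defaultdict


class PortSecurity:
    """Toy model of Catalyst port security violation rules (not Cisco code)."""

    def __init__(self):
        self.maximum = {}                 # port -> maximum secure addresses
        self.bound = defaultdict(set)     # port -> secure MACs held on that port
        self.owner = {}                   # MAC -> the one secure port holding it
        self.violations = defaultdict(int)  # port -> frames restricted

    def configure(self, port, maximum, static_macs=()):
        self.maximum[port] = maximum
        self.violations[port] = 0
        for mac in static_macs:
            # Assumption: one secure binding per MAC per VLAN, so the first
            # port configured with the address keeps it.
            if mac not in self.owner:
                self.owner[mac] = port
                self.bound[port].add(mac)

    def frame(self, port, mac):
        """Return 'forwarded' or 'violation' for a frame from mac on port."""
        owner = self.owner.get(mac)
        if owner == port:
            return "forwarded"
        if owner is not None:
            # Bullet 2: address secured on another interface in the same VLAN.
            self.violations[port] += 1
            return "violation"
        if len(self.bound[port]) >= self.maximum[port]:
            # Bullet 1: secure table full and the station is unknown.
            self.violations[port] += 1
            return "violation"
        self.bound[port].add(mac)         # dynamic secure learning
        self.owner[mac] = port
        return "forwarded"

    def age_out(self, mac):
        """Expire a binding, as aging would (assumption: static aging enabled)."""
        port = self.owner.pop(mac, None)
        if port is not None:
            self.bound[port].discard(mac)


def replay_scenario():
    sw = PortSecurity()
    for port in ("Fa0/1", "Fa0/2"):   # same config on both ports, as posted
        sw.configure(port, 2, ("aaaa.aaaa.aaaa", "bbbb.bbbb.bbbb"))
    results = {"A on Fa0/1": sw.frame("Fa0/1", "aaaa.aaaa.aaaa"),
               "B on Fa0/2": sw.frame("Fa0/2", "bbbb.bbbb.bbbb"),
               "B on Fa0/1": sw.frame("Fa0/1", "bbbb.bbbb.bbbb")}
    sw.age_out("bbbb.bbbb.bbbb")      # user waited for the binding to age
    results["B on Fa0/2 after aging"] = sw.frame("Fa0/2", "bbbb.bbbb.bbbb")
    return results, dict(sw.violations)
```

The replay shows PC B restricted on Fa0/2 only because its address is already secured on Fa0/1, and forwarded on Fa0/2 once that binding has aged out.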
