switchport security on Catalyst 2950G-48-EI

I have the following scenario:

- one switch 2950G-48-EI

- 6 laptops

- 10 drops connected each one on a port of the switch

I'd like to set up port security to allow "roaming" of the 6 laptops on the 10 drops without engaging port security violations.

I configured the switch with 2 mac-addresses in order to test the scenario:

!
interface fastethernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface fastethernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!

I have 2 PCs, PC A with MAC aaaa.aaaa.aaaa, PC B with MAC bbbb.bbbb.bbbb.

I connect PC A to Fa0/1. It works fine and pings its default gateway.

I connect PC B to Fa0/2. It doesn't ping its default gateway and the switch doesn't learn the MAC address. If I disconnect PC A, there is no change. The only way to have PC B working is to connect it to Fa0/1.

It seems that MACs aaaa.aaaa.aaaa and bbbb.bbbb.bbbb are strictly assigned to port Fa0/1.

How can I permit 'roaming' of the laptops while maintaining security as well?

Thanks in advance

Stefano

2 REPLIES
Re: switchport security on Catalyst 2950G-48-EI

Hi Stefano,

A more workable solution may be to use MAC ACLs.

For example,

mac access-list extended SecureHosts
 permit host aaaa.aaaa.aaaa any
 permit host bbbb.bbbb.bbbb any
!
interface fastethernet0/1
 mac access-group SecureHosts in
!
interface fastethernet0/2
 mac access-group SecureHosts in
!

Hope that helps - pls rate the post if it does.

Paresh

Re: switchport security on Catalyst 2950G-48-EI

Security Violations

It is a security violation when one of these situations occurs:

- The maximum number of secure MAC addresses has been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.

- An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.

Having said that, bullet two is why moving a laptop to a new interface prevents that laptop from connecting through the switch on the new interface. You might want to try adjusting the aging time for the secured MAC, but even then you have to tell the users to wait a certain amount of time before plugging into the new interface, which is not very scalable. The previous post suggested a MAC ACL. I would agree it is a better solution.
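As an added illustration (not code from the thread and not Cisco IOS itself), the following Python model implements the two violation conditions quoted above in 'restrict' mode (frame dropped, violation counter incremented), and beside it the per-port MAC ACL from the previous reply, to show why static port-security entries pin a MAC to one interface while the ACL lets the same two laptops move between ports. The MAC values are the thread's placeholders; cccc.cccc.cccc is a constructed unauthorized station. The model puts the static entries on Fa0/1 only and lets Fa0/2 learn dynamically; it does not try to reproduce how IOS handles the duplicate static entries in the original configuration.

```python
# Added teaching model of the two Layer-2 filtering approaches in this thread.
# It encodes only the violation rules quoted from the Cisco documentation and
# the implicit 'deny any any' at the end of an IOS access list; everything
# else (interface names, sample MACs) is constructed for the example.
from dataclasses import dataclass, field

PC_A = "aaaa.aaaa.aaaa"       # the thread's placeholder for PC A
PC_B = "bbbb.bbbb.bbbb"       # the thread's placeholder for PC B
INTRUDER = "cccc.cccc.cccc"   # constructed: a station permitted nowhere


@dataclass
class SecurePort:
    """Port-security state for one access port."""
    vlan: int = 1
    maximum: int = 2
    static: set = field(default_factory=set)   # 'switchport port-security mac-address'
    learned: set = field(default_factory=set)  # dynamically learned secure MACs
    violations: int = 0                        # 'restrict' mode keeps counting

    def secure_macs(self):
        return self.static | self.learned


class PortSecuritySwitch:
    def __init__(self):
        self.ports = {}

    def configure(self, name, vlan=1, maximum=2, static=()):
        self.ports[name] = SecurePort(vlan, maximum, set(static))

    def _owner(self, mac, vlan):
        """Interface in this VLAN that already holds mac as a secure address."""
        for name, port in self.ports.items():
            if port.vlan == vlan and mac in port.secure_macs():
                return name
        return None

    def frame(self, port_name, src_mac):
        """Return 'forward' or 'drop' for a frame entering port_name."""
        port = self.ports[port_name]
        owner = self._owner(src_mac, port.vlan)
        if owner == port_name:
            return "forward"
        if owner is not None:
            # Rule 2: secure on another interface in the same VLAN.
            port.violations += 1
            return "drop"
        if len(port.secure_macs()) >= port.maximum:
            # Rule 1: table full and an unknown station shows up.
            port.violations += 1
            return "drop"
        port.learned.add(src_mac)   # dynamic learning into the secure table
        return "forward"


class MacAclSwitch:
    """Per-port MAC ACL: filters on source MAC only, no binding to a port."""

    def __init__(self, permitted):
        self.permitted = set(permitted)   # one 'permit host X any' per entry
        self.applied = set()              # ports with 'mac access-group ... in'

    def apply(self, port_name):
        self.applied.add(port_name)

    def frame(self, port_name, src_mac):
        if port_name not in self.applied:
            return "forward"              # no ACL on this port: unfiltered
        # Implicit 'deny any any' at the end of the list drops everything else.
        return "forward" if src_mac in self.permitted else "drop"


def port_security_scenario():
    """Static entries on Fa0/1 only; Fa0/2 learns up to two MACs dynamically."""
    sw = PortSecuritySwitch()
    sw.configure("Fa0/1", static=[PC_A, PC_B])
    sw.configure("Fa0/2")
    return {
        "A on Fa0/1": sw.frame("Fa0/1", PC_A),      # its own port: forward
        "B on Fa0/2": sw.frame("Fa0/2", PC_B),      # rule 2: drop, no roaming
        "B on Fa0/1": sw.frame("Fa0/1", PC_B),      # back on its own port
        "X on Fa0/1": sw.frame("Fa0/1", INTRUDER),  # rule 1: table full, drop
        "X on Fa0/2": sw.frame("Fa0/2", INTRUDER),  # learned: count-only control
        "Fa0/2 violations": sw.ports["Fa0/2"].violations,
    }


def mac_acl_scenario():
    """The same two laptops with the ACL from the first reply on both ports."""
    sw = MacAclSwitch(permitted=[PC_A, PC_B])
    for port in ("Fa0/1", "Fa0/2"):
        sw.apply(port)
    return {
        "A on Fa0/1": sw.frame("Fa0/1", PC_A),      # forward
        "B on Fa0/2": sw.frame("Fa0/2", PC_B),      # forward: roaming works
        "X on Fa0/2": sw.frame("Fa0/2", INTRUDER),  # drop: implicit deny
    }


if __name__ == "__main__":
    print(port_security_scenario())
    print(mac_acl_scenario())
```

Two things the model makes visible: a port that secures addresses dynamically (Fa0/2 here) only limits how many stations may attach, not which ones, so the unknown station is learned and forwarded; and the ACL path keeps no violation counter because an ACL drop is not a port-security violation event, so a switch relying on the ACL alone has less to log and alert on than one using port security.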
