02-17-2006 03:06 AM - edited 03-03-2019 01:53 AM
I have the following scenario:
- one switch 2950G-48-EI
- 6 laptops
- 10 drops, each one connected to a port of the switch
I'd like to set up port security to allow "roaming" of the 6 laptops on the 10 drops without engaging port security violations.
I configured the switch with 2 mac-addresses in order to test the scenario:
!
interface fastethernet0/1
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address aaaa.aaaa.aaaa
switchport port-security mac-address bbbb.bbbb.bbbb
!
interface fastethernet0/2
switchport mode access
switchport port-security
switchport port-security maximum 2
switchport port-security violation restrict
switchport port-security mac-address aaaa.aaaa.aaaa
switchport port-security mac-address bbbb.bbbb.bbbb
!
I have 2 PCs, PC A with MAC aaaa.aaaa.aaaa, PC B with MAC bbbb.bbbb.bbbb.
I connect PC A to Fa0/1. It works fine and pings its default gateway.
I connect PC B to Fa0/2. It doesn't ping its default gateway and the switch doesn't learn the MAC address. If I disconnect PC A, there is no change. The only way to have PC B working is to connect it to Fa0/1.
It seems that MAC aaaa.aaaa.aaaa and bbbb.bbbb.bbbb are strictly assigned to port fa0/1
How can I permit 'roaming' of the laptops maintaining security as well?
Thanks in advance
Stefano
02-17-2006 04:35 AM
Hi Stefano,
A more workable solution may be to use MAC ACLs.
For example,
mac access-list extended SecureHosts
permit host aaaa.aaaa.aaaa any
permit host bbbb.bbbb.bbbb any
!
interface fastethernet0/1
mac access-group SecureHosts in
!
interface fastethernet0/2
mac access-group SecureHosts in
!
Hope that helps - please rate the post if it does.
Paresh
02-17-2006 10:47 AM
Security Violations
It is a security violation when one of these situations occurs:
The maximum number of secure MAC addresses have been added to the address table, and a station whose MAC address is not in the address table attempts to access the interface.
An address learned or configured on one secure interface is seen on another secure interface in the same VLAN.
Having said that, bullet two is why moving a laptop to a new interface prevents that laptop from connecting through the switch on the new interface. You might want to try adjusting the aging time for the secured MAC, but even then you have to tell the users to wait a certain amount of time before plugging into the new interface, which is not very scalable. The previous post suggested a MAC ACL. I would agree it is a better solution.
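As an added illustration for this thread (not code from any of the posters), the following Python script checks a saved IOS running-config for the condition the second bullet above describes: the same static secure MAC bound on more than one port-security interface in the same VLAN. It carries two constructed configs: the question's static version (plus a third port in another VLAN, to show that the rule is per VLAN), and a roaming version built from Paresh's MAC ACL together with dynamic learning limited to one station per drop and inactivity aging. The `aging time` / `aging type inactivity` commands are assumed to be available on the 2950's image, and as the reply notes, a laptop moved before the old port's entry ages out will still trip bullet two; the ACL is the control that keeps unknown stations off the drops either way.

```python
"""Audit an IOS running-config for static secure MACs that are bound on more
than one port-security interface in the same VLAN.  Added example for this
thread; the configs below are constructed, not captured from a switch."""
import re
from collections import defaultdict

# Constructed sample 1: the question's configuration (two drops, both with the
# same two static secure MACs), plus one port in VLAN 20 to show the rule is
# evaluated per VLAN.
STATIC_CONFIG = """\
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface FastEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.aaaa.aaaa
 switchport port-security mac-address bbbb.bbbb.bbbb
!
interface FastEthernet0/3
 switchport mode access
 switchport access vlan 20
 switchport port-security
 switchport port-security mac-address aaaa.aaaa.aaaa
!
"""

# Constructed sample 2: the roaming variant.  The MAC ACL decides which
# stations may send on any drop; port security keeps one dynamically learned
# station per drop and ages it out after two idle minutes so the old port
# releases the MAC when a laptop moves (aging commands assumed available).
ROAMING_CONFIG = """\
mac access-list extended SecureHosts
 permit host aaaa.aaaa.aaaa any
 permit host bbbb.bbbb.bbbb any
!
interface FastEthernet0/1
 switchport mode access
 mac access-group SecureHosts in
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
interface FastEthernet0/2
 switchport mode access
 mac access-group SecureHosts in
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 switchport port-security aging time 2
 switchport port-security aging type inactivity
!
"""

MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_interfaces(config):
    """Return {interface: {"vlan", "secure", "static"}} from config text.
    The access VLAN defaults to 1 when no 'switchport access vlan' is set."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        parts = raw.split()
        if not parts or parts[0] == "!":
            cur = None          # '!' ends the current interface block
            continue
        if parts[0] == "interface" and len(parts) > 1:
            cur = parts[1]
            ifaces[cur] = {"vlan": 1, "secure": False, "static": []}
        elif cur is not None and parts[0] == "switchport":
            if parts[1:3] == ["access", "vlan"]:
                ifaces[cur]["vlan"] = int(parts[3])
            elif parts[1:] == ["port-security"]:
                ifaces[cur]["secure"] = True
            elif parts[1:3] == ["port-security", "mac-address"]:
                # 'mac-address sticky' with no address enables sticky learning
                # rather than binding a MAC, so keep only real addresses.
                mac = parts[-1].lower()
                if MAC_RE.match(mac):
                    ifaces[cur]["static"].append(mac)
    return ifaces


def find_conflicts(config):
    """Map (vlan, mac) -> sorted interface names for every static secure MAC
    bound on more than one port-security interface in the same VLAN."""
    bound = defaultdict(set)
    for name, info in parse_interfaces(config).items():
        if info["secure"]:
            for mac in info["static"]:
                bound[(info["vlan"], mac)].add(name)
    return {key: sorted(ports) for key, ports in bound.items() if len(ports) > 1}


if __name__ == "__main__":
    for label, cfg in (("static", STATIC_CONFIG), ("roaming", ROAMING_CONFIG)):
        conflicts = find_conflicts(cfg)
        print(f"{label}: {len(conflicts)} conflicting static MAC(s)")
        for (vlan, mac), ports in sorted(conflicts.items()):
            print(f"  vlan {vlan} {mac} bound on {', '.join(ports)}")
```

Run against the question's config it reports both MACs as bound on Fa0/1 and Fa0/2 in VLAN 1, while the Fa0/3 binding in VLAN 20 is not flagged; the roaming config has no static bindings and reports nothing. On the switch itself, `show port-security address` lists the secure MAC table and `show port-security interface fastethernet0/1` shows the violation count, which is where the symptom in the question becomes visible.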