New Member

Problem with port-security and MAC addresses learning disabled?

Hello,

Is there any problem, or incompatibility, if you configure port-security on 'n' ports that belong to X vlan and also disable mac-address-table learning over that vlan?

Has anyone references, links or pdfs about this issue?

Thank you very much,

Best Regards.

1 ACCEPTED SOLUTION
Silver

Re: Problem with port-security and MAC addresses learning disabled?

Hi Javier,

As I showed above the combination is valid. I didn't put any static entries in port-security but any entries learned via port-security will be shown as static when issuing show mac address-table. All dynamic learning is off.

I'm not sure what kind of security issue you are trying to solve but the configuration is valid.

Daniel Dib
CCIE #37149

Please rate helpful posts.

3 REPLIES
Silver

Re: Problem with port-security and MAC addresses learning disabled?

What is the reason for disabling MAC learning?

Seems to be working from what I can see:

Switch#sh run int f0/1
Building configuration...

Current configuration : 119 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security

Switch#show mac add vlan 1 | i Fa
   1    0012.00f0.b9a0    STATIC      Fa0/1

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0012.00f0.b9a0:1
Security Violation Count   : 0

There is another device connected to Fa0/3.

Switch#sh run int fa0/3
Building configuration...

Current configuration : 57 bytes
!
interface FastEthernet0/3
 switchport mode access

R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Traffic flows; it is flooded to R3 because no MAC address was learned there when port-security was not used.

If we implement blocking of unknown unicast, traffic can't flow to R3.

Switch(config)#int f0/3
Switch(config-if)#switchport block unicast

R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So yes, MAC address learning can be disabled even if port-security is used. However traffic will be flooded to all ports in the VLAN. This could be blocked by implementing blocking of unknown unicast as shown above.

Daniel Dib
CCIE #37149

Please rate helpful posts.

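As an added illustration (not code from this thread or from Cisco), here is a small Python model of the forwarding behaviour Daniel's test shows: with learning disabled on the VLAN, port-security still installs the secured address as a STATIC entry, frames to any address that was never learned are flooded to every port in the VLAN, and "switchport block unicast" stops that flood on a given port. The class names, Fa0/2 and R3's MAC address are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    vlan: int = 1
    port_security: bool = False   # switchport port-security
    max_secure: int = 1           # switchport port-security maximum N
    block_unicast: bool = False   # switchport block unicast
    secure_macs: set = field(default_factory=set)

class Switch:
    def __init__(self, ports, no_learning_vlans=()):
        self.ports = {p.name: p for p in ports}
        self.no_learning = set(no_learning_vlans)  # no mac address-table learning vlan N
        self.mac_table = {}  # mac -> (port name, "STATIC" or "DYNAMIC")

    def receive(self, in_port, src, dst):
        """Forward one unicast frame; return the sorted list of egress ports."""
        port = self.ports[in_port]
        if port.port_security:
            if src not in port.secure_macs and len(port.secure_macs) >= port.max_secure:
                return []  # violation in shutdown mode: frame dropped (port would err-disable)
            port.secure_macs.add(src)
            self.mac_table[src] = (in_port, "STATIC")  # secured entries show as STATIC
        elif port.vlan not in self.no_learning:
            self.mac_table[src] = (in_port, "DYNAMIC")
        if dst in self.mac_table:
            out = self.mac_table[dst][0]
            return [] if out == in_port else [out]
        # Unknown unicast: flood to the VLAN, skipping ports with block unicast
        return sorted(p.name for p in self.ports.values()
                      if p.vlan == port.vlan and p.name != in_port
                      and not p.block_unicast)

def demo():
    """Replay the thread's test: VLAN 1 learning off, Fa0/1 secured, R3 on Fa0/3."""
    sw = Switch([Port("Fa0/1", port_security=True, max_secure=2),
                 Port("Fa0/2"), Port("Fa0/3")], no_learning_vlans=[1])
    host, r3 = "0012.00f0.b9a0", "aaaa.bbbb.0003"  # R3's MAC is constructed
    echo = sw.receive("Fa0/3", r3, host)     # host unknown yet: flooded
    reply = sw.receive("Fa0/1", host, r3)    # R3 never learned: flooded, reaches Fa0/3
    known = sw.receive("Fa0/3", r3, host)    # host now STATIC: unicast to Fa0/1 only
    sw.ports["Fa0/3"].block_unicast = True   # switchport block unicast on Fa0/3
    blocked = sw.receive("Fa0/1", host, r3)  # flood no longer reaches R3, ping fails
    return {"echo": echo, "reply": reply, "known": known,
            "blocked": blocked, "table": dict(sw.mac_table)}
```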
New Member

Re: Problem with port-security and MAC addresses learning disabled?

Hello daniel.dib,

For security reasons, the aim is to disable dynamic learning of entries by configuring:

(config) no mac-address-table learning vlan

and after that to configure port-security on 'n' interfaces belonging to .

I think this configuration should work, although the only entries shown in the MAC table would be those statically configured with port-security, isn't it?

Thank you.
