Cisco Support Community

Simple "Secure MAC Address" Behaviour Question

Just out of curiosity:

PORT1 has a "Secure MAC Address" added (MAC1) and port security set to lock down on a security violation.

PORT2 has no port security.

PORT2 is mirrored to PORT10.

I plugged device with MAC1 into PORT2 and started capturing the traffic via PORT10.

MAC1 made requests on PORT2 but I believe no responses were delivered to PORT2.

Lunchtime conversation at work led to one guy declaring this is not standard IOS behaviour and is some quirk on the SG300.

Is this standard Cisco switch behaviour, just SG300 behaviour (the SG300 does not run IOS), or am I mistaken about what I thought I saw?

In hindsight I note that to add the "Secure MAC Address" one visits "MAC Address Tables -> Static Addresses", clicks "Add" and enters a MAC address, selecting "Secure" as the status. This does imply MAC1 is bound to a port and cannot roam. Is this the right way to configure port lockdown?

Thanks,

Matthew

Simple "Secure MAC Address" Behaviour Question

Matthew,

I am reading this with the belief that Port2 has no responses to that MAC address, correct?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Simple "Secure MAC Address" Behaviour Question

That is correct.

Simple "Secure MAC Address" Behaviour Question

The design is supposed to be similar to the Enterprise counterpart, where if a MAC is learned on a port or statically set with port security then it should not be learned anywhere else. That traffic will not be forwarded to that MAC address because it will only be seen on the port it was learned on.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

Re: Simple "Secure MAC Address" Behaviour Question

That would therefore suggest IOS would do similar. Many thanks for confirming this (and for your time).

As a real-world example, say one had wireless access points on PORT1 and PORT2: does that mean that wireless client MAC addresses would not be allowed to roam between these two access points if port security is set on those two ports (or at least, if the addresses were learned, until they automatically aged out or were manually cleared)?

So if PORT1 (with DownstairsAP) had automatically learnt LAPTOP1's MAC, then LAPTOP1 would not be allowed to use the wireless access point on PORT2 (with UpstairsAP) until it expired from PORT1?
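The following is an added example, not part of this thread and not SG300 or IOS code: a small Python model of a switch MAC table that replays the two situations discussed above, Randy's explanation that a secured MAC is never learned on a second port, and the access-point roaming question in the last post. The port names, MAC addresses, the 300-second aging time, and the rule that a port running port security drops a frame from a MAC secured elsewhere while an unsecured port forwards it (but does not relearn the MAC) are all assumptions made for the illustration.

```python
"""Toy model of a switch forwarding table with port security.

Added example, not SG300 or IOS code. It models the thread's description: a
MAC secured on one port (a static "Secure" entry, or an address learned on a
port running port security) is not learned on any other port, so frames
destined to that MAC leave only via the port where it is secured. Port names,
MACs, the aging time and the drop-on-secured-port rule are assumptions.
"""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Entry:
    port: str
    secure: bool       # static "Secure" entry, or learned on a secured port
    static: bool       # static entries never age out
    learned_at: float  # seconds; used to age dynamic entries


class Switch:
    def __init__(self, ports, aging_secs=300):
        self.ports = list(ports)
        self.aging_secs = aging_secs
        self.table = {}             # mac -> Entry
        self.secured_ports = set()  # ports with port security enabled
        self.events = []            # (kind, port, mac) log, useful for detection

    def enable_port_security(self, port):
        self.secured_ports.add(port)

    def add_secure_static(self, mac, port):
        """Like MAC Address Tables -> Static Addresses with status 'Secure'."""
        self.table[mac] = Entry(port, secure=True, static=True, learned_at=0.0)
        self.secured_ports.add(port)

    def age(self, now):
        """Expire dynamic entries older than the aging time; static ones stay."""
        expired = [m for m, e in self.table.items()
                   if not e.static and now - e.learned_at > self.aging_secs]
        for m in expired:
            del self.table[m]
        return expired

    def receive(self, in_port, src, dst, now=0.0):
        """Handle one frame; return the egress port list ([] means dropped)."""
        self.age(now)
        known = self.table.get(src)
        if known is not None and known.secure and known.port != in_port:
            # A secured MAC seen on another port is never relearned there.
            # Assumption: a port running port security drops the frame as a
            # violation; an unsecured port (the OP's PORT2) forwards it, but
            # the table still points at the secured port.
            if in_port in self.secured_ports:
                self.events.append(("violation", in_port, src))
                return []
            self.events.append(("secure-mac-seen-elsewhere", in_port, src))
        elif known is None or not known.secure:
            # Normal learning; the entry becomes secure on a secured port.
            self.table[src] = Entry(in_port, secure=in_port in self.secured_ports,
                                    static=False, learned_at=now)
        elif not known.static:
            known.learned_at = now  # refresh a dynamically learned secure entry

        target = self.table.get(dst)
        if dst == BROADCAST or target is None:
            return [p for p in self.ports if p != in_port]  # flood
        if target.port == in_port:
            return []  # destination is on the ingress segment; filter
        return [target.port]


def demo():
    """Replay the two situations from the thread with constructed MACs."""
    mac1, server = "00:11:22:33:44:01", "00:11:22:33:44:02"
    laptop1, gateway = "00:11:22:33:44:03", "00:11:22:33:44:04"
    # Original post: MAC1 is a static Secure entry on PORT1; the device with
    # MAC1 is then plugged into PORT2 (no port security) and talks to PORT3.
    sw = Switch(["PORT1", "PORT2", "PORT3"])
    sw.add_secure_static(mac1, "PORT1")
    request = sw.receive("PORT2", mac1, server, now=1.0)  # server unknown: flooded
    reply = sw.receive("PORT3", server, mac1, now=2.0)    # goes to PORT1, not PORT2
    # Last post: LAPTOP1 learned on PORT1 (DownstairsAP), then appears on
    # PORT2 (UpstairsAP); both ports run port security, aging time 300 s.
    sw2 = Switch(["PORT1", "PORT2", "PORT3"])
    sw2.enable_port_security("PORT1")
    sw2.enable_port_security("PORT2")
    sw2.receive("PORT1", laptop1, gateway, now=0.0)
    roam_blocked = sw2.receive("PORT2", laptop1, gateway, now=10.0)
    roam_after_aging = sw2.receive("PORT2", laptop1, gateway, now=400.0)
    return {
        "request_egress": request, "reply_egress": reply, "events": sw.events,
        "roam_blocked": roam_blocked, "roam_after_aging": roam_after_aging,
        "laptop1_port_after_aging": sw2.table[laptop1].port,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block prints, for the first scenario, that the request from PORT2 is flooded but the reply is sent out PORT1 only, which is what the original post observed on the mirror port; for the second, that LAPTOP1 is dropped on PORT2 until its PORT1 entry ages out, after which PORT2 learns it. The `events` log is the kind of signal a switch's port-security log provides, and a secured MAC repeatedly appearing on a different port is worth alerting on.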
