MAC address learning while port-security is on

AmitMarx95362
Level 1

Can I make two port interfaces on the same stack learn the same MAC address while port security is on?

Can I exclude the address from the security table so it won't count?

4 Replies

marce1000
Hall of Fame

 - A MAC address is only learned when a device is active on a particular port.

 M.

-- Each morning when I wake up and look into the mirror I always say 'Why am I so brilliant?'
    When the mirror will then always respond to me with 'The only thing that exceeds your brilliance is your beauty!'

Let's say I need to move one device between two rooms occasionally and be able to do it without clearing port security every time;

on the other hand I don't want to cancel port security entirely.

You can make the violation not take down the traffic but only generate a log.

Hi,

Depending on the switch model, you can implement a MAC access-list. It's like an IP access-list but starts at L2, and will prevent any forwarding on a switchport if the MAC is not permitted. It's like port-security but not tied to one switchport. But there is no automatic shutdown mechanism for the switchport.

E.g. create the "mac access-list" (here only packets with src-mac "0011.2233.4455" will have access to the network):

mac access-list extended TRUSTED-MACs
permit host 0011.2233.4455 any
deny any any
exit

E.g. apply it to all the interfaces which should participate:

int range g2/0/1-48
mac access-group TRUSTED-MACs in
exit

This will check all MAC addresses learned on all switchports of switch member 2 against "TRUSTED-MACs". If the MAC is not in the list, all packets with this MAC will be dropped. Ports without this configuration will not be checked.
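A fuller version of the two suggestions in this thread (a log-only violation mode and the shared MAC ACL), written as an added example by the editor rather than taken from either reply; the two room ports Gi2/0/1 and Gi2/0/2, VLAN 10, the aging timers and the reuse of 0011.2233.4455 are assumptions for a Catalyst IOS stack, and the aging commands are an addition not mentioned in the thread:

```cisco
! Example configuration (added here, not from the thread). Assumes a Catalyst
! IOS stack where the roaming device is 0011.2233.4455 and the two room ports
! are Gi2/0/1 and Gi2/0/2 in VLAN 10. Adjust names, VLAN and timers to fit.
!
! 1) Allow-list of source MACs, shared by every port it is applied to
mac access-list extended TRUSTED-MACs
 permit host 0011.2233.4455 any
 deny   any any
 exit
!
! 2) Both room ports: the MAC ACL plus port-security that logs instead of
!    err-disabling the port
interface range GigabitEthernet2/0/1 - 2
 switchport mode access
 switchport access vlan 10
 mac access-group TRUSTED-MACs in
 switchport port-security
 switchport port-security maximum 1
 ! restrict = drop offending frames, count them and raise a syslog/SNMP trap;
 ! the port itself stays up (the default, shutdown, err-disables it)
 switchport port-security violation restrict
 ! Let a dynamically learned secure MAC expire after 5 idle minutes so the
 ! entry on the room the device just left clears itself. Without aging (or a
 ! manual "clear port-security dynamic"), the same MAC appearing on the other
 ! secure port in the same VLAN is treated as a violation on that port.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
 exit
!
! 3) Checks: secure-address table, per-port violation counters, ACL hit counts
show port-security address
show port-security interface GigabitEthernet2/0/1
show access-lists TRUSTED-MACs
```

Check the platform's ACL guide for whether `mac access-group` on a Layer 2 port matches IP frames: on several Catalyst families a port MAC ACL filters only non-IP traffic, in which case it is the port-security entry, not the ACL, that actually constrains an IP host.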