MAC address learning while port-security is on

AmitMarx95362 · ‎10-12-2020

can i make two port interfaces from the same stack learn the same MAC address while port security is on?

can i exclude the address from the security table so it won't count?

marce1000 · ‎10-12-2020

- A mac address is only learned when a device is active on a particular port.

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

AmitMarx95362 · ‎10-12-2020

let's say i need to move one device between two rooms occasionally and be able to do it without cleaning port security every time,

on the other hand i don't want to cancel the port security entirely.

MHM Cisco World · ‎10-12-2020

You can make violation not to down the traffic but only generate the log

Andreas Schneider · ‎10-15-2020

Hi,

depending on the switch model, you can implement a mac access-list. It's like an IP access-list but starts at L2, and will prevent any forwarding on a switchport if the MAC is not permitted. It's like port-security but not tied to one switchport. But there is no automatic shutdown mechanism for the switchport.

e.g. create the "mac-access-list" (here only packets with src-mac "0011.2233.4455" will be have access to the network):

mac access-list extended TRUSTED-MACs
permit host 0011.2233.4455 any
deny any any
exit

e.g. apply to all the interfaces which should participate

int range g2/0/1-48
mac access-group TRUSTED-MACs in
exit

This will check all mac addresses learned on all switchports of switch member 2 against the "TRUSTED-MACs". If mac is not in the list, all pakets with this mac will be dropped. Ports without this configuration will not be checked.