MAC address learning while port-security is on

AmitMarx95362
Level 1

Can I make two port interfaces on the same stack learn the same MAC address while port security is on?

Can I exclude the address from the security table so it won't count?

4 Replies

marce1000
VIP

- A MAC address is only learned when a device is active on a particular port.

M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Let's say I need to move one device between two rooms occasionally and be able to do it without clearing port security every time.

On the other hand, I don't want to cancel port security entirely.

You can make the violation not take down the traffic but only generate a log.

Hi,

Depending on the switch model, you can implement a MAC access-list. It's like an IP access-list but starts at L2, and will prevent any forwarding on a switchport if the MAC is not permitted. It's like port-security but not tied to one switchport. But there is no automatic shutdown mechanism for the switchport.

 

e.g. create the "mac access-list" (here only packets with source MAC "0011.2233.4455" will have access to the network):

mac access-list extended TRUSTED-MACs
permit host 0011.2233.4455 any
deny any any
exit

e.g. apply it to all the interfaces that should participate:

int range g2/0/1-48
mac access-group TRUSTED-MACs in
exit

This will check all MAC addresses learned on all switchports of switch member 2 against "TRUSTED-MACs". If a MAC is not in the list, all packets with this source MAC will be dropped. Ports without this configuration will not be checked.
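To make the difference between the two approaches in this thread concrete (the violation-mode answer and the MAC access-list answer), here is an added toy model, not code from the thread or from Cisco: a device moves from one secure port to another on the same stack, and the result depends on the configured violation mode, on inactivity aging, and on whether a MAC ACL is applied instead. Port names, MACs and the simplified rules are assumptions.

```python
"""Toy model of port-security violation modes and a MAC access-list.

Constructed example: it mimics the documented behaviour that a secure MAC
learned on one port and then seen on another secure port is a violation,
and that only ports carrying a 'mac access-group' are checked by the ACL.
"""
from dataclasses import dataclass, field

@dataclass
class Port:
    name: str
    maximum: int = 1                 # switchport port-security maximum
    violation: str = "shutdown"      # shutdown | restrict | protect
    secure: set = field(default_factory=set)
    err_disabled: bool = False
    violations: int = 0

class Stack:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.owner = {}              # secure MAC -> port that learned it (stack-wide)

    def ingress(self, port_name, src_mac):
        """Return 'forward' or 'drop' for a frame with src_mac arriving on port_name."""
        p = self.ports[port_name]
        if p.err_disabled:
            return "drop"
        if src_mac in p.secure:
            return "forward"
        # Violation: MAC already secured on another port, or per-port maximum reached.
        moved = self.owner.get(src_mac, port_name) != port_name
        if moved or len(p.secure) >= p.maximum:
            if p.violation != "protect":     # protect drops silently, no counter/log
                p.violations += 1
            if p.violation == "shutdown":    # err-disable the whole port
                p.err_disabled = True
            return "drop"
        p.secure.add(src_mac)                # learn it as a secure MAC
        self.owner[src_mac] = port_name
        return "forward"

    def age_out(self, port_name, src_mac):
        """Inactivity aging removes the entry, so the MAC can be learned elsewhere."""
        self.ports[port_name].secure.discard(src_mac)
        self.owner.pop(src_mac, None)

def mac_acl_check(src_mac, permitted, applied):
    """MAC ACL: a port without the access-group is never checked."""
    return "forward" if (not applied or src_mac in permitted) else "drop"
```

With `restrict` the frame on the second port is dropped and counted but the port stays up; with `shutdown` the second port is err-disabled; once the entry ages out on the first port, the second port learns it normally.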
