Prevent MAC-Address access on 2950 switch port

bilko2004
Level 1

Does anyone know if there is a way to only allow certain MAC addresses to use a particular switchport? I have port-security enabled on my switch ports, however I have two devices that move between two rooms and if I leave port security on the ports it sends them into err-disable. I had to remove port security on the ports, however, I want to make it so only the two systems that are used have access to the switchport. Can I do this with an ACL or is there something else I should use?

4 Replies

Hello,

you could configure the command:

switchport port-security [mac-address mac-address] | [mac-address sticky [mac-address]] | [maximum value] | [violation {protect | restrict | shutdown}]

on your ports. Let's say you only want your two MAC addresses to access the ports, you would configure the ports as follows:

Switch(config-if)#switchport port-security maximum 2

Switch(config-if)#switchport port-security mac-address XXXX.XXXX.XXXX

Switch(config-if)#switchport port-security mac-address YYYY.YYYY.YYYY

whereby X and Y are your MAC addresses.

HTH,

GP

I had already configured it this way, however I had to remove it because when they unplug the system from one of the ports and plug it into another port on the switch, it puts the port they are trying to use in err-disable state because it detects the mac-address having been on the other port. Any other suggestions?

Hello,

I have not actually tested this, but what happens if you configure the following (in global mode):

mac address-table aging-time 10

errdisable recovery cause psecure-violation

errdisable recovery interval 30

This would recover the port within 30 seconds, and (I think) since the MAC-address would be aged out, would not go back into error disabled mode. The drawback is that your clients would have to wait for about 30 seconds after disconnecting and switching to another port...

Regards,

Georg

tbaranski
Level 4

Port Security works at the port level, which as you've found doesn't do you any good in this situation. You can filter MAC addresses at the switch level with either VMPS or 802.1X. The 2950 can't act as a VMPS Server, however, so for VMPS you'll need a high-end CatOS switch that can act as a VMPS Server or you can try http://vmps.sourceforge.net/. Information about 802.1X is here: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008022995b.html
