06-11-2004 04:28 AM - edited 03-02-2019 04:19 PM
Does anyone know if there is a way to only allow certain MAC addresses to use a particular switchport? I have port-security enabled on my switch ports; however, I have two devices that move between two rooms, and if I leave port security on the ports it sends them into err-disable. I had to remove port security on the ports; however, I want to make it so that only the two systems that are used have access to the switchport. Can I do this with an ACL, or is there something else I should use?
06-11-2004 04:43 AM
Hello,
you could configure the command:
switchport port-security [mac-address mac-address] | [mac-address sticky [mac-address]] | [maximum value] | [violation {protect | restrict | shutdown}]
on your ports. Let's say you only want your two MAC addresses to access the ports; you would configure the ports as follows:
Switch(config-if)#switchport port-security maximum 2
Switch(config-if)#switchport port-security mac-address XXXX.XXXX.XXXX
Switch(config-if)#switchport port-security mac-address YYYY.YYYY.YYYY
where XXXX.XXXX.XXXX and YYYY.YYYY.YYYY stand for your two MAC addresses.
HTH,
GP
06-11-2004 06:26 AM
I had already configured it this way; however, I had to remove it because when they unplug the system from one of the ports and plug it into another port on the switch, it puts the port they are trying to use into the err-disable state because it detects that the MAC address has been on the other port. Any other suggestions?
06-11-2004 01:53 PM
Hello,
I have not actually tested this, but what happens if you configure the following (in global mode):
mac address-table aging-time 10
errdisable recovery psecure-violation interval 30
This would recover the port within 30 seconds, and (I think), since the MAC address would have aged out, it would not go back into err-disabled mode. The drawback is that your clients would have to wait for about 30 seconds after disconnecting and switching to another port...
Regards,
Georg
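The mechanics behind the err-disable in the question, and the way the aging plus errdisable-recovery workaround above would play out, as an added Python model. This is example code written for this page, not anything posted in the thread and not Cisco code. The port names, MAC addresses and timings are constructed. The model assumes that the stale secure entry on the old port disappears after `aging_seconds`, which is exactly the untested assumption in the suggestion above, so confirm it on the real switch with `show port-security address` before relying on it. It also runs the same move with `violation restrict`, one of the three modes in the syntax quoted earlier in the thread, where the port stays up and only the offending frames are dropped.

```python
"""Toy model of Cisco-style port security on two switch ports.

Constructed example, not switch code: it shows why a host that is secured
on one port and then shows up on a second secured port triggers a
violation there, and how the aging / errdisable-recovery workaround would
behave if the stale secure entry ages out as assumed.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Port:
    name: str
    configured: set                       # statically configured secure MACs
    maximum: int = 2                      # switchport port-security maximum
    violation: str = "shutdown"           # protect | restrict | shutdown
    learned: set = field(default_factory=set)   # dynamically learned secure MACs
    violations: int = 0                   # violation counter for this port
    errdisabled_until: Optional[float] = None   # None = port is up


class Switch:
    def __init__(self, aging_seconds=None, recovery_interval=None):
        # aging_seconds: ASSUMED time after which a stale secure entry on the
        # old port disappears (None = never).  recovery_interval: errdisable
        # recovery psecure-violation interval (None = recovery disabled).
        self.aging_seconds = aging_seconds
        self.recovery_interval = recovery_interval
        self.ports = {}
        self.secure_table = {}            # mac -> (port name, last seen)

    def add_port(self, port):
        self.ports[port.name] = port

    def _age_out(self, now):
        if self.aging_seconds is None:
            return
        self.secure_table = {
            mac: (pname, seen) for mac, (pname, seen) in self.secure_table.items()
            if now - seen < self.aging_seconds
        }

    def ingress(self, port_name, mac, now):
        """Return what happens to a frame from `mac` arriving on `port_name`."""
        port = self.ports[port_name]
        if port.errdisabled_until is not None:
            if now < port.errdisabled_until:
                return "port-down"
            port.errdisabled_until = None     # errdisable recovery brings it back
        self._age_out(now)
        bound = self.secure_table.get(mac)
        secure_here = mac in port.configured or mac in port.learned
        if (not secure_here and bound is None
                and len(port.configured | port.learned) < port.maximum):
            port.learned.add(mac)             # room left under maximum: learn it
            secure_here = True
        if secure_here and (bound is None or bound[0] == port_name):
            self.secure_table[mac] = (port_name, now)
            return "forwarded"
        # Violation: MAC not secure on this port, or still secured on another one.
        if port.violation == "protect":
            return "dropped"                  # silently dropped, nothing counted
        port.violations += 1                  # restrict and shutdown both count it
        if port.violation == "restrict":
            return "dropped"                  # port stays up, violation logged
        port.errdisabled_until = (now + self.recovery_interval
                                  if self.recovery_interval is not None
                                  else float("inf"))
        return "errdisable"


LAPTOP = "0011.2233.4455"   # constructed MAC addresses
OTHER = "0011.2233.4466"


def moving_host(aging_seconds=None, recovery_interval=None, violation="shutdown"):
    """Host secured on Fa0/1 at t=0 is unplugged and shows up on Fa0/2 at
    t=5, retries at t=10 and again at t=45.  Returns the per-frame outcomes."""
    sw = Switch(aging_seconds, recovery_interval)
    for name in ("Fa0/1", "Fa0/2"):
        sw.add_port(Port(name, configured={LAPTOP, OTHER}, maximum=2,
                         violation=violation))
    return [
        sw.ingress("Fa0/1", LAPTOP, now=0),
        sw.ingress("Fa0/2", LAPTOP, now=5),
        sw.ingress("Fa0/2", LAPTOP, now=10),
        sw.ingress("Fa0/2", LAPTOP, now=45),
    ]


if __name__ == "__main__":
    print("static, no aging/recovery:", moving_host())
    print("aging 10 s, recovery 30 s:", moving_host(aging_seconds=10, recovery_interval=30))
    print("restrict mode, aging 10 s:", moving_host(aging_seconds=10, violation="restrict"))
```

The first run reproduces the complaint in the thread: the second port goes err-disabled on the first frame and stays down. The second run shows the proposed workaround: the port still trips once, then recovers after the interval, and by then the stale entry is gone so the host is forwarded. The third run shows that with `violation restrict` the port never goes down at all; the host just loses frames until its old entry ages out, and the violation counter still records the event for `show port-security interface`.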
06-11-2004 11:35 AM
Port Security works at the port level, which as you've found doesn't do you any good in this situation. You can filter MAC addresses at the switch level with either VMPS or 802.1X. The 2950 can't act as a VMPS Server, however, so for VMPS you'll need a high-end CatOS switch that can act as a VMPS Server or you can try http://vmps.sourceforge.net/. Information about 802.1X is here: http://www.cisco.com/en/US/products/hw/switches/ps628/products_configuration_guide_chapter09186a008022995b.html