Problem with port-security and MAC addresses learning disabled?

Javier .A (Level 1)

Hello,

Is there any problem, or incompatibility, if you configure port-security on 'n' ports that belong to VLAN X and also disable mac-address-table learning on that VLAN?

Does anyone have references, links or PDFs about this issue?

Thank you very much,

Best Regards.

1 Accepted Solution

3 Replies

daniel.dib (Level 7)

What is the reason for disabling MAC learning?

Seems to be working from what I can see:

Switch#sh run int f0/1
Building configuration...

Current configuration : 119 bytes
!
interface FastEthernet0/1
 switchport mode access
 switchport port-security maximum 2
 switchport port-security

Switch#show mac add vlan 1 | i Fa
   1    0012.00f0.b9a0    STATIC      Fa0/1

Switch#show port-security
Secure Port  MaxSecureAddr  CurrentAddr  SecurityViolation  Security Action
                (Count)       (Count)          (Count)
---------------------------------------------------------------------------
      Fa0/1              2            1                  0         Shutdown
---------------------------------------------------------------------------
Total Addresses in System (excluding one mac per port)     : 0
Max Addresses limit in System (excluding one mac per port) : 6144

Switch#show port-security interface fa0/1
Port Security              : Enabled
Port Status                : Secure-up
Violation Mode             : Shutdown
Aging Time                 : 0 mins
Aging Type                 : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Configured MAC Addresses   : 0
Sticky MAC Addresses       : 0
Last Source Address:Vlan   : 0012.00f0.b9a0:1
Security Violation Count   : 0

There is another device connected to Fa0/3.

Switch#sh run int fa0/3
Building configuration...

Current configuration : 57 bytes
!
interface FastEthernet0/3
 switchport mode access

R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/2/4 ms

Traffic flows: traffic is flooded to R3 because no MAC address was learned there, as port-security was not used on that port.

If we implement blocking of unknown unicast, traffic can't flow to R3.

Switch(config)#int f0/3
Switch(config-if)#switchport block unicast

R3#ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

So yes, MAC address learning can be disabled even if port-security is used. However, traffic will be flooded to all ports in the VLAN. This could be blocked by implementing blocking of unknown unicast as shown above.

Daniel Dib
CCIE #37149

Please rate helpful posts.

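The forwarding behaviour Daniel's lab output shows can be checked with a small model. The code below is an added example, not from the thread or from Cisco: it models a VLAN with dynamic learning turned off, port-security installing secure addresses as STATIC entries on Fa0/1, and unknown-unicast flooding toward a plain port Fa0/3 with and without `switchport block unicast`. Port names and the host MAC come from the thread; the R3 MAC and the violation behaviour (a third source address on a `maximum 2` port) are constructed assumptions.

```python
# Added model of the switch behaviour discussed in the thread (not Cisco code).
# Assumed: learning is per VLAN, so one Switch instance represents one VLAN.

class Switch:
    def __init__(self, ports, learning_enabled=True):
        self.ports = list(ports)
        self.learning_enabled = learning_enabled  # "no mac-address-table learning vlan" -> False
        self.port_security = {}                   # port -> maximum secure addresses
        self.block_unicast = set()                # ports with "switchport block unicast"
        self.mac_table = {}                       # mac -> (port, "STATIC" | "DYNAMIC")
        self.violations = {}                      # port -> violation count

    def enable_port_security(self, port, maximum=1):
        self.port_security[port] = maximum

    def secure_count(self, port):
        return sum(1 for p, kind in self.mac_table.values() if p == port and kind == "STATIC")

    def ingress(self, port, src_mac):
        """Source handling: port-security installs secure addresses as STATIC entries even
        when dynamic learning is off; plain ports learn only while learning is enabled."""
        if port in self.port_security:
            if self.mac_table.get(src_mac, (None,))[0] == port:
                return "ok"                       # already a secure address on this port
            if self.secure_count(port) >= self.port_security[port]:
                self.violations[port] = self.violations.get(port, 0) + 1
                return "violation"                # default violation mode is shutdown
            self.mac_table[src_mac] = (port, "STATIC")
            return "ok"
        if self.learning_enabled:
            self.mac_table[src_mac] = (port, "DYNAMIC")
        return "ok"

    def egress_ports(self, in_port, dst_mac):
        """Forwarding: known destination -> its port; unknown unicast -> flood to every
        other port except those configured with 'switchport block unicast'."""
        if dst_mac in self.mac_table:
            out = self.mac_table[dst_mac][0]
            return [out] if out != in_port else []
        return [p for p in self.ports if p != in_port and p not in self.block_unicast]

def lab_scenario(block_unicast_on_fa03):
    """Thread setup: learning off, port-security (max 2) on Fa0/1, R3 on a plain Fa0/3."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"], learning_enabled=False)
    sw.enable_port_security("Fa0/1", maximum=2)
    if block_unicast_on_fa03:
        sw.block_unicast.add("Fa0/3")
    host, r3 = "0012.00f0.b9a0", "aaaa.bbbb.0003"  # host MAC from the thread; R3 MAC constructed
    sw.ingress("Fa0/1", host)                        # host becomes a STATIC entry via port-security
    sw.ingress("Fa0/3", r3)                          # R3 is never learned: learning is off
    reply = sw.egress_ports("Fa0/1", host and r3)    # echo reply from host toward unknown R3
    return {"table": dict(sw.mac_table), "r3_reaches": "Fa0/3" in reply,
            "request_ports": sw.egress_ports("Fa0/3", host)}
```

With flooding allowed, the reply reaches R3 only because it is flooded; once Fa0/3 blocks unknown unicast the reply has no path, matching the 80% then 0% ping results above.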

Hello daniel.dib,

For security reasons, the goal is to disable dynamic learning entries by configuring:

(config) no mac-address-table learning vlan

and after that to configure port-security on 'n' interfaces belonging to .

I think this configuration should work, although the only entries showing in the MAC table would be those statically configured with port-security, isn't it?

Thank you.

Hi Javier,

As I showed above the combination is valid. I didn't put any static entries in port-security but any entries learned via port-security will be shown as static when issuing show mac address-table. All dynamic learning is off.

I'm not sure what kind of security issue you are trying to solve but the configuration is valid.

Daniel Dib
CCIE #37149

Please rate helpful posts.
