Simple "Secure MAC Address" Behaviour Question

matthew1471
Level 1

Just out of curiosity:

PORT1 has a "Secure MAC Address" added (MAC1) and port security set to lock down on a security violation.

PORT2 has no port security.

PORT2 is mirrored to PORT10.

I plugged device with MAC1 into PORT2 and started capturing the traffic via PORT10.

MAC1 made requests on PORT2 but I believe no responses were delivered to PORT2.

Lunchtime conversation at work led to one guy declaring this is not standard IOS behaviour and is some quirk on the SG300.

Is this standard Cisco switch behaviour? Just SG300 behaviour (SG300 does not run IOS)? Or am I mistaken about what I thought I saw?

In hindsight I note that to add the "Secure MAC Address" one visits "MAC Address Tables->Static Addresses", clicks "Add" and enters a MAC address, selecting "Secure" as the status. This does imply MAC1 is bound to a port and cannot roam. Is this the right way to configure port lockdown?

Thanks,

Matthew

4 Replies

rmanthey
Level 4

Matthew,

I am reading this with the belief that Port2 has no responses to that MAC address correct?

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security

That is correct.

The design is supposed to be similar to the Enterprise counterpart, where if a MAC is learned on a port or statically set with port security then it should not be learned anywhere else. That traffic will not be forwarded to that MAC address because it will only be seen on the port it was learned on.

Cisco Small Business Support Center

Randy Manthey

CCNA, CCNA - Security
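The table behaviour Randy describes, modelled as an added Python example (not code from the SG300, from IOS, or from anyone in this thread): the MAC table holds MAC1 as a secure entry on PORT1, so a frame from MAC1 arriving on the unsecured PORT2 is still forwarded but never moves the entry, and the reply to MAC1 is sent to PORT1 only. The port names, MAC1, the SERVER station on PORT3, and the rule that a secured port locks itself when it sees a MAC bound elsewhere are all assumptions constructed for the example, not a description of any particular firmware.

```python
"""Toy model of a switch MAC address table with port security, written to
illustrate the behaviour described in the reply above.  Constructed example:
the ports, stations and the lock-down rule are assumptions, not SG300/IOS code."""
from dataclasses import dataclass, field


@dataclass
class MacEntry:
    port: str
    secure: bool  # True: bound to `port` by port security, never relearned elsewhere


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class SwitchModel:
    ports: list[str]
    secured: set[str] = field(default_factory=set)    # ports with port security enabled
    locked: set[str] = field(default_factory=set)     # ports shut down by a violation
    table: dict[str, MacEntry] = field(default_factory=dict)
    violations: list[tuple[str, str]] = field(default_factory=list)

    def add_secure_static(self, mac: str, port: str) -> None:
        """Equivalent of 'MAC Address Tables -> Static Addresses', status Secure."""
        self.secured.add(port)
        self.table[mac] = MacEntry(port, secure=True)

    def learn(self, src: str, ingress: str) -> None:
        entry = self.table.get(src)
        if entry is None:
            # First sighting: learn it; on a secured port the entry itself becomes secure
            self.table[src] = MacEntry(ingress, secure=ingress in self.secured)
        elif entry.port != ingress and not entry.secure:
            # Ordinary station move with no port security: follow the host
            entry.port = ingress
        elif entry.port != ingress and entry.secure:
            # Secure MAC seen on another port: the entry is never moved there.
            # Assumed lock-down rule: a secured port treats this as a violation.
            if ingress in self.secured:
                self.violations.append((src, ingress))
                self.locked.add(ingress)

    def receive(self, frame: Frame, ingress: str) -> list[str]:
        """Process one frame and return the egress port(s) it is forwarded to."""
        if ingress in self.locked:
            return []
        self.learn(frame.src, ingress)
        dst = self.table.get(frame.dst)
        if dst is None:
            return [p for p in self.ports if p != ingress]  # unknown unicast/broadcast: flood
        return [] if dst.port == ingress else [dst.port]


def run_thread_scenario() -> dict:
    """The setup from the question: MAC1 secure on PORT1, PORT2 unsecured,
    a constructed SERVER station on PORT3, MAC1 physically attached to PORT2."""
    sw = SwitchModel(ports=["PORT1", "PORT2", "PORT3"])
    sw.add_secure_static("MAC1", "PORT1")
    sw.receive(Frame(src="SERVER", dst="ff:ff:ff:ff:ff:ff"), "PORT3")  # SERVER learned on PORT3
    request_out = sw.receive(Frame(src="MAC1", dst="SERVER"), "PORT2")  # request is forwarded
    reply_out = sw.receive(Frame(src="SERVER", dst="MAC1"), "PORT3")    # reply follows the table
    return {
        "request_egress": request_out,   # ['PORT3']
        "reply_egress": reply_out,       # ['PORT1'], never PORT2
        "mac1_port": sw.table["MAC1"].port,
        "port2_locked": "PORT2" in sw.locked,
    }


def run_unsecured_move() -> str:
    """Contrast: with no port security, a station that moves is simply relearned."""
    sw = SwitchModel(ports=["PORT1", "PORT2", "PORT3"])
    sw.receive(Frame(src="SERVER", dst="ff:ff:ff:ff:ff:ff"), "PORT3")
    sw.receive(Frame(src="MAC2", dst="SERVER"), "PORT1")
    sw.receive(Frame(src="MAC2", dst="SERVER"), "PORT2")  # MAC2 has moved to PORT2
    return sw.receive(Frame(src="SERVER", dst="MAC2"), "PORT3")[0]  # 'PORT2'


if __name__ == "__main__":
    print(run_thread_scenario())
    print(run_unsecured_move())
```

Running the scenario shows the request from MAC1 leaving on PORT3 while the reply leaves on PORT1, which matches the capture on the mirror port: PORT2 sees MAC1's own requests but none of the answers. The second function shows the same table without port security, where the reply follows the host to its new port.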

That would therefore suggest IOS would do similar. Many thanks for confirming this (and for your time).

As a real world example say one had wireless access points on PORT1 and PORT2 does that mean that wireless client MAC addresses would not be allowed to roam between these 2 access points if port security is set on those 2 ports (or at least if the addresses were learned, until they automatically aged out or were manually cleared)?

So if PORT1 (with DownstairsAP) had learnt automatically LAPTOP1's MAC then LAPTOP1 would not be allowed to use the wireless access point on PORT2 (with UpstairsAP) until it expired from PORT1?
