Can't use 'interface range' to restrict by mac address

Andy White
Level 3

Hello.

I need to allow only 5 MAC addresses on a range of ports on a 2955 switch. If I do the following, it only changes the first port in the range:

interface range fastEthernet 0/5 - 10
 no spanning-tree portfast
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 00:1D:24:25:F7:AA
 switchport port-security mac-address 00:2D:24:9A:56:BB
 switchport port-security mac-address 00:1D:24:25:F7:CC
 switchport port-security mac-address 00:1D:24:40:E0:DD
 switchport port-security mac-address 00:1D:24:20:DC:EE
 no shut

However, show run shows this on all the ports:

interface FastEthernet0/5
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
 switchport port-security mac-address 00:1D:24:25:F7:AA
 switchport port-security mac-address 00:2D:24:9A:56:BB
 switchport port-security mac-address 00:1D:24:25:F7:CC
 switchport port-security mac-address 00:1D:24:40:E0:DD
 switchport port-security mac-address 00:1D:24:20:DC:EE
!
interface FastEthernet0/6
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/7
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/8
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/9
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict
!
interface FastEthernet0/10
 switchport access vlan 10
 switchport mode access
 switchport port-security
 switchport port-security maximum 5
 switchport port-security violation restrict

If I try to add the MAC address after this happens:

(config-if)# switchport port-security mac-address 00:1D:24:25:F7:AA
Found duplicate mac-address 00:1D:24:25:F7:AA

Can I not use the same MAC address across ports?

Thanks

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame

Hello Andy,

the command creates a static entry in the CAM table, so you cannot have the same MAC address associated with multiple ports at the same time; this is not allowed by the port-security framework.

On some switching platforms you have other means to discriminate legitimate users, like dynamic ARP inspection and DHCP snooping.

Hope to help

Giuseppe


2 Replies

Hi,

When you put it like that it makes sense, as otherwise I guess it would create switching loops, since it has to statically add the MAC addresses to the CAM table; STP is doing its job.

Thanks for the quick reply, we were just trying to secure ports to only certain MAC addresses.

Regards
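As an added example (not from the thread above or from Cisco), a small Python audit that parses a running-config excerpt like the one Andy posted, flags a static secure MAC pinned on more than one interface (which IOS rejects with the "Found duplicate mac-address" message) and lists interfaces that have port-security enabled but no static address, which is what Fa0/6 to Fa0/10 ended up with: those ports will learn whichever five addresses appear first rather than the five intended. The sample config, the MAC on two ports, and the function names are all constructed for this example.

```python
import re
from collections import defaultdict
# Constructed sample (trimmed from the question): one MAC pinned on two ports, one port with no statics.
SAMPLE_RUN = """\
interface FastEthernet0/5
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 00:1D:24:25:F7:AA
 switchport port-security mac-address 00:2D:24:9A:56:BB
!
interface FastEthernet0/6
 switchport port-security
 switchport port-security maximum 5
 switchport port-security mac-address 001d.2425.f7aa
!
interface FastEthernet0/7
 switchport port-security
 switchport port-security maximum 5
!
"""
MAC_RE = re.compile(r"switchport port-security mac-address (?:sticky )?(\S+)$")

def normalize_mac(mac):
    """Canonical form (lowercase hex, no separators) so aa:bb:.. and aabb.ccdd.eeff compare equal."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_port_security(running_config):
    """Map each interface to its port-security state: enabled flag, maximum, static MAC list."""
    ports, cur = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = line.split(None, 1)[1]
            ports[cur] = {"enabled": False, "maximum": None, "static": []}
        elif cur and line == "switchport port-security":
            ports[cur]["enabled"] = True
        elif cur and line.startswith("switchport port-security maximum "):
            ports[cur]["maximum"] = int(line.rsplit(None, 1)[1])
        elif cur and (m := MAC_RE.match(line)) and m.group(1).lower() != "sticky":
            ports[cur]["static"].append(normalize_mac(m.group(1)))  # bare 'sticky' carries no address
    return ports

def audit(ports):
    """Return (MACs pinned on >1 port, which IOS rejects; ports secured but with no static MAC)."""
    seen = defaultdict(list)
    for name, info in ports.items():
        for mac in info["static"]:
            seen[mac].append(name)
    duplicates = {mac: names for mac, names in seen.items() if len(names) > 1}
    unrestricted = [n for n, i in ports.items() if i["enabled"] and not i["static"]]
    return duplicates, unrestricted
```

Run it over a real `show run` capture before pushing a range config; an empty duplicate map and an empty unrestricted list is the state the poster was aiming for.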
