Re: Command switchport port-security mac-address vlan access

wfqk · ‎08-30-2018

Hi Cisco switch has one command "switchport port-security mac-addrss xxx.xxx.xxx vlan access". My question is what is difference between with vlan access and without vlan access? Anyone can explain it? Thanks

Reza Sharifi · ‎08-30-2018

Hi,

Without vlan access, the MAC can be learned from any vlan. With vlan access or vlan voice, you can only learne it from that specific vlan.

HTH

balaji.bandi · ‎08-30-2018

it means the MAC need to learn from that VLAN.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

wfqk · ‎08-30-2018

Thank you so much for your reply.

If it means the mac is learned from vlan, so what situation looks like that?

if without vlan access, it acts like normal one. That means the switch learn the mac from some thing like PC, which is connected to the switch port. If with the vlan access, can we say the switch learn mac from the other ports in the switch as long as these ports are in the same vlan?

Reza Sharifi · ‎08-30-2018

Hi,

can we say the switch learn mac from the other ports in the switch as long as these ports are in the same vlan?

No, because this command applies under the interface and the interface belongs to specific vlans (in this case voice and data). So, if you don't specify the vlan, the port can learn it from either vlans but when you specify the vlan, it can only learn it from that vlan.

HTH

wfqk · ‎08-30-2018

Switch learn mac address from its port when device such as PC plugged into the port. How do you say learn mac address from vlan? i guess i miss one concept. Thank you

Reza Sharifi · ‎08-30-2018

Switch learn mac address from its port when device such as PC plugged into the port.

That is correct.

How do you say learn mac address from vlan?

When I say vlan, I mean a physical port that is in a vlan and serving a PC/Laptop, etc..

So, yes, we are saying the same thing.

HTH

wfqk · ‎08-31-2018

Ok now we are at the same page.

" ----- So, if you don't specify the vlan, the port can learn it from either vlans but when you specify the vlan, it can only learn it from that vlan. "

Please see the below configuration for port for example. The switch has vlan 10 and vlan20 and the port f0/50 is in vlan20. The PC is plugged into the port f0/50. if without "vlan access" at end of command "switchport port-security mac-addrss xxxx.xxxx.xxxx ", the switch port can learn mac address from vlan10 in addition to vlan20. if with "vlan access", the mac address can be learned only from vlan20. can you say it like this? Thank you

interface FastEthernet0/50

switchport mode access

switchport access vlan 20

switchport port-security

switchport port-security mac-address 0010.1111.2222 vlan access

Reza Sharifi · ‎08-31-2018

Hi,

can you say it like this?

Yes, that is correct. One correction to your configuration is that if you have 2 vlans (10 and 20) say 10 for voice and 20 for data, the config should look like this

interface FastEthernet0/50

switchport mode access

switchport access vlan 20

switchport voice vlan 10

switchport port-security

switchport port-security mac-address 0010.1111.2222 vlan access

HTH