Configuring port security for multiple MAC addresses on multiple ports on 3850

n.bokhar1
Level 1

Hi guys,

I need to achieve the following objective. How can I do that?

1- Permit only 3 MAC addresses on 3 ports or a VLAN

2- They can move between ports, but no new device can get connected to any one device

 

 

5 Replies

Hi

interface range <range of ports> example: interface range g1/0/1-48

<it must be an access mode switchport>

switchport

switchport port-security

switchport port-security maximum 3

switchport port-security violation shutdown

switchport port-security mac-address aaaa.aaaa.aaaa
switchport port-security mac-address aaaa.aaaa.aaab
switchport port-security mac-address aaaa.aaaa.aaac

no shutdown

 

If you set up another MAC address (a 4th), you will see something like:

Total secure mac-addresses on interface FastEthernet0/0 has reached maximum limit.

 

Hope it is useful

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

Hello,

 

The following configuration allows for a maximum of 3 MAC addresses. They will time out after 1 minute, after which a user can move to another port, and nobody else but these 3 MAC addresses is allowed. Is this what you are after?

 

switchport port-security maximum 3
switchport port-security aging time 1 type inactivity
switchport port-security mac-address 00a0.c712.c925
switchport port-security mac-address 00a0.c712.c926
switchport port-security mac-address 00a0.c712.c927

Thanks, but when I try the same config on other ports, I get an error message that tells me I have duplicate MAC addresses. How can I get around this, and can I use a MAC access list in port security?

Hi

I understand. A solution for this situation could be to remove the static entries, set up mac-address sticky, and configure a MAC address ACL (if you want to connect the same 3 MAC addresses):

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_data_acl/configuration/xe-3s/asr903/sec-data-acl-xe-3s-asr903-book/mac-access-control-lists.html

 

Also configure the aging time.

 

:-)




>> Mark as helpful or answered if the reply resolved your question; this helps future queries from other members of the community. <<

There is one problem with MAC access lists. If there are violations, there is no logging at all :-(
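A way to check the stated objective from outside the switch, as an added example that is not from any poster in this thread: it parses `show port-security address` output, normalizes MAC notation (dotted or colon-separated), and reports secure addresses that are not among the three allowed MACs, plus the port each allowed MAC currently sits on. The sample output, the VLAN and port numbers, and the function names are constructed assumptions.

```python
import re

# Allowed MACs, using the placeholder addresses from the first reply.
ALLOWED = {"aaaa.aaaa.aaaa", "aaaa.aaaa.aaab", "aaaa.aaaa.aaac"}

# Constructed sample of `show port-security address` output (not from the thread).
SAMPLE = """\
               Secure Mac Address Table
-----------------------------------------------------------------------------
Vlan    Mac Address       Type                          Ports   Remaining Age
                                                                   (mins)
----    -----------       ----                          -----   -------------
  10    aaaa.aaaa.aaaa    SecureDynamic                 Gi1/0/1      1
  10    aaaa.aaaa.aaab    SecureDynamic                 Gi1/0/2      1
  10    0011.2233.4455    SecureDynamic                 Gi1/0/2      1
  10    aaaa.aaaa.aaac    SecureDynamic                 Gi1/0/3      1
-----------------------------------------------------------------------------
"""

# A data row starts with a VLAN number, then MAC, entry type and port.
ROW = re.compile(r"^\s*(\d+)\s+([0-9A-Fa-f.:-]{12,17})\s+(Secure\w+)\s+(\S+)")


def normalize(mac):
    """Return a MAC as 12 lowercase hex digits, whatever the separators."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def audit(output, allowed):
    """Return (unknown, located): (mac, port) pairs outside the allowlist,
    and a map of each allowed MAC seen to the port it is secured on."""
    allowed = {normalize(m) for m in allowed}
    unknown, located = [], {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, separator or blank line
        mac, port = normalize(m.group(2)), m.group(4)
        if mac in allowed:
            located[mac] = port
        else:
            unknown.append((mac, port))
    return unknown, located


if __name__ == "__main__":
    print(audit(SAMPLE, ALLOWED))
```
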
