01-11-2011 04:59 AM - edited 03-06-2019 02:55 PM
My device: 880 router
Design - I want the L2 ports in the 880 router to allow only 2 MAC addresses, one voice, one data
Configuration - I am statically assigning MAC addresses to the ports
like this
Sw(config)#mac-address-table static 4.4.4 interface fastEthernet 0 vlan 2
But what I see is that when I connect another PC, I am learning MAC addresses of the other PC dynamically through this port.
I don't want this to happen. So I need a solution to stop MAC address learning on certain ports only, so that it does not populate the MAC address table
(or)
Is it possible to enable security so that I allow only 2 MAC addresses per port in the 880 router?
Please remember switchport port-security is not supported here.
Thanks
Karthic.R.S
01-11-2011 05:49 AM
Hi Karthic,
First, make sure your IOS supports port security. Port security is set at the interface level. First, you set the maximum number of MAC addresses for the switchport (default is 1).
sw(config-if)# switchport port-secu max 1
Then, choose between the three ways of learning MACs.
static - manually configured. The command is switchport port-sec mac-add 0011.2233.4455
dynamic - port will learn MAC addresses as usual, but stop learning more addresses when it has reached the max.
sticky - converts dynamic address to static addresses in the running config only. To use this, wait until your switchport has learned the MACs you want, then issue the interface command switchport port-sec mac sticky. As soon as you do this, these MACs become static commands, but in the running config only. You then have to copy run start to make these settings survive a reload.
Next, decide how to handle security violations. A violation occurs either when the max number of MACs is exceeded, or when an address on one secure port is seen on another secure port on the same VLAN. The effects are:
protect - silently drop the packets from the excess MAC addresses.
restrict - drop the packets over the max, and log the event.
shutdown - err-disable the port. This is the default.
Hope this helps you...
Regards,
Naidu.
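Putting the steps above together for the scenario in the question (one IP phone plus one PC on a single access port), as an added configuration example for a switch that does support port-security; it is not from the original thread and does not apply to the 880, and the interface name and VLAN numbers are assumed:

```cisco
! Added example, not from the thread: port-security on a switch that supports it.
! FastEthernet0/1, VLAN 2 (data) and VLAN 3 (voice) are assumed values.
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 2
 switchport voice vlan 3
 ! Port-security is not active on the port until this line is present
 switchport port-security
 ! One data MAC (PC) plus one voice MAC (phone)
 switchport port-security maximum 2
 ! Learn the first two addresses and write them into the running config as static entries
 switchport port-security mac-address sticky
 ! Drop frames from any further address and log the event, instead of err-disabling the port (the default)
 switchport port-security violation restrict
!
! Verify: maximum of 2, the two learned addresses, and the violation counter
! show port-security interface FastEthernet0/1
! show port-security address
!
! Make the sticky-learned entries survive a reload
! copy running-config startup-config
```

Some platforms learn the phone's MAC in both the access and the voice VLAN; if show port-security interface reports violations with only the phone and PC attached, raise the maximum to 3.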
01-11-2011 05:58 AM
My device does not support switchport security commands.
I should only use mac-address-table secure/static commands.
How can I configure security using this command?
01-11-2011 06:15 AM
Hi Subramaniya,
To block all traffic to or from a MAC address in a specified VLAN, perform this task:
Router(config)# mac-address-table static mac_address vlan vlan_ID drop
Cheers,
Shashank
Please rate the helpful post if it answered your question
01-11-2011 06:35 AM
OK, let me get my questions one by one.
My setup
880 Router (fa1)----PC----IP phone
# I want my switch to allow only 2 MAC addresses through the fa1 interface (the PC's and the IP phone's)
# I configured
mac-address-table static
I can't configure any more, as my version supports only up to this...
Cisco(config)#mac-address-table static 3.3.3 interface fastEthernet 2 vlan 2 ?
What happened after configuring
----------------------------------------------
I am still able to learn other MAC addresses via the same fa2 port if I connect a host to it. My requirement is that I should not be able to communicate using other hosts on those particular ports. But I am still learning MAC addresses through the STP learning process, and they appear in my CAM table as "dynamic" entries.
My question
----------------------
1) Since I am learning MAC addresses dynamically through a port, is it possible to stop this without the port-security commands?
2) If not, I would like to know what the "mac-address-table secure" command does.
cisco(config)#mac-address-table secure 2.2.2 fastEthernet 2 vlan 2
How does this command differ from the "mac-address-table static" command?