MAC Address Port Monitoring

I am seeking a way to monitor a port to know when more than 3 MAC addresses have been attached to the port. Port security does not seem to offer a solution because the port is shut down. I also looked into using an ACL but that does not seem to offer a solution either. If you know of a way, will you please share it with me?

Thank you in advance for your help.


cadet alain
VIP Alumni

Hi,

If you use restrict as the violation mode, you'll get a log message about the 4th MAC address and the frame will simply get dropped, but the port won't be shut down.

int f0/1
 switchport port-security max 3
 switchport port-security violation restrict
 switchport port-security

Regards.

Alain

Don't forget to rate helpful posts.

Thank you for your reply.

I made a mistake and did not mention that we cannot shut down anything. So in our example, after the fourth MAC address is received, the fourth MAC would not be able to access the network. This will not work for us. I need to know that MAC address and use some type of system to alert me. Preferably email.

Thank you again for your help.

Hi,

Maybe this could help, if available on your switch platform/image: http://www.cisco.com/en/US/docs/ios/lanswitch/command/reference/lsw_m1.html#wp1142567

Regards.

Alain

Don't forget to rate helpful posts.

Hello John,

The action restrict will not shut down the port, but as you said it will drop the offending packets (the ones coming from an invalid MAC address).

Port-security is not what you are looking for... You are looking for a monitoring tool that is able to detect the MAC addresses on each port. So use syslog or NetFlow.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC