port-security for one vlan on trunk

sen_au (Level 1)

I'm trying to enable port security for some non-Cisco WAPs which have their management IP in a native vlan and tagged traffic for 2 SSIDs on different client vlans.  I want to restrict access in the native vlan to just the WAP's mac address and freely allow clients on the other two vlans.


Thinking was I would leave the maximum for the native vlan as 1 and set a high maximum for the other two vlans and leave the learning dynamic (if that worked I was going to look at ageing to keep the dynamic count from growing too high on the client vlans, but I didn't get that far).


vlan 100 is my management vlan, 101 and 102 are the two client ones, IOS-XE 16.9.5 on C3850


port config example:

interface GigabitEthernet1/0/2
switchport trunk native vlan 100
switchport mode trunk
switchport port-security maximum 1 vlan 100
switchport port-security maximum 1024 vlan 101,102
switchport port-security violation restrict
switchport port-security
end

Originally I didn't have the "switchport port-security maximum 1 vlan 100" line, thinking it'd default to 1, but as soon as I enabled port security, I got a violation on vlan 100, so I added it. That kept the management IP online and its MAC appeared with type "SecureDynamic" in "show port-security address", but then I started getting violations for any clients in vlan 101 & 102.


Am I misunderstanding the per-vlan maximums, and/or is there a better way to do this?

Accepted Solution

Rolf Fischer (Level 9)

Hello,

please try to change the global maximum for this interface first and then restrict on a per-vlan basis, e.g.:

interface GigabitEthernet1/0/2
switchport trunk native vlan 100
switchport mode trunk
switchport port-security maximum 1024
switchport port-security maximum 1 vlan 100
switchport port-security violation restrict
switchport port-security
!

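As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python check that parses the two interface blocks above and flags the mismatch the accepted answer fixes: a per-VLAN "switchport port-security maximum" that is larger than the interface-wide maximum. It assumes the IOS default interface maximum of 1 when no interface-level maximum line is present, and that the interface maximum caps the total number of secure addresses across all VLANs on the trunk, which is what the poster's symptoms and the accepted fix indicate. The function names and the two config strings are constructed for this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# IOS default when no "switchport port-security maximum" line is present.
DEFAULT_IF_MAX = 1


@dataclass
class PortSecurity:
    interface: str
    enabled: bool = False
    mode: Optional[str] = None          # "trunk" / "access" / None
    if_max: int = DEFAULT_IF_MAX        # interface-wide maximum secure MACs
    vlan_max: Dict[int, int] = field(default_factory=dict)  # vlan -> per-VLAN maximum


def expand_vlan_list(spec: str) -> List[int]:
    """Expand an IOS vlan-list such as "101,102" or "101-103,200"."""
    vlans: List[int] = []
    for part in spec.replace(" ", "").split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.extend(range(int(lo), int(hi) + 1))
        elif part:
            vlans.append(int(part))
    return vlans


def parse_interface(config: str) -> PortSecurity:
    """Parse one 'interface ... end' block into a PortSecurity record (hypothetical helper)."""
    ps: Optional[PortSecurity] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            ps = PortSecurity(interface=line.split(None, 1)[1])
            continue
        if ps is None or not line or line in ("!", "end"):
            continue
        m = re.fullmatch(r"switchport mode (\w+)", line)
        if m:
            ps.mode = m.group(1)
            continue
        # Per-VLAN form must be tried before the plain form.
        m = re.fullmatch(r"switchport port-security maximum (\d+) vlan ([\d,\- ]+)", line)
        if m:
            for vlan in expand_vlan_list(m.group(2)):
                ps.vlan_max[vlan] = int(m.group(1))
            continue
        m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
        if m:
            ps.if_max = int(m.group(1))
            continue
        if line == "switchport port-security":
            ps.enabled = True
    if ps is None:
        raise ValueError("no 'interface' line found")
    return ps


def check(ps: PortSecurity) -> List[str]:
    """Return findings; an empty list means the per-VLAN limits are consistent."""
    findings: List[str] = []
    if not ps.enabled:
        findings.append(f"{ps.interface}: 'switchport port-security' is not enabled")
    if ps.vlan_max and ps.mode != "trunk":
        findings.append(f"{ps.interface}: per-VLAN maximums only apply to trunk ports")
    for vlan, vmax in sorted(ps.vlan_max.items()):
        # Assumption from the thread: the interface maximum caps the total across VLANs,
        # so a per-VLAN maximum above it can never actually be reached.
        if vmax > ps.if_max:
            findings.append(
                f"{ps.interface}: vlan {vlan} maximum {vmax} exceeds interface maximum "
                f"{ps.if_max}; the interface maximum caps the total, so raise it first"
            )
    return findings


# Constructed sample input: the poster's original config (interface maximum left at default 1).
ORIGINAL_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security maximum 1 vlan 100
 switchport port-security maximum 1024 vlan 101,102
 switchport port-security violation restrict
 switchport port-security
end
"""

# Constructed sample input: the accepted answer's config (interface maximum raised to 1024 first).
FIXED_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security maximum 1024
 switchport port-security maximum 1 vlan 100
 switchport port-security violation restrict
 switchport port-security
!
"""

if __name__ == "__main__":
    for name, cfg in (("original", ORIGINAL_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check(parse_interface(cfg)) or "OK")
```

Run it against a saved "show running-config" excerpt before pushing a change; the original block produces one finding each for vlan 101 and vlan 102, the accepted answer's block produces none. On the switch itself, confirm the effective limits afterwards with "show port-security interface GigabitEthernet1/0/2" and the learned entries with "show port-security address", the command the original poster already used.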