09-21-2020 04:13 PM
I'm trying to enable port security for some non-Cisco WAPs which have their management IP in a native vlan and tagged traffic for 2 SSIDs on different client vlans. I want to restrict access in the native vlan to just the WAP's mac address and freely allow clients on the other two vlans.
My thinking was that I would leave the maximum for the native VLAN at 1, set a high maximum for the other two VLANs and leave learning dynamic (if that worked, I was going to look at aging to keep the dynamic count from growing too high on the client VLANs, but I didn't get that far).
VLAN 100 is my management VLAN; 101 and 102 are the two client ones. IOS-XE 16.9.5 on a C3850.
Port config example:

interface GigabitEthernet1/0/2
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security maximum 1 vlan 100
 switchport port-security maximum 1024 vlan 101,102
 switchport port-security violation restrict
 switchport port-security
end
Originally I didn't have the "switchport port-security maximum 1 vlan 100" line, thinking it would default to 1, but as soon as I enabled port security I got a violation on VLAN 100, so I added it. That kept the management IP online and its MAC appeared with type "SecureDynamic" in show port-security address, but then I started getting violations for any clients in VLANs 101 and 102.
Am I misunderstanding the per-vlan maximums, and/or is there a better way to do this?
09-21-2020 11:37 PM - edited 09-21-2020 11:46 PM
Hello,
Please try changing the global maximum for this interface first and then restrict on a per-VLAN basis, e.g.:

interface GigabitEthernet1/0/2
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security maximum 1024
 switchport port-security maximum 1 vlan 100
 switchport port-security violation restrict
 switchport port-security
!
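To make the accepted answer's point concrete, here is a small Python checker, an added example that is not from this thread or from Cisco. It reads an interface stanza and flags any per-VLAN maximum that exceeds the port-level maximum (which defaults to 1 when no plain `switchport port-security maximum` line is present). It assumes the behaviour the thread describes: the port-level maximum caps every VLAN, so a per-VLAN 1024 under a port-level 1 still yields violations on VLANs 101 and 102.

```python
import re

DEFAULT_PORT_MAX = 1  # IOS default when the port-level maximum is not configured

# Constructed copy of the stanza posted in the question.
ORIGINAL = """\
interface GigabitEthernet1/0/2
 switchport trunk native vlan 100
 switchport mode trunk
 switchport port-security maximum 1 vlan 100
 switchport port-security maximum 1024 vlan 101,102
 switchport port-security violation restrict
 switchport port-security
"""
# The accepted answer's fix: raise the port-level maximum before the per-VLAN limits.
FIXED = ORIGINAL.replace(" switchport mode trunk\n",
                         " switchport mode trunk\n switchport port-security maximum 1024\n")

def expand_vlans(spec):
    """Expand '101,102' or '101-103' into a list of VLAN ids."""
    vlans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.extend(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_port_security(config):
    """Return the port-level maximum and the per-VLAN maximums found in the stanza."""
    port_max, vlan_max = DEFAULT_PORT_MAX, {}
    for line in config.splitlines():
        m = re.match(r"\s*switchport port-security maximum (\d+)(?: vlan ([\d,-]+))?\s*$", line)
        if not m:
            continue
        if m.group(2) is None:
            port_max = int(m.group(1))          # plain "maximum N" sets the port-level cap
        else:
            for vlan in expand_vlans(m.group(2)):
                vlan_max[vlan] = int(m.group(1))  # "maximum N vlan ..." sets per-VLAN limits
    return port_max, vlan_max

def check_limits(config):
    """One warning per VLAN whose maximum exceeds the port-level cap (so it can never be reached)."""
    port_max, vlan_max = parse_port_security(config)
    return [f"vlan {v}: maximum {n} exceeds port maximum {port_max}"
            for v, n in sorted(vlan_max.items()) if n > port_max]

if __name__ == "__main__":
    print(check_limits(ORIGINAL))  # two warnings, for vlan 101 and 102
    print(check_limits(FIXED))     # []
```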