Port Security Issue

Hello,

I have configured the port security feature on switch port Gi1/0/13 so that it allows only two MAC addresses to be forwarded (see image_1). The switch port is connected to a wireless access point through which clients access a local network.

Based on the configuration I have done, it seems that port security is not doing its work: it allows all MAC addresses to be learnt and forwarded (see image_2).

Does someone have an explanation?

Did I miss some configuration?

Your help is greatly appreciated.

1 ACCEPTED SOLUTION

Cisco Employee

Re: Port Security Issue

Hello,

Unfortunately, that's not how that command works:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

Switch(config-if)# switchport port-security mac-address mac_address

"(Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned."

This means if your maximum is 10 and you configure 2 static MACs, the remaining 8 MAC addresses will be dynamically learned. If you only want to allow those two, you need to change your command "switchport port-security maximum 10" to "switchport port-security maximum 2".

Hope that helps!

-Bradley Selzer
10 REPLIES
Cisco Employee

Re: Port Security Issue

Hello,

It doesn't seem like your pictures posted. Can you copy and paste the config? Thanks!

-Bradley Selzer

Enthusiast

Re: Port Security Issue

You have the port-security max 10 command. That will enable 10 MAC addresses on the port before err-disabling.

You can verify this with the show port-security interface "interface" command:

Maximum MAC Addresses      : 10

Please mark helpful posts.

Re: Port Security Issue

Attachments: image_1.jpg, Image_2.jpg

Enthusiast

Re: Port Security Issue

If you only want 2 devices to connect,

switchport port-security maximum 2

 

Please mark helpful posts.

Re: Port Security Issue

Hello,

You can notice that I have allowed only two MAC addresses. If you look at the CAM table, the interface allows more than two MACs to be learnt. Why?

Basically, it should allow only the two MAC addresses configured, even if the maximum number configured is more than 2.

 


Re: Port Security Issue

Hello,

This gets me a bit confused.

Based on what you have said, here is what I have noticed:

1. The output shows that all the addresses are statically learnt, not dynamically.

2. Let's say that I have configured all the 10 MACs. Suppose that one MAC is absent for this day (a user is absent), which means an empty entry is available, so an illegitimate user might be able to access my network. How should I mitigate that kind of threat?

3. What gets me really confused is this: even if I have configured the maximum number to be 2, the first address that has connected to the network will be learnt although it does not exist in my configuration.

I hope you get my point.

Your help is greatly appreciated.

 

Cisco Employee

Re: Port Security Issue

Hello,

1. The output shows that all the addresses are statically learnt, not dynamically.

      -Any MAC learned on a port-security port will be set as static even if the port doesn't have MAC addresses configured. This is because port-security aging times can be set differently than the global dynamic MAC aging.

2. Let's say that I have configured all the 10 MACs. Suppose that one MAC is absent for this day (a user is absent), which means an empty entry is available, so an illegitimate user might be able to access my network. How should I mitigate that kind of threat?

    -In your current configuration of max 10 and only 2 hosts configured, if one of the extra 8 hosts leaves for the day and their MAC is aged out, anyone else will be able to plug into that port. However, if there are already 8 hosts and one of the 2 configured MACs leaves, another person will not be able to connect. When you configure the two MACs, it reserves 2 slots for those and only 8 more can be learned dynamically.

3. What gets me really confused is this: even if I have configured the maximum number to be 2, the first address that has connected to the network will be learnt although it does not exist in my configuration.

    -No, as mentioned above, when you configure a MAC, a slot is set aside for that MAC and no other MAC can be learned in that slot. This means that if two MACs are configured and the max is 2, only those two MACs can be learned even if those hosts are not connected at that time.

Hope that helps!

-Bradley Selzer
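The slot arithmetic behind the accepted solution and the reply above (maximum minus statically configured MACs equals the number of secure-MAC slots still open to any unknown host) can be checked across a whole switch configuration rather than one port at a time. The audit script below is an added example written for this page; it is not code from Cisco or from anyone in the thread. The running-config text embedded in it is constructed to mirror the scenario discussed: GigabitEthernet1/0/13 as posted (maximum 10, two static MACs, default violation mode), GigabitEthernet1/0/14 as an assumed corrected copy (maximum 2, violation restrict), and GigabitEthernet1/0/15 with no port security at all. The MAC addresses and the two extra interface names are assumptions for illustration; the script does not model sticky addresses.

```python
"""Audit port-security slot usage in a Cisco IOS running-config.

Added example for this thread; not code from Cisco or from the original post.
It reads interface blocks, records the configured maximum and the statically
configured secure MACs, and reports how many secure-MAC slots each port still
leaves open to dynamic learning (maximum minus static entries).
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample. Gi1/0/13 mirrors the configuration discussed in the
# thread (maximum 10, two static MACs). Gi1/0/14, Gi1/0/15 and every MAC
# address here are assumptions made for illustration.
SAMPLE_RUNNING_CONFIG = """\
!
interface GigabitEthernet1/0/13
 description Wireless AP uplink (as posted: maximum 10, 2 static MACs)
 switchport mode access
 switchport port-security
 switchport port-security maximum 10
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4466
!
interface GigabitEthernet1/0/14
 description Wireless AP uplink (corrected: maximum 2, 2 static MACs)
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4466
!
interface GigabitEthernet1/0/15
 description Access port without port-security
 switchport mode access
!
"""

INTERFACE_RE = re.compile(r"^interface (\S+)$")
ENABLE_RE = re.compile(r"^ switchport port-security$")
MAX_RE = re.compile(r"^ switchport port-security maximum (\d+)$")
VIOLATION_RE = re.compile(r"^ switchport port-security violation (protect|restrict|shutdown)$")
STATIC_MAC_RE = re.compile(
    r"^ switchport port-security mac-address ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})$"
)


@dataclass
class PortSecurity:
    interface: str
    enabled: bool = False
    maximum: int = 1              # IOS default once port-security is enabled
    violation: str = "shutdown"   # IOS default violation mode (err-disables the port)
    static_macs: list = field(default_factory=list)

    @property
    def dynamic_slots(self) -> int:
        """Secure-MAC slots not pinned to a static entry, i.e. open to any MAC."""
        return max(self.maximum - len(self.static_macs), 0)

    @property
    def finding(self) -> str:
        if not self.enabled:
            return "port-security not enabled"
        if self.static_macs and self.dynamic_slots == 0:
            return "only the configured static MACs are allowed"
        if self.static_macs:
            return f"{self.dynamic_slots} additional MAC(s) can still be learned dynamically"
        return f"any {self.maximum} MAC(s) can be learned dynamically"


def parse_port_security(config: str) -> dict:
    """Collect per-interface port-security state from running-config text."""
    ports = {}
    current: Optional[PortSecurity] = None
    for line in config.splitlines():
        if m := INTERFACE_RE.match(line):
            current = PortSecurity(interface=m.group(1))
            ports[current.interface] = current
        elif current is None or not line.startswith(" "):
            current = None            # "!" or a global command ends the block
        elif ENABLE_RE.match(line):
            current.enabled = True
        elif m := MAX_RE.match(line):
            current.maximum = int(m.group(1))
        elif m := VIOLATION_RE.match(line):
            current.violation = m.group(1)
        elif m := STATIC_MAC_RE.match(line):
            current.static_macs.append(m.group(1).lower())
    return ports


def audit(config: str) -> dict:
    """Map each interface to a one-line finding about its secure-MAC slots."""
    return {name: port.finding for name, port in parse_port_security(config).items()}


if __name__ == "__main__":
    for name, port in parse_port_security(SAMPLE_RUNNING_CONFIG).items():
        print(f"{name}: max={port.maximum} static={len(port.static_macs)} "
              f"violation={port.violation} -> {port.finding}")
```

Run it against the output of `show running-config` instead of the embedded sample to find every port where the maximum exceeds the number of pinned addresses. After lowering the maximum on the switch, `show port-security interface Gi1/0/13` should show Maximum MAC Addresses and Configured MAC Addresses both at 2, which leaves no slot for a dynamically learned host.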

Re: Port Security Issue

Hello,

I got it.

Thanks.

 
