Port Security Issue

 

Hello,

 

I have configured the port security feature on switch port Gi1/0/13 so that it allows only two MAC addresses to be forwarded (see image_1). The switch port is connected to a wireless access point through which clients access a local network.

Based on the configuration I have done, it seems that port security is not doing its job: it allows all MAC addresses to be learnt and forwarded (see image_2).

Does someone have an explanation?

Did I miss some configuration?

 

Your help is greatly appreciated.

 

 

 


brselzer (Cisco Employee)

Hello,

 

It doesn't seem like your pictures posted. Can you copy and paste the config? Thanks!

 

-Bradley Selzer
CCIE# 60833

 

You have port-security max 10 command. That will enable 10 MAC addresses on the port before err-disabling.

 

You can verify this with the show port-security interface "interface" command.
Maximum MAC Addresses      : 10

 

Please mark helpful posts.

[Attached images: image_1.jpg, Image_2.jpg]

If you only want 2 devices to connect,

switchport port-security maximum 2

 

Please mark helpful posts.

 

Hello,

You can see that I have allowed only two MAC addresses; if you look at the CAM table, the interface allows more than two MACs to be learnt. Why?

Basically, it should allow only the two MAC addresses configured even if the maximum number configured is more than 2.

 

Hello,

 

Unfortunately, that's not how that command works:

 

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst4500/12-2/25ew/configuration/guide/conf/port_sec.html

 

Switch(config-if)# switchport port-security mac-address mac_address

"(Optional) Enters a secure MAC address for the interface. You can use this command to enter the maximum number of secure MAC addresses. If you configure fewer secure MAC addresses than the maximum, the remaining MAC addresses are dynamically learned."

 

This means if your maximum is 10 and you configure 2 static MACs, the remaining 8 MAC addresses will be dynamically learned. If you only want to allow those two you need to change your command "switchport port-security maximum 10" to "switchport port-security maximum 2".

 

Hope that helps!

-Bradley Selzer
CCIE# 60833

Hello,

This gets me a bit confused.

Based on what you have said, here is what I have noticed:

1. The output shows that all the addresses are statically learnt, not dynamically.

2. Let's say that I have configured all the 10 MACs. Suppose that one MAC is absent for the day (a user is absent), which means an empty entry is available, so an illegitimate user might be able to access my network. How should I mitigate that kind of threat?

3. What gets me really confused is this: even if I have configured the maximum number to be 2, the first address that has connected to the network will be learnt although it does not exist in my configuration.

 

I hope you get my point.

Your help is greatly appreciated.

 

Hello,

 

1. The output shows that all the addresses are statically learnt, not dynamically.

      -Any MAC learned on a port-security port will be set as static even if the port doesn't have MAC addresses configured. This is because port-security aging times can be set differently from the global dynamic MAC aging.

2. Let's say that I have configured all the 10 MACs. Suppose that one MAC is absent for the day (a user is absent), which means an empty entry is available, so an illegitimate user might be able to access my network. How should I mitigate that kind of threat?

    -In your current configuration of max 10 and only 2 hosts configured, if one of the extra 8 hosts leaves for the day and their MAC is aged out, anyone else will be able to plug into that port. However, if there are already 8 hosts and one of the 2 configured MACs leaves, another person will not be able to connect. When you configure the two MACs, it reserves 2 slots for those and only 8 more can be learned dynamically.

3. What gets me really confused is this: even if I have configured the maximum number to be 2, the first address that has connected to the network will be learnt although it does not exist in my configuration.

    -No, as mentioned above, when you configure a MAC, a slot is set aside for that MAC and no other MAC can be learned in that slot. This means that if two MACs are configured and the max is 2, only those two MACs can be learned even if those hosts are not connected at that time.

 

Hope that helps!

-Bradley Selzer
CCIE# 60833
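To make the slot accounting described in this reply and in the accepted solution concrete, here is an added Python model (constructed for this thread; not Cisco code and not posted by anyone in it) of how configured secure MACs and dynamically learned ones share the value set by "switchport port-security maximum". The MAC addresses in it are constructed samples.

```python
from dataclasses import dataclass, field

@dataclass
class PortSecurity:
    """Secure-MAC slot accounting for one port (constructed model, not Cisco code)."""
    maximum: int                               # switchport port-security maximum N
    static: set = field(default_factory=set)   # switchport port-security mac-address X
    dynamic: set = field(default_factory=set)  # learned on the fly, may age out

    def __post_init__(self):
        self.static = {m.lower() for m in self.static}
        if len(self.static) > self.maximum:
            raise ValueError("static MACs exceed configured maximum")

    def free_dynamic_slots(self) -> int:
        # A configured MAC reserves its slot whether or not that host is present.
        return self.maximum - len(self.static) - len(self.dynamic)

    def frame_from(self, mac: str) -> str:
        mac = mac.lower()
        if mac in self.static or mac in self.dynamic:
            return "forward"
        if self.free_dynamic_slots() > 0:
            self.dynamic.add(mac)
            return "learned"
        return "violation"  # whatever the violation mode does (e.g. err-disable)

    def age_out(self, mac: str) -> None:
        # Only dynamically learned entries age out; static ones stay reserved.
        self.dynamic.discard(mac.lower())

CONFIGURED = {"0011.2233.0001", "0011.2233.0002"}  # constructed sample MACs
STRANGER = "0011.2233.00ff"                         # constructed, never configured

def compare_max_settings() -> dict:
    """Same two configured MACs with 'maximum 10' (the original) and 'maximum 2' (the fix)."""
    loose = PortSecurity(maximum=10, static=set(CONFIGURED))
    strict = PortSecurity(maximum=2, static=set(CONFIGURED))
    return {"max10": loose.frame_from(STRANGER), "max2": strict.frame_from(STRANGER)}

def absent_host_cases() -> tuple:
    """Point 2 above: a reserved slot stays closed, an aged-out dynamic slot reopens."""
    port = PortSecurity(maximum=10, static=set(CONFIGURED))
    for i in range(8):                                 # eight dynamic hosts fill the port
        port.frame_from(f"0011.2233.01{i:02x}")
    while_reserved = port.frame_from(STRANGER)         # a configured host is absent: still refused
    port.age_out("0011.2233.0100")                     # a dynamic host leaves and ages out
    after_aging = port.frame_from(STRANGER)            # its slot is now open to anyone
    return while_reserved, after_aging
```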

 

Hello, 

 

I got it.

Thanks.

 
