Re: Port security question

Patrick McHenry · ‎01-07-2011

Was wondering if it is possible to allow the same mac addresses with port security to more that one port on a switch. For instance; we want to secure our Conference room ports. There is more than one port per Conference room but, they go to the same switch. How can I secure more than one switchport from the same switch, with the same device MACs?

Thanks, Pat.

Mahesh Gohil · ‎01-07-2011

Hello,

If you are configuring sticky mac with port-security it will not allow you to do so and give duplicacy error.

But you can bind mac to any port via. global command but you need to disable port-security

(config)#mac address-table static 0027.0dc9.9600 vlan 101 interface gig1/0/7
(config)#mac address-table static 0027.0dc9.9600 vlan 101 interface gig1/0/8

Regards

Mahesh

cadet alain · ‎01-07-2011

Hi mahesh,

Isn't this a security concern as I suppose all frames destined to this MAC will be sent on both ports?

Regards.

Alain.

Don't forget to rate helpful posts.

Yogesh Ramdoss · ‎01-07-2011

Mahesh,

I tried in the lab, and it takes the last configuration.

mac address-table static 0027.0dc9.9600 vlan 101 interface gig1/1
mac address-table static 0027.0dc9.9600 vlan 101 interface gig1/2

est#sh mac-address-table

Legend: * - primary entry

age - seconds since last seen
n/a - not available

vlan mac address type learn age ports
------+----------------+--------+-----+----------+-------
* 101 0027.0dc9.9600 static No - Gi1/2

- Yogesh

Patrick McHenry · ‎01-07-2011

Mahesh,

Can I have port-security enabled for some ports and still bind addresses on other ports

as long as the ports I bind to have sticky disabled and the macs aren't a mac for other sticky ports?

Confusing question?

Pat

cadet alain · ‎01-07-2011

Hi Pat,

I should work as long as the mac addresses aren't secure addresses because then you'll get a mac-move violation.

Regards.

Alain.

Don't forget to rate helpful posts.

Patrick McHenry · ‎01-07-2011

Thank Alain, I'll give it a shot.

Patrick McHenry · ‎01-07-2011

what if, for instance if both ports in one conference room are being used by two devices that have static mappings to both ports and are being used at the same time? Won't both devices get each others traffic?

Pat

cadet alain · ‎01-07-2011

hi,

that's what I asked in above post:

Hi mahesh,

Isn't this a security concern as I suppose all frames destined to this MAC will be sent on both ports?

Regards.

Alain.

Don't forget to rate helpful posts.

Patrick McHenry · ‎01-07-2011

yea I guess it is the same question but, I'm thinking of it more as a traffic concern.

cadet alain · ‎01-07-2011

Hi,

yes then traffic wise it won't be passed to OSI layer 3 as the ip will be different but it will consume bw, all this in the case it is sent to both ports

which should be the behaviour.

Regards.

Alain.

Don't forget to rate helpful posts.

Patrick McHenry · ‎01-07-2011

Yogesh, what platform are you using?

Yogesh Ramdoss · ‎01-07-2011

Patrick,

The above logs are from a Cat6500.

I tried the same in Cat 3560v2, and I am able to configure a static CAM entry for more than one port

mac address-table static 0011.2222.3333 vlan 101 interface FastEthernet0/6

mac address-table static 0011.2222.3333 vlan 101 interface FastEthernet0/5

3560V2#sh mac address-table static
Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
101    0011.2222.3333    STATIC      Fa0/5 Fa0/6

- Yogesh

Patrick McHenry · ‎01-07-2011

cool. Thank you.

Patrick McHenry · ‎01-07-2011

what if, for instance if both ports in one conference room are being used by two devices that have static mappings to both ports and are being used at the same time? Won't both devices get each others traffic?

Pat.