06-11-2008 08:07 PM - edited 03-05-2019 11:34 PM
Is there a switchport command on a 3750 switch that will only allow 1 MAC address, so that end users can't plug in their own hubs/switches?
I don't want to maintain a MAC table, just allow any MAC but only 1 MAC.
06-11-2008 09:05 PM
Don't have a 3750, but I suspect that if you enable "port-security", the default will likely be to allow only one MAC address.
On a 2950 the syntax would be:
interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum
Although I wouldn't configure the value as "1" as the default is "1" on that platform (2950), and might cause an issue if set.
You might look for that syntax in your CLI, or something like it.
optional:
 switchport port-security violation restrict
 switchport port-security mac-address aaaa.bbbb.cccc
06-12-2008 06:14 AM
There are a couple of things that will help you with this issue.
The bpduguard commands, and port-security commands.
BPDUGUARD detects the bridging signals that most switches and hubs use, and will shut down (error-disable) the port when a bpdu is detected.
The command for this on a 3750 is:
interface FastEthernet1/0/1
 spanning-tree bpduguard enable
The port can be made to recover automatically with the following commands at the global config prompt:
errdisable recovery cause bpduguard
errdisable recovery interval 900
The above commands cause the error disabled port to automatically re-enable after a period of 900 seconds (15 minutes).
Port security will limit the number of mac addresses allowed on the port to the number you specify (default of 1). This can cause other issues with people that move around from port to port. Considerable thought needs to be exercised before implementing this capability, as you will be called upon to re-enable the ports by performing a shut/no shut to bring the ports back up.
06-12-2008 06:26 AM
You could use the sticky command in the port security command. That will register the first MAC address on that port. If you do, though, remember to set the maximum number of MACs it should register and what should happen in case of a violation. Having said that, combine the error recovery command provided earlier with the switchport port-security command and the maximum MAC command. You can even hardcode the ports as access ports only ("switchport mode access").
06-12-2008 06:32 AM
interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum
 spanning-tree bpduguard enable
!
errdisable recovery cause bpduguard
errdisable recovery interval 900
If you are bold you can use this with the interface range command.
06-13-2008 05:15 AM
This is a typical config we use on our 3750s:
interface FastEthernet1/0/6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
We don't use the sticky command, in case someone wants to swap out their PC. The default is one MAC address per port.
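Once a few hundred ports are configured this way, the practical problem is finding the ones that drifted: a port with only the sticky or maximum lines but no bare `switchport port-security` (so nothing is enforced), a maximum above the one MAC asked for in the question, or a port missing bpduguard. The following is an added example, not code from the thread or from Cisco: a small Python audit that reads a saved `show running-config`, walks the interface stanzas, and reports those gaps for access ports, plus whether `errdisable recovery cause bpduguard` is set globally. The sample config embedded in it is constructed for the example; the function names and the `max_allowed` parameter are the author's assumptions.

```python
"""
Audit a Catalyst IOS running-config for access ports that can still accept a
user-attached hub or switch.

Added example, not from the original thread or from Cisco.  It parses the
interface stanzas of a saved `show running-config` and flags, per access port:
  * port-security not enabled (the bare `switchport port-security` is absent)
  * a `maximum` greater than the one MAC the original poster asked for
  * no `spanning-tree bpduguard enable`
It also checks that errdisable recovery is configured globally for bpduguard,
since otherwise a tripped port stays down until someone does shut/no shut.
The sample config below is constructed for this example.
"""
import re

# Constructed sample: one port hardened as discussed in the thread, one that
# only has the sticky/maximum lines without actually enabling port-security,
# one untouched access port, and a trunk that should be ignored.
SAMPLE_CONFIG = """\
!
errdisable recovery cause bpduguard
errdisable recovery interval 900
!
interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/2
 switchport mode access
 switchport port-security mac-address sticky
 switchport port-security maximum 3
 spanning-tree bpduguard enable
!
interface FastEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/1
 switchport mode trunk
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-command lines]} for every interface stanza."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # '!' or a global command ends the stanza
    return interfaces


def recovery_configured(config):
    """True if errdisable recovery is enabled for the bpduguard cause."""
    return any(
        line.strip() == "errdisable recovery cause bpduguard"
        for line in config.splitlines()
    )


def audit_port(cmds, max_allowed=1):
    """Return a list of findings for one port's sub-commands (access ports only)."""
    findings = []
    if "switchport mode access" not in cmds:
        return findings  # trunks / routed ports are out of scope here
    # 'mac-address sticky' or 'maximum' alone do not enforce anything; the bare
    # 'switchport port-security' line is what turns the feature on.
    if "switchport port-security" not in cmds:
        findings.append("port-security not enabled")
    for cmd in cmds:
        m = re.fullmatch(r"switchport port-security maximum (\d+)", cmd)
        if m and int(m.group(1)) > max_allowed:
            findings.append(f"maximum {m.group(1)} exceeds {max_allowed}")
    if "spanning-tree bpduguard enable" not in cmds:
        findings.append("bpduguard not enabled")
    return findings


def audit_config(config, max_allowed=1):
    """Return {interface: [findings]} for access ports with at least one finding."""
    results = {}
    for name, cmds in parse_interfaces(config).items():
        findings = audit_port(cmds, max_allowed)
        if findings:
            results[name] = findings
    return results


if __name__ == "__main__":
    if not recovery_configured(SAMPLE_CONFIG):
        print("WARNING: no 'errdisable recovery cause bpduguard'; tripped ports stay down")
    for intf, findings in audit_config(SAMPLE_CONFIG).items():
        print(f"{intf}: {'; '.join(findings)}")
```

Feed it the text of `show running-config` saved from the switch instead of `SAMPLE_CONFIG`; on the constructed input it reports FastEthernet1/0/2 (port-security never enabled, maximum 3) and FastEthernet1/0/3 (no port-security, no bpduguard) and is quiet about the hardened port and the trunk.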