08-18-2009 11:53 PM - edited 03-06-2019 07:19 AM
I have just realized that once you perform "no switchport" on a switch, you can no longer perform switchport security on a port.
I would like to have "no switchport" and yet be able to perform a "switchport security" so that I can limit the number of mac addresses connecting to that port.
Is there a way?
08-19-2009 05:19 AM
You can't perform switchport related commands - such as security - on a Layer 3 port.
If you need switchport security as part of the design, you must enable switchport features on the port (Layer 2 switchport) and assign this port to a VLAN. You can apply the IP address intended for this switchport under the Switch Virtual Interface (SVI) and it will behave the same as applying the IP under the switchport.
HTH,
__
Edison.
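The design described in the reply above, as an added configuration example that is not part of the original thread: a routed port, where port security is unavailable, next to the same port rebuilt as a Layer 2 access port with its IP address on an SVI. The interface name, VLAN 100, the 192.0.2.1/24 address and the limit of one MAC address are assumptions chosen for illustration.

```cisco
! Before: routed port. Switchport commands, including port-security,
! are not accepted on this interface.
interface GigabitEthernet0/1
 no switchport
 ip address 192.0.2.1 255.255.255.0
!
! After: Layer 2 access port in its own VLAN (assumed VLAN 100).
vlan 100
!
interface GigabitEthernet0/1
 switchport
 ! Port security requires a static access or trunk port, not a dynamic one.
 switchport mode access
 switchport access vlan 100
 switchport port-security
 ! Assumed limit: one MAC address on this port.
 switchport port-security maximum 1
 ! Drop frames from additional MACs and count violations, keep the port up.
 switchport port-security violation restrict
!
! The IP address that was on the routed port moves to the SVI.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 no shutdown
```

`show port-security interface GigabitEthernet0/1` reports the configured maximum, the learned address count and the violation counter for the port.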
08-19-2009 05:26 AM
Hi Edison,
I understand the way to do physical port security. So I'm asking if there's any other way?
Is 802.1x capable of achieving that on a routed port?
08-19-2009 06:16 AM
You could implement security ACLs ..
dot1x is only available on L2 switchports.
08-19-2009 06:51 AM
> You could implement security ACLs ..
What kind of security ACLs are you referring to? MAC filtering access-list?
> dot1x is only available on L2 switchports.
Thanks for answering.
08-19-2009 06:57 AM
Yes, mac filtering acls.
08-19-2009 07:07 AM
Hi Edison,
> Yes, mac filtering acls.
Thanks. Just wondering if there are any other means, because I would most likely need to apply the ACLs to all 48 ports of my access switch. They have to be 48 different named ACLs.
08-19-2009 07:27 AM
No.
Those are the limitations you may face when doing L3 switchport. You lose switchport capabilities.
__
Edison.
08-20-2009 06:01 AM
Hi Edison,
I just realized that mac access-group is not supported on a routed port. The option is not available as soon as I did a "no switchport".
Is mac access-group the security ACL you are referring to?
08-20-2009 06:15 AM
You are right, just realized that - my apologies.
I believe the only option is using the mac address-table static global command:
HTH,
__
Edison.
08-20-2009 06:19 AM
Thanks Edison, I'll go check it out tomorrow when I get back to the office.
Cheers,
Alan