Port-Security for 2 switches trunked

antotini
Level 1

Hi all, I have 2 x 9200L Catalyst switches trunked together. My objective is that after PC1 has been plugged into Port1 of SW1, PC1 cannot be plugged into SW2 and the violation restrict action will be triggered. Is this possible, or what am I doing wrong here?

PC1 -> SW1 <---Trunk---> SW2 : PASS
SW1 <---Trunk---> SW2 -> PC1 : Violation Restrict

=====SW1 Config===== 
int g1/0/1 
switchport mode access 
switchport access vlan 100
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky 

int g1/0/2
switchport mode trunk 

=====SW2 Config=====
int g1/0/1 (this is where I try to plug PC1 in)
switchport mode access 
switchport access vlan 100
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address sticky 

int g1/0/2
switchport mode trunk 

8 Replies

Port-security is local to the switch; the port-security idea is mapping MAC-to-port,
so to make PC1 not accepted when connecting to SW2 I think you need dot1x.

MHM
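To make the "port-security is local to the switch" point concrete, here is an added example (my own code, not Cisco's and not from the thread) that models the documented secure-port rules from the Catalyst port-security guide linked in this thread: a per-port maximum (default 1), sticky learning, the three violation modes (protect drops silently, restrict drops and counts, shutdown err-disables the port), and a violation when a MAC already secured on one secure port of the same switch in the same VLAN shows up on another. Each Switch object keeps its own secure-MAC table, so SW1's sticky entry for PC1 is invisible to SW2. The MAC addresses, the second secure access port Gi1/0/3 and the log line format are constructed for the demo; the model does not reproduce the case in MHM's lab where the address was first learned dynamically across the trunk.

```python
"""Per-switch port-security model (added example, not Cisco code).

Assumptions (not from the thread): violation handling follows the Cisco
documentation - protect drops silently, restrict drops and counts,
shutdown err-disables the port. Secure-MAC tables are per switch.
"""
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    vlan: int
    maximum: int = 1                # switchport port-security maximum (default 1)
    violation: str = "restrict"     # protect | restrict | shutdown
    secure_macs: set = field(default_factory=set)   # sticky-learned addresses
    err_disabled: bool = False
    violation_count: int = 0


class Switch:
    """One switch: its own ports, its own secure-MAC table, its own log."""

    def __init__(self, hostname: str):
        self.hostname = hostname
        self.ports: dict = {}
        self.log: list = []

    def add_secure_port(self, port: SecurePort) -> None:
        self.ports[port.name] = port

    def _violation(self, port: SecurePort, mac: str, reason: str) -> bool:
        port.violation_count += 1
        if port.violation == "shutdown":
            port.err_disabled = True          # err-disable the port
        if port.violation != "protect":       # restrict and shutdown both notify
            # Constructed log format, not an IOS syslog message.
            self.log.append(f"{self.hostname}: {port.name} dropped {mac} "
                            f"({reason}), mode {port.violation}")
        return False                          # frame is dropped

    def ingress(self, port_name: str, mac: str) -> bool:
        """Return True if a frame from `mac` on `port_name` is accepted."""
        port = self.ports[port_name]
        if port.err_disabled:
            return False
        if mac in port.secure_macs:
            return True                       # already secured here
        # Rule 1: address secured on another secure port in the same VLAN.
        for other in self.ports.values():
            if other is not port and other.vlan == port.vlan \
                    and mac in other.secure_macs:
                return self._violation(port, mac, f"already secured on {other.name}")
        # Rule 2: secure table is full.
        if len(port.secure_macs) >= port.maximum:
            return self._violation(port, mac, "maximum exceeded")
        port.secure_macs.add(mac)             # sticky learn
        return True


def run_scenario():
    """Two independent switches, as in the thread; returns results and logs."""
    pc1 = "aaaa.aaaa.aaaa"   # constructed, same placeholder as MHM's lab
    pc2 = "bbbb.bbbb.bbbb"   # constructed second host
    sw1, sw2 = Switch("SW1"), Switch("SW2")
    for sw in (sw1, sw2):
        sw.add_secure_port(SecurePort("Gi1/0/1", vlan=100))
        sw.add_secure_port(SecurePort("Gi1/0/3", vlan=100))  # assumed extra access port
    results = {
        # PC1 is sticky-learned on SW1 Gi1/0/1.
        "sw1_pc1_first": sw1.ingress("Gi1/0/1", pc1),
        # Same switch, other secure port: the documented violation case.
        "sw1_pc1_moved": sw1.ingress("Gi1/0/3", pc1),
        # SW2 has no idea what SW1 learned, so PC1 is simply learned again.
        "sw2_pc1": sw2.ingress("Gi1/0/1", pc1),
        # A second host on the same SW2 port exceeds maximum 1 -> restrict.
        "sw2_pc2": sw2.ingress("Gi1/0/1", pc2),
    }
    results["sw1_violations"] = sw1.ports["Gi1/0/3"].violation_count
    results["sw2_violations"] = sw2.ports["Gi1/0/1"].violation_count
    return results, sw1.log + sw2.log


if __name__ == "__main__":
    res, logs = run_scenario()
    for k, v in res.items():
        print(f"{k}: {v}")
    print("\n".join(logs))
```

The two outcomes that matter for this thread are `sw1_pc1_moved` (dropped, because SW1 itself holds the sticky entry) and `sw2_pc1` (accepted, because SW2's table is empty), which is exactly the gap MHM points at: a MAC-to-port binding is enforced only by the switch that learned it, and cross-switch enforcement needs something with a shared identity store such as 802.1X.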

Hi, thanks for the reply. I'm not using 802.1x

balaji.bandi
Hall of Fame

Look at the guidelines on how port security works on Cat 9K models.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-9/configuration_guide/sec/b_179_sec_9200_cg/port_security.html

Why do you want to restrict the device move from one switch to another switch?

If you are looking to bind the PC to the same port, then you need to look at sticky MAC (if you do not want to use any other ports for that device). This has management overhead when the device fails.

If this is a large environment, there is a different way to deal with it, an identity system, and you can restrict the user or device to authenticate based only on the location of the device.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi balaji, the use case is where I have users at level 1 (SW1) who shouldn't be allowed to plug into level 2 switches (SW2).

If this is only a small environment, and the device is not going to move (technically), not intentionally, and there is no dynamic movement of that port, then make it sticky MAC.

 

BB


I ran this lab for you.

NOTE: the hosts must be in the same VLAN.

Theoretically it must work, and the lab below shows you that when SW-R4 sees aaaa.aaaa.aaaa, which it already learned from the trunk via SW-R3, also via e0/0, the port is shut by port-security violation.

BUT BUT this is not an optimal solution; you can face issues when applying it to a real network.

Try to use 802.1x.

MHM

[Attachments: Screenshot (799).png, Screenshot (800).png]

Hi, are you able to share the configs of R3 and R4?

Sure, I am out now; when I get back home I will share both SW configs.

MHM
