From: Volkov, Dmitry (Toronto - BCE) (dmitry_volkov@xxxxxxxxx)
Date: Fri Aug 30 2002 - 16:35:03 GMT-3
Hi,
CCO said: You cannot configure port security on a SPAN destination port and
vice versa.
I tried to configure it and it works. What I did:
1) plug sniffer laptop (mac 00-10-4b-a2-e7-39) to port 3/6
2) sw-9> (enable) set span 3/2 3/6
3) sw-9> (enable) set port security 3/6 ena
4) 2002 Aug 30 09:51:46 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation - Port went to "shutdown"
5) sw-9> (enable) set port 3/6 enable
And now I have port monitor status and security enabled.
Sniffer captures packets coming to/from port 3/2.
sw-9> (enable) sh port 3/6
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 3/6                     monitor    30         high   a-full a-100 10/100BaseTX
Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 3/6  enabled  00-10-4b-a2-e7-39                   No       disabled 268
sw-9> (enable) sh span
Status : enabled
Admin Source : Port 3/2
Oper Source : Port 3/2
Destination : Port 3/6
Direction : transmit/receive
Incoming Packets: disabled
6) I unplugged the laptop from 3/6 and plugged another host into 3/6 (different MAC)
sw-9> (enable) 2002 Aug 30 10:08:39 EST -04:00 %SPANTREE-3-PORTDEL_FAILNOTFOUND:3/6 in vlan 30 not found (LinkUpdPrcs)
2002 Aug 30 10:08:41 EST -04:00 %SECURITY-1-PORTSHUTDOWN:Port 3/6 shutdown due to security violation
sw-9> (enable) sh port 3/6
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 3/6                     shutdown   30         high   auto   auto  10/100BaseTX
Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 3/6  enabled  00-10-4b-a2-e7-39 00-00-0c-4e-47-88 Yes      disabled 268
7) I unplugged this host from 3/6 and plugged laptop back to port 3/6
8) sw-9> (enable) set port enable 3/6
9) sw-9> (enable) sh port 3/6
Port  Name               Status     Vlan       Level  Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
 3/6                     monitor    30         high   a-full a-100 10/100BaseTX
Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown Trap     IfIndex
----- -------- ----------------- ----------------- -------- -------- -------
 3/6  enabled  00-10-4b-a2-e7-39                   No       disabled 268
Laptop captures packets.
Any comments?
Thanks,
Dmitry
sw-9> (enable) sh ver
WS-C5000 Software, Version McpSW: 4.5(9) NmpSW: 4.5(9)
Copyright (c) 1995-2000 by Cisco Systems
NMP S/W compiled on Sep 28 2000, 15:21:37
MCP S/W compiled on Sep 28 2000, 15:25:26
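
Added example, not part of the original post: a Python check that correlates `show span`, `show port` and syslog text in the formats quoted above, to flag a port-security shutdown on a SPAN destination port (a different device appearing where the sniffer was). The function names and the sample input, including the 3/9 line, are constructed for illustration.

```python
import re

MAC = r"(?:[0-9a-f]{2}-){5}[0-9a-f]{2}"
SPAN_DEST_RE = re.compile(r"^Destination\s*:\s*Port\s+(\d+/\d+)", re.M)
SHUTDOWN_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} [\d:]{8}) .*?"
    r"%SECURITY-1-PORTSHUTDOWN:Port (?P<port>\d+/\d+) shutdown", re.M)
SEC_ROW_RE = re.compile(
    rf"^\s*(?P<port>\d+/\d+)\s+enabled\s+(?P<secure>{MAC})"
    rf"(?:\s+(?P<last>{MAC}))?\s+(?:Yes|No)\b", re.M | re.I)

# Constructed sample input modelled on the output quoted in the post;
# the 3/9 syslog line is invented to show a non-SPAN port being ignored.
SHOW_SPAN = "Status : enabled\nDestination : Port 3/6\n"
SHOW_PORT = (
    "Port  Security Secure-Src-Addr   Last-Src-Addr     Shutdown\n"
    " 3/6  enabled  00-10-4b-a2-e7-39 00-00-0c-4e-47-88 Yes\n")
SYSLOG = (
    "2002 Aug 30 10:08:41 EST -04:00 %SECURITY-1-PORTSHUTDOWN:"
    "Port 3/6 shutdown due to security violation\n"
    "2002 Aug 30 10:15:02 EST -04:00 %SECURITY-1-PORTSHUTDOWN:"
    "Port 3/9 shutdown due to security violation\n")


def span_destinations(show_span):
    """Return the set of SPAN destination ports in 'show span' output."""
    return set(SPAN_DEST_RE.findall(show_span))


def tap_alerts(show_span, show_port, syslog):
    """List port-security shutdowns that hit a SPAN destination port."""
    dests = span_destinations(show_span)
    rows = {m["port"]: m for m in SEC_ROW_RE.finditer(show_port)}
    alerts = []
    for m in SHUTDOWN_RE.finditer(syslog):
        port = m["port"]
        if port not in dests:
            continue  # ordinary access port, not the monitoring tap
        row = rows.get(port)  # 'show port' snapshot; may be missing
        alerts.append({
            "time": m["ts"], "port": port,
            "expected_mac": row["secure"] if row else None,
            "seen_mac": row["last"] if row else None})
    return alerts


if __name__ == "__main__":
    for alert in tap_alerts(SHOW_SPAN, SHOW_PORT, SYSLOG):
        print(alert)
```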