From: boby2kusa@hotmail.com
Date: Mon Jul 07 2003 - 16:45:45 GMT-3
A secure port can have from 1 to 128 associated secure addresses. This is
also the total number of available secure addresses on the switch.
You can configure these types of secure MAC addresses:
- Static secure MAC addresses: These are manually configured by using the
switchport port-security mac-address mac-address interface configuration
command, stored in the address table, and added to the switch running
configuration.
- Dynamic secure MAC addresses: These are dynamically learned, stored
only in the address table, and removed when the switch restarts.
- Sticky secure MAC addresses: These can be dynamically learned or
manually configured, stored in the address table, and added to the running
configuration. If these addresses are saved in the configuration file, the
interface does not need to dynamically relearn them when the switch
restarts. Although sticky secure addresses can be manually configured, we do
not recommend it.
- protect: When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped until
you remove a sufficient number of secure MAC addresses or increase the
number of maximum allowable addresses. You are not notified that a security
violation has occurred.
- restrict: When the number of secure MAC addresses reaches the limit
allowed on the port, packets with unknown source addresses are dropped until
you remove a sufficient number of secure MAC addresses or increase the
number of maximum allowable addresses. In this mode, you are notified that a
security violation has occurred. Specifically, an SNMP trap is sent, a
syslog message is logged, and the violation counter increments.
Per the notes above, you can use either protect or restrict; it will deny
traffic from devices whose MAC address is not in the table. Since the
router will only send its own MAC to the switch, the switch will only learn
one MAC address on that port. As noted, the switch can secure up to 128 MAC
addresses, so you can configure the switch to learn only 1 MAC address on
that port, or statically configure the MAC address that you will allow:
switchport port-security maximum 1
The above command says that you are allowing only one MAC address to be in
the port security table.
To verify which MAC address is in the port security table:
show port-security address
And it is all here:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swtrafc.htm#1038552
----- Original Message -----
From: <Danny.Andaluz@triaton-na.com>
To: <ccielab@groupstudy.com>
Sent: Monday, July 07, 2003 11:59 AM
Subject: port-security 3550
> Hello, Group. Quick question on port security.
>
> interface FastEthernet0/7
> switchport port-security violation protect
>
> r7---cat3550
>
> Will the above config allow the port to only learn r7's MAC and none other?
> Here's the requirement:
>
> Configure the port attached to R7 to only learn 1 MAC address. If other
> devices are connected to this port, it should not be shut down, but rather
> deny any communications from these new MACs.
>
> I think the "protect" keyword prevents the port from being shut down. I'm
> confused about the part where it only learns R7's MAC. If another device
> connects to this port, how does the switch know it's not R7? I'm guessing
> it's dynamic, but is the above all that is needed as far as configuration
> on the cat interface? Shouldn't the command "switchport port-security" be
> added as well? I was looking at the Doc CD, but it's not clear. I'm
> finding conflicting info.
>
> Thanks,
> Danny
>
>
> _______________________________________________________________________
> You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
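A config audit for the situation in this thread, as an added example that is not from the thread or from Cisco: it parses a constructed IOS-style running-config (the interface names and lines are assumed, modelled on the quoted question) and flags ports that set a violation mode or maximum but lack the bare `switchport port-security` line that enables the feature, or that would fall back to the default shutdown violation mode.

```python
# Constructed sample running-config (not from the thread): Fa0/7 mirrors the
# poster's snippet (violation mode set, feature never enabled); Fa0/8 is complete.
SAMPLE_CONFIG = """\
interface FastEthernet0/7
 switchport port-security violation protect
!
interface FastEthernet0/8
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
!
"""

def parse_interfaces(config):
    """Map each interface name to its list of indented config lines."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current and line.startswith(" "):
            interfaces[current].append(line.strip())
        elif line.startswith("!"):
            current = None  # end of the interface stanza
    return interfaces

def audit_port_security(config, expected_max=1):
    """Return {interface: [findings]} for ports that mention port security
    but are not a complete 'learn one MAC, never shut down' setup."""
    findings = {}
    for name, lines in parse_interfaces(config).items():
        if not any(l.startswith("switchport port-security") for l in lines):
            continue  # port security not in play on this interface
        problems = []
        if "switchport port-security" not in lines:
            problems.append("not enabled: bare 'switchport port-security' missing")
        maxima = [int(l.split()[-1]) for l in lines
                  if l.startswith("switchport port-security maximum ")]
        if not maxima:
            problems.append("no explicit maximum (relies on the platform default)")
        elif maxima[0] != expected_max:
            problems.append(f"maximum is {maxima[0]}, expected {expected_max}")
        modes = [l.split()[-1] for l in lines
                 if l.startswith("switchport port-security violation ")]
        if not modes:
            problems.append("no violation mode: the default (shutdown) err-disables the port")
        elif modes[0] not in ("protect", "restrict"):
            problems.append(f"violation mode {modes[0]} would shut the port down")
        if problems:
            findings[name] = problems
    return findings
```

Calling `audit_port_security(SAMPLE_CONFIG)` reports only FastEthernet0/7, with the missing enable line as its first finding.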
This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:27 GMT-3