RE: port-security 3550

From: Danny.Andaluz@triaton-na.com
Date: Mon Jul 07 2003 - 17:12:26 GMT-3


That definitely helps. It's pretty clear to me now. Thank you all for your
responses.

Danny

-----Original Message-----
From: John Humphrey [mailto:john.humphrey@txkisd.net]
Sent: Monday, July 07, 2003 4:05 PM
To: Andaluz, Danilo, Triaton/NA
Cc: matijevi@bellsouth.net
Subject: RE: port-security 3550

It will not ignore the commands. It will accept and apply them. It would
look at its mac-address table (show mac-address-table will help you
visualize this) and use the first host that it learns. In other words,
port-security doesn't disable the switch's normal "Blocking, Listening,
Learning, Forwarding" mechanism. After the learning phase, it will say "hey
I can only allow 1 mac-address through here, so I can't let anyone else
through." I know this might over-simplify matters, but it helps to visualize
it. Hope this helps.

jh

> So if I don't specify a MAC address and only specify "switchport
> port-security violation protect" and "switchport port-security maximum
> 1", the switch will ignore these commands?
>
> Danny
>
> -----Original Message-----
> From: John Matijevic [mailto:matijevi@bellsouth.net]
> Sent: Monday, July 07, 2003 3:56 PM
> To: Andaluz, Danilo, Triaton/NA; john.humphrey@txkisd.net
> Cc: ccielab@groupstudy.com
> Subject: Re: port-security 3550
>
>
> Hello,
> Again, the switch would not know; you have to specify it using the
> switchport port-security mac-address. Sincerely, Matijevic
>
> ----- Original Message -----
> From: Danny.Andaluz@triaton-na.com
> To: matijevi@bellsouth.net; john.humphrey@txkisd.net
> Cc: ccielab@groupstudy.com
> Sent: Monday, July 07, 2003 3:57 PM
> Subject: RE: port-security 3550
>
>
> I was wondering how the switch decides what that 1 MAC address will
> be. I think it's the first one it sees on the interface. How else
> would it know what to allow if you don't specify a MAC address?
>
> Danny
>
> -----Original Message-----
> From: John Matijevic [mailto:matijevi@bellsouth.net]
> Sent: Monday, July 07, 2003 3:51 PM
> To: John Humphrey; Andaluz, Danilo, Triaton/NA
> Cc: ccielab@groupstudy.com
> Subject: Re: port-security 3550
>
>
> Hello,
> It looks like from your scenario that you could use either protect or
> restrict. And you will need port-security maximum 1 command to limit
> to one mac-address. Sincerely, Matijevic
>
> ----- Original Message -----
> From: "John Humphrey" <john.humphrey@txkisd.net>
> To: <Danny.Andaluz@triaton-na.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, July 07, 2003 3:38 PM
> Subject: Re: port-security 3550
>
>
>> I think you need the following commands per DocCD. Check out this url
>> as a reference:
>> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12113ea1/3550scg/swtrafc.htm#1038546
>>
>> int f0/x
>> switchport port-security maximum 1 --> sets maximum # of learned MAC to 1
>> switchport port-security mac-address xxxx.xxxx.xxxx --> R7's MAC
>>
>> This scenario would probably warrant the "switchport port-security
>> violation restrict" or "switchport port-security violation protect".
>> It just depends on whether or not you want an SNMP trap sent or not.
>>
>> Hope this helps.
>>
>> > Hello, Group. Quick question on port security.
>> >
>> > interface FastEthernet0/7
>> > switchport port-security violation protect
>> >
>> > r7---cat3550
>> >
>> > Will the above config allow the port to only learn r7's MAC and
>> > none other? Here's the requirement:
>> >
>> > Configure the port attached to R7 to only learn 1 MAC address. If
>> > other devices are connected to this port, it should not be shut
>> > down, but rather deny any communications from these new MAC's.
>> >
>> > I think the "protect" keyword prevents the port from being
>> > shutdown. I'm confused about the part where it only learns R7's
>> > MAC. If another device connects to this port, how does the switch
>> > know it's not R7. I'm guessing it's dynamic, but is the above all
>> > that is needed as far as configurations on the cat interface?
>> > Shouldn't the command "switchport port-security" be added as well?
>> > I was looking at the Doc CD, but it's not clear. I'm finding
>> > conflicting info.
>> >
>> > Thanks,
>> > Danny
>> >
>> >
>> > ______________________________________________________________________
>> > You are subscribed to the GroupStudy.com CCIE R&S Discussion Group.
>> >
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>>
>>
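As an added illustration (not code from the thread or from Cisco), here is a small Python model of the port-security decision the replies describe: with maximum 1 and no static MAC, the first source address the port learns becomes the secure address, and any later address is dropped, silently under protect, counted and trapped under restrict, and with the port err-disabled under shutdown. The MAC addresses are constructed, and the model assumes port security has actually been enabled on the access port with switchport port-security, since the maximum and violation parameters are only enforced once the feature is on.

```python
# Added example (not from the thread): a model of a 3550 access port running
# "switchport port-security maximum 1" with no static MAC. The first source
# MAC the port learns becomes the secure address; everything else violates.
from dataclasses import dataclass, field

PROTECT, RESTRICT, SHUTDOWN = "protect", "restrict", "shutdown"


@dataclass
class PortSecurity:
    enabled: bool = True             # "switchport port-security" configured
    maximum: int = 1                 # "switchport port-security maximum 1"
    violation: str = PROTECT         # "switchport port-security violation ..."
    static: set = field(default_factory=set)    # "... mac-address xxxx.xxxx.xxxx"
    learned: list = field(default_factory=list)  # dynamically learned secure MACs
    violations: int = 0              # counter a "show port-security" would display
    errdisabled: bool = False
    traps: list = field(default_factory=list)   # SNMP trap/syslog for restrict & shutdown

    def secure_macs(self):
        return list(self.static) + self.learned

    def receive(self, src_mac: str) -> str:
        """Decide what the port does with a frame from src_mac: 'forward' or 'drop'."""
        if self.errdisabled:
            return "drop"
        if not self.enabled:
            return "forward"          # parameters accepted but not enforced
        if src_mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.append(src_mac)   # first host seen becomes the allowed one
            return "forward"
        # Over the limit: what happens next depends on the violation mode
        if self.violation == PROTECT:
            return "drop"             # silent drop, no counter, no trap
        self.violations += 1
        self.traps.append(f"psecure-violation {src_mac}")
        if self.violation == SHUTDOWN:
            self.errdisabled = True   # port goes err-disabled
        return "drop"


if __name__ == "__main__":
    port = PortSecurity(violation=RESTRICT)   # R7's port, no static MAC configured
    for mac in ("0000.0c07.ac07", "0000.0c07.ac07", "0011.2233.4455"):  # constructed
        print(mac, "->", port.receive(mac))
    print("violations:", port.violations, "traps:", port.traps)
```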



This archive was generated by hypermail 2.1.4 : Wed Aug 06 2003 - 06:52:27 GMT-3