Port-Secure on Trunk

From: gladston@br.ibm.com
Date: Wed Jun 22 2005 - 15:09:20 GMT-3


R5 is connected to R7 via CAT1
There are two HSRP groups.

So, it is necessary to allow 3 MACs.

R5 is configured as trunk on its connections to CAT1.
R5 transmits frames on the native VLAN using the MAC of e0/0.

So that adds one MAC, resulting in 4 MACs that need to be allowed.

So far, so good.

"switchport port-security maximum 4" works.

cat1(config-if)#do sh mac-ad int fa 0/5
          Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
  57 0000.0c07.ac01 DYNAMIC Fa0/5
  57 0000.0c07.ac02 DYNAMIC Fa0/5
  57 0030.80ad.d2c0 DYNAMIC Fa0/5
   1 0030.80ad.d2c0 DYNAMIC Fa0/5
Total Mac Addresses for this criterion: 4

But I do not understand the behaviour of "switchport port-security maximum 3 vlan 57".

Would it be this: 'switchport port-security maximum 4' sets the maximum number of MACs to 4 for all VLANs on this port; 'switchport port-security maximum 3 vlan 57' sets the maximum number of MACs to 3 on VLAN 57; this results in only one address for all other VLANs?
Without setting 'switchport port-security maximum 4', 'switchport port-security maximum 3 vlan 57' does not work because IOS understands that only one MAC is allowed for all VLANs on this port.

This is also not enough:

cat1(config-if)#do sh run int fa 0/5

interface FastEthernet0/5
 switchport access vlan 57
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0000.0c07.ac01 vlan 57
 switchport port-security mac-address 0000.0c07.ac02 vlan 57
 switchport port-security mac-address 0030.80ad.d2c0 vlan 57
 switchport port-security maximum 3 vlan 57
 no ip address
 duplex full
 speed 10
 spanning-tree portfast
end

cat1(config-if)#
02:08:28: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0000.0c07.ac02 on port FastEthernet0/5.
cat1(config-if)#

It is also necessary to use 'switchport port-security maximum 4'.

This works:

cat1(config-if)#switchport port-security maximum 4

cat1(config-if)#do sh run int fa 0/5

interface FastEthernet0/5
 switchport access vlan 57
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport port-security maximum 4
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 0000.0c07.ac01 vlan 57
 switchport port-security mac-address 0000.0c07.ac02 vlan 57
 switchport port-security mac-address 0030.80ad.d2c0 vlan 57
 switchport port-security maximum 3 vlan 57
 no ip address
 duplex full
 speed 10
 spanning-tree portfast
end

cat1#sh mac-address-table int fa 0/5
          Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
  57 0000.0c07.ac01 DYNAMIC Fa0/5
  57 0000.0c07.ac02 DYNAMIC Fa0/5
  57 0030.80ad.d2c0 DYNAMIC Fa0/5
   1 0030.80ad.d2c0 DYNAMIC Fa0/5
Total Mac Addresses for this criterion: 4
cat1#
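Added example (not part of the post above and not Cisco code): a small Python model of the two limits that the post is probing. It parses the "show mac address-table" output quoted above, reports the smallest port-wide and per-VLAN maximums that admit every (VLAN, MAC) pair, and simulates secure-address learning under the two configurations tried on Fa0/5. The learning rule used here (a pair is admitted only if the port-wide count is below the port maximum and the count on its VLAN is below that VLAN's maximum, the per-VLAN maximum defaulting to the port maximum) is an assumption chosen to reproduce the observed violation, not Cisco's documented algorithm. The MAC-table text is the sample from the post.

```python
import re
from collections import Counter

# Constructed sample input: the "show mac address-table int fa 0/5" output from the post.
SHOW_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
  57 0000.0c07.ac01 DYNAMIC Fa0/5
  57 0000.0c07.ac02 DYNAMIC Fa0/5
  57 0030.80ad.d2c0 DYNAMIC Fa0/5
   1 0030.80ad.d2c0 DYNAMIC Fa0/5
Total Mac Addresses for this criterion: 4
"""

# One table row: vlan, dotted-hex MAC, type, port.
ENTRY_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$", re.I
)


def parse_mac_table(text):
    """Return (vlan, mac) pairs in the order the switch listed them."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2).lower()))
    return entries


def required_maximums(entries):
    """Smallest port-wide and per-VLAN 'switchport port-security maximum'
    values that admit every pair. The same MAC on two VLANs counts twice,
    which is why the trunk in the post needs 4 rather than 3."""
    per_vlan = Counter(vlan for vlan, _ in entries)
    return len(entries), dict(per_vlan)


def simulate_port_security(entries, port_max=1, vlan_max=None):
    """Assumed learning rule (models the post's observation, not IOS source):
    admit a (vlan, mac) pair only if the port-wide count is below port_max
    AND the count on its VLAN is below that VLAN's limit; a VLAN without an
    explicit limit inherits port_max. Returns (secured, violations)."""
    vlan_max = vlan_max or {}
    secured = set()
    violations = []
    for vlan, mac in entries:
        if (vlan, mac) in secured:
            continue  # already a secure address, no new learning needed
        limit_vlan = vlan_max.get(vlan, port_max)
        on_vlan = sum(1 for v, _ in secured if v == vlan)
        if len(secured) >= port_max or on_vlan >= limit_vlan:
            violations.append((vlan, mac))  # 'violation restrict' would log and drop
        else:
            secured.add((vlan, mac))
    return sorted(secured), violations


if __name__ == "__main__":
    entries = parse_mac_table(SHOW_MAC_TABLE)
    print("required maximums (port, per-vlan):", required_maximums(entries))
    # Only 'maximum 3 vlan 57' configured: port-wide limit stays at the default of 1.
    print("maximum 3 vlan 57 alone:", simulate_port_security(entries, 1, {57: 3}))
    # 'maximum 4' plus 'maximum 3 vlan 57': every pair fits.
    print("maximum 4 + maximum 3 vlan 57:", simulate_port_security(entries, 4, {57: 3}))
```

Under this model the first configuration from the post rejects 0000.0c07.ac02 on VLAN 57, the same address named in the PSECURE_VIOLATION message, because the port-wide limit of 1 is exhausted by the first learned address; raising the port-wide maximum to 4 admits all four pairs. The function also shows the edge the native VLAN introduces: with a port-wide maximum of 3 and 3 allowed on VLAN 57, the second appearance of 0030.80ad.d2c0 on VLAN 1 is the one that trips.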



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3