RE: Port Security

From: Chris Lewis (chrlewiscsco@yahoo.com)
Date: Wed Nov 30 2005 - 17:03:08 GMT-3


James, good point to bring up the need to setup logging, but I don't follow some of your guidance here.

Why is anything necessary for SNMP? The requirement is to send a log message, presumably by syslog, not an SNMP trap.

To my knowledge the mac notification feature generates an SNMP trap when a MAC address is added or deleted from the MAC table. Where would that help here?

To setup logging, I had thought just to configure logging A.B.C.D or logging buffered

Am I missing something?

Chris

James Matrisciano <jmatrisciano@kenttech.com> wrote:
  Add sticky, add in the max amount of MAC addresses you want to learn
then set up the log to shoot over SNMP to a logging server, use the
mac-notifications log

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chris Lewis
Sent: Wednesday, November 30, 2005 2:54 PM
To: Chad Hintz; El ayachi HADEK; ccie lab
Subject: RE: Port Security

To not lose the mac address could be accomplished with sticky on the
port security configuration. As long as the switch can drop packets from
the non specified source address, your original config looks good to me
if you added sticky.

Chris

Chad Hintz wrote:
Yes. If it detects another MAC address it will not shut down the port
but it will log a message. Is this possible? Also if it reboots it
should not lose the MAC address entered.

Chris Lewis wrote: I don't think there is an
option to log on MAC ACLs on a 3550.

The issue I have here is in the wording of your question. If by "and if
another is detected to continue to forward packets but log a message" you
mean it only has to forward packets from the one address you have
identified, I think your configuration is good. If it has to forward the
packets from the non-specified address and log a message, that is a
different situation and I don't know how to do that.

Chris

Chad Hintz wrote:
I do not see a log option with mac acls on the doc cd. Am I missing
something? Brians? Scott? all the other experts???

Chris Lewis wrote: Can you share an example of using the log option with
MAC ACLs?

El ayachi HADEK wrote: violation traffic will be dropped, there is no
other choice.
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swtrafc.htm#wp1038501
you can use mac acl with the log option! try it and let me know!

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Chad Hintz
Sent: Wednesday, November 30, 2005 4:57 PM
To: ccie lab
Subject: Port Security

Hi All,

I have been trying to get through a port security question for a
customer and wanted to verify my configuration.

If I wanted to setup the switch to only allow the directly connected
router's mac address to be allowed on the port and if another is detected
to continue to forward packets but log a message. Would this be correct?

Router's MAC: 000b.be90.2d72

interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 000b.be90.2d72

Thanks,

Chad




This archive was generated by hypermail 2.1.4 : Thu Dec 01 2005 - 09:12:08 GMT-3
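Added example (editor's code, not from the thread or from Cisco): a Python script that audits IOS running-config stanzas against the requirement the thread is circling (one allowed MAC, frames from any other source dropped and logged, secure MAC kept across a reload) and parses the syslog line that restrict and shutdown modes emit. The sample running-config and the sample syslog line are constructed here; the syslog text follows the IOS %PORT_SECURITY-2-PSECURE_VIOLATION message format. The interface names, the Gi0/2 and Gi0/3 stanzas, and the offending MAC 0011.2233.4455 are assumptions made for the example.

```python
"""Audit Cisco IOS port-security stanzas and parse the violation syslog line.

Constructed example; not code from the thread or from Cisco.
"""
import re
from dataclasses import dataclass, field

# Constructed sample running-config. Gi0/1 is the original poster's stanza with
# each command on its own line; Gi0/2 uses 'protect', which drops offending
# frames without any syslog message or trap; Gi0/3 only learns secure MACs
# dynamically, so they are lost on reload; Gi0/4 has no port-security at all.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 000b.be90.2d72
!
interface GigabitEthernet0/2
 switchport mode access
 switchport port-security
 switchport port-security violation protect
 switchport port-security mac-address sticky
!
interface GigabitEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 2
!
interface GigabitEthernet0/4
 switchport mode access
!
"""

# Constructed syslog line in the format IOS uses for a port-security violation
# in restrict or shutdown mode (protect mode produces no such line).
SAMPLE_SYSLOG = (
    "Nov 30 17:03:08.123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation "
    "occurred, caused by MAC address 0011.2233.4455 on port GigabitEthernet0/1."
)

MAC_RE = r"[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}"
VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, "
    r"caused by MAC address (?P<mac>" + MAC_RE + r") on port (?P<port>[A-Za-z]+[\d/]+)"
)


@dataclass
class PortSecurity:
    enabled: bool = False
    violation: str = "shutdown"   # IOS default when no 'violation' line is present
    maximum: int = 1              # IOS default
    sticky: bool = False
    configured_macs: list = field(default_factory=list)   # static or explicit sticky


def parse_config(config):
    """Return {interface name: PortSecurity}; stanzas start at 'interface', end at '!'."""
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ports[current] = PortSecurity()
        elif line == "!":
            current = None
        elif current is not None and line.startswith("switchport port-security"):
            ps = ports[current]
            args = line[len("switchport port-security"):].split()
            if not args:
                ps.enabled = True
            elif args[0] == "violation":
                ps.violation = args[1]
            elif args[0] == "maximum":
                ps.maximum = int(args[1])
            elif args[0] == "mac-address":
                if args[1] == "sticky":
                    ps.sticky = True
                if re.fullmatch(MAC_RE, args[-1]):   # static, or 'sticky <mac>'
                    ps.configured_macs.append(args[-1].lower())
    return ports


def audit(ps):
    """Findings against: one allowed MAC, offending frames dropped AND logged,
    secure MAC kept across a reload. An empty list means the port complies."""
    if not ps.enabled:
        return ["port-security not enabled"]
    findings = []
    if ps.violation == "protect":
        findings.append("violation mode 'protect' drops offending frames silently: "
                        "no syslog message and no SNMP trap")
    if not ps.configured_macs and not ps.sticky:
        findings.append("secure MACs are only learned dynamically and are lost on reload")
    if ps.maximum > max(1, len(ps.configured_macs)):
        findings.append(f"maximum {ps.maximum} lets unlisted MACs be learned as secure")
    return findings


def audit_config(config):
    return {name: audit(ps) for name, ps in parse_config(config).items()}


def parse_violation(line):
    """(mac, port) from a PSECURE_VIOLATION syslog line, or None for any other line."""
    m = VIOLATION_RE.search(line)
    return (m.group("mac").lower(), m.group("port")) if m else None


if __name__ == "__main__":
    for name, findings in audit_config(SAMPLE_CONFIG).items():
        print(name, "OK" if not findings else "; ".join(findings))
    print(parse_violation(SAMPLE_SYSLOG))
```

The audit encodes the three points argued in the thread: restrict (like shutdown) both drops the offending frames and generates the syslog message and SNMP trap, so a plain logging host is all that is needed to receive it, whereas protect drops silently; a static mac-address line or a sticky entry is what survives a reload, and a sticky-learned address only survives if the running-config is saved after it is learned; and with no explicit maximum the default of 1 already limits the port to the single configured address.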