From: Leigh Harrison (ccileigh@gmail.com)
Date: Thu Dec 01 2005 - 07:30:23 GMT-3
Hey there Kids,
Port security:-
Violation  Traffic is  Sends SNMP  Sends syslog  Displays error  Violation counter  Shuts down
Mode       forwarded   trap        message       message         increments         port
protect    No          No          No            No              No                 No
restrict   No          Yes         Yes           No              Yes                No
shutdown   No          Yes         Yes           No              Yes                Yes
A la Cisco:
http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swtrafc.htm#wp1092001
To ensure that the config survives a reboot, then you need to put the
mac address into the config. If you leave it with "sticky" it will
learn and keep the first mac address that it sees - this could be the
new box that I put in when I rebooted your switch ;)
For it to send a message to the syslog, it would really help if you had
it configured!! It will still generate the message, but if you've not
told it to do anything with it - then it won't !!
LH
#15331
Mitchell, TJ wrote:
>All --
>According to the Doc CD:
>http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swacl.htm#wp1177176
>
>there isn't a log option or extended MAC ACL's.
>
>I think that the port-security command is the only way you are going to
>get a log trapped using the restrict option with it.
>
>Thanks
>
>T.J. Mitchell
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Chad Hintz
>Sent: Wednesday, November 30, 2005 2:34 PM
>To: Chris Lewis; El ayachi HADEK; ccie lab
>Subject: RE: Port Security
>
>Yes If it detects another mac-address it will not shutdown the port but
>it will log a message. Is this possible? Also if it reboots it should
>not lose the mac address entered.
>
>Chris Lewis <chrlewiscsco@yahoo.com> wrote: I don't think there is an
>option to log on MAC ACLs on a 3550.
>
>The issue I have here is in the wording of your question. If by "and if
>another is detect to continue to forward packets but log a message" you
>mean it only has to forward packets from the one address you have
>identified, I think your configuration is good. If it has to forward the
>packets from the non-specified address and log a message, that is a
>different situation and I don't know how to do that.
>
>Chris
>
>Chad Hintz wrote:
>I do not see a log option with mac acls on the doc cd. Am I missing
>something? Brians? Scott? all the other experts???
>
>Chris Lewis wrote: Can you share an example of using the log option with
>MAC ACLs?
>
>El ayachi HADEK wrote: violation traffic will be dropped, there is no
>other choice.
>http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225sec/3550scg/swtrafc.htm#wp1038501
>you can use mac acl with the log option! try it and let me know!
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
>Chad Hintz
>Sent: Wednesday, November 30, 2005 4:57 PM
>To: ccie lab
>Subject: Port Security
>
>
>Hi All,
>
>I have been trying to get through a port security question for a customer
>and wanted to verify my configuration.
>
>If I wanted to setup the switch to only allow the directly connected
>router's mac address to be allowed on the port and if another is detect to
>continue to forward packets but log a message. Would this be correct?
>
>
>Routers' mac:000b.be90.2d72
>
>interface GigabitEthernet0/1
>switchport mode access
>switchport port-security
>switchport port-security violation restrict
>switchport port-security mac-address 000b.be90.2d72
>
>
>Thanks,
>
>Chad
>
>
>_______________________________________________________________________
>Subscription information may be found at:
>http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Mon Jan 09 2006 - 07:07:50 GMT-3
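
The checks raised in the thread (violation mode versus logging behaviour, static versus learned secure MAC, and whether violation messages have anywhere to go) can be run against a saved switch config. The script below is an added example, not part of the original thread; the function name `audit_port_security` is hypothetical, and it assumes a syslog server is configured with a `logging <ip>` or `logging host <ip>` line.

```python
import re

STATIC_MAC = re.compile(r"switchport port-security mac-address [0-9a-f]{4}(\.[0-9a-f]{4}){2}\b", re.I)
SYSLOG_HOST = re.compile(r"^\s*logging (host )?\d{1,3}(\.\d{1,3}){3}", re.M)
VIOLATION = re.compile(r"switchport port-security violation (\w+)")

# Interface stanza quoted in the thread (the router's MAC is from the page).
THREAD_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security violation restrict
 switchport port-security mac-address 000b.be90.2d72
!
"""

def audit_port_security(config):
    """Return {interface: [findings]} for ports with port security enabled."""
    has_syslog = bool(SYSLOG_HOST.search(config))
    ports, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
        elif line == "!":
            current = None
        elif current and line.startswith("switchport port-security"):
            ports.setdefault(current, []).append(line)
    report = {}
    for name, lines in ports.items():
        if "switchport port-security" not in lines:
            continue  # sub-commands do nothing until the feature is enabled
        mode = "shutdown"  # IOS default when no violation mode is set
        for line in lines:
            m = VIOLATION.match(line)
            if m:
                mode = m.group(1)
        issues = []
        if mode == "protect":
            issues.append("protect mode: no syslog message or SNMP trap on violation")
        elif not has_syslog:
            issues.append("no syslog server configured to receive violation messages")
        if not any(STATIC_MAC.match(l) for l in lines):
            issues.append("no static secure MAC: address is learned from the wire")
        report[name] = issues
    return report

if __name__ == "__main__":
    for port, issues in audit_port_security(THREAD_CONFIG).items():
        print(port, issues or "ok")
```

Run against the stanza from the thread alone, it reports only the missing syslog server; the static MAC and restrict mode pass.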