Buddy, I think you are getting the concept of port security wrong.
Why would you configure port security for trunk ports? Your configuration,
with the exception of "...switchport trunk", is meant to be for access ports.
C.
On Fri, Apr 9, 2010 at 11:51 AM, Jorge Cortes
<jorge.cortes.cano_at_gmail.com> wrote:
> Hi Gs,
>
> I have configured port-security in trunk ports and I have come across
> the following issue. When the port has the following configuration
> applied:
>
> interface FastEthernet0/6
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 67,146
> switchport mode trunk
> switchport port-security maximum 2
> switchport port-security maximum 1 vlan 67,146
> switchport port-security
> switchport port-security aging time 10
> switchport port-security violation protect
> switchport port-security aging type inactivity
>
> The port is only learning one mac-address, either for VLAN 67 or VLAN
> 146. I thought that the command "switchport port-security maximum 2"
> defined the maximum number of mac-addresses that could be learned on
> the port, and the command "switchport port-security maximum 1 vlan
> 67,146" defined the maximum number of mac-address per-VLAN. However
> somehow it looks like the latter command also defines the maximum
> number of mac-address for the port. These are the outputs of the show
> commands:
>
>
>
> Rack1SW2#sh port-security interface fa0/6
> Port Security : Enabled
> Port Status : Secure-up
> Violation Mode : Protect
> Aging Time : 10 mins
> Aging Type : Inactivity
> SecureStatic Address Aging : Disabled
> Maximum MAC Addresses : 2
> Total MAC Addresses : 1
> Configured MAC Addresses : 0
> Sticky MAC Addresses : 0
> Last Source Address:Vlan : 001d.4687.fb90:146
> Security Violation Count : 0
>
> Rack1SW2#sh port-security interface fa0/6 vlan 67
> Default maximum: not set, using 6144
> VLAN Maximum Current
> 67 1 0
> Rack1SW2#sh port-security interface fa0/6 vlan 146
> Default maximum: not set, using 6144
> VLAN Maximum Current
> 146 1 1
>
> Although the output of these commands indicates that, in fact, up to two
> mac-addresses can be learned on the port, and one address can be
> learned for each VLAN on the port, this doesn't seem to be working:
>
> Rack1SW2#sh mac add int fa0/6
> Mac Address Table
> -------------------------------------------
>
> Vlan Mac Address Type Ports
> ---- ----------- -------- -----
> 146 001d.4687.fb90 STATIC Fa0/6
> Total Mac Addresses for this criterion: 1
>
>
> Now, if I change "switchport port-security maximum 1 vlan 67,146" for
> "switchport port-security maximum 2 vlan 67,146", the issue is gone
> and the port now learns mac-addresses for both VLANs.
>
> interface FastEthernet0/6
> switchport trunk encapsulation dot1q
> switchport trunk allowed vlan 67,146
> switchport mode trunk
> switchport port-security maximum 2
> switchport port-security maximum 2 vlan 67,146
> switchport port-security
> switchport port-security aging time 10
> switchport port-security violation protect
> switchport port-security aging type inactivity
>
>
> Rack1SW2#sh port-security interface fa0/6
> Port Security : Enabled
> Port Status : Secure-up
> Violation Mode : Protect
> Aging Time : 10 mins
> Aging Type : Inactivity
> SecureStatic Address Aging : Disabled
> Maximum MAC Addresses : 2
> Total MAC Addresses : 2
> Configured MAC Addresses : 0
> Sticky MAC Addresses : 0
> Last Source Address:Vlan : 001d.4687.fb90:67
> Security Violation Count : 0
>
> Rack1SW2#sh port-security interface fa0/6 vlan 67
> Default maximum: not set, using 6144
> VLAN Maximum Current
> 67 2 1
> Rack1SW2#sh port-security interface fa0/6 vlan 146
> Default maximum: not set, using 6144
> VLAN Maximum Current
> 146 2 1
>
>
>
> Rack1SW2#sh mac add int fa0/6
> Mac Address Table
> -------------------------------------------
>
> Vlan Mac Address Type Ports
> ---- ----------- -------- -----
> 67 001d.4687.fb90 STATIC Fa0/6
> 146 001d.4687.fb90 STATIC Fa0/6
> Total Mac Addresses for this criterion: 2
>
>
> I am running image "flash:c3560-advipservicesk9-mz.122-44.SE2.bin"
>
> Am I misunderstanding something here?
>
> Thanks,
> Jorge
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
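The thread turns on how the port-wide `maximum` and the per-VLAN `maximum ... vlan` limits interact on a trunk, and on the fact that the same station MAC tagged in two VLANs shows up as two secure entries (the second `show mac address-table` output lists 001d.4687.fb90 once for VLAN 67 and once for VLAN 146, "Total Mac Addresses ... 2"). The following is an added example, not code from the thread or from Cisco: a small Python model of that counting, keyed on (vlan, mac), that applies both limits and the three violation modes to a constructed sequence of frames. It assumes the per-VLAN fallback of 6144 shown in the quoted `Default maximum: not set, using 6144` line and models the behaviour Jorge expected (one MAC per VLAN, two total); the thread itself does not explain why the switch learned only one, so the model does not claim to reproduce that.

```python
"""Model of port-security counting on a trunk (added example, not from the thread).

Secure entries are keyed (vlan, mac), so one station seen in two VLANs
consumes two entries. Learning is gated by the port-wide maximum and by
the per-VLAN maximum (falling back to 6144 when no per-VLAN value is set,
as the quoted show output reports). Violation modes: 'protect' drops the
frame silently, 'restrict' drops and counts it, 'shutdown' err-disables.
"""
from dataclasses import dataclass, field

DEFAULT_VLAN_MAX = 6144  # from "Default maximum: not set, using 6144" on the page


@dataclass
class PortSecurity:
    port_max: int                      # switchport port-security maximum N
    vlan_max: dict                     # switchport port-security maximum N vlan ...
    violation: str = "protect"         # protect | restrict | shutdown
    secure: set = field(default_factory=set)     # {(vlan, mac)}
    violations: int = 0
    err_disabled: bool = False
    dropped: list = field(default_factory=list)

    def vlan_count(self, vlan):
        return sum(1 for v, _ in self.secure if v == vlan)

    def learn(self, vlan, mac):
        """Return True if the frame is forwarded (known entry or newly learned)."""
        if self.err_disabled:
            return False
        key = (vlan, mac.lower())
        if key in self.secure:
            return True
        vmax = self.vlan_max.get(vlan, DEFAULT_VLAN_MAX)
        if len(self.secure) < self.port_max and self.vlan_count(vlan) < vmax:
            self.secure.add(key)
            return True
        # A limit is reached: apply the configured violation mode.
        self.dropped.append(key)
        if self.violation == "restrict":
            self.violations += 1
        elif self.violation == "shutdown":
            self.violations += 1
            self.err_disabled = True
        return False


def run(frames, port_max, vlan_max, violation="protect"):
    """Feed (vlan, mac) frames through a fresh port; return (state, forwarded flags)."""
    ps = PortSecurity(port_max, vlan_max, violation)
    return ps, [ps.learn(v, m) for v, m in frames]


# Constructed frames: one station tagged in both trunk VLANs, then a second
# station in VLAN 67 and VLAN 146 (MACs are made up for the example).
FRAMES = [
    (146, "0000.0000.aaaa"),
    (67, "0000.0000.aaaa"),
    (67, "0000.0000.bbbb"),
    (146, "0000.0000.bbbb"),
]

if __name__ == "__main__":
    for label, vmax in (("maximum 1 vlan 67,146", {67: 1, 146: 1}),
                        ("maximum 2 vlan 67,146", {67: 2, 146: 2})):
        ps, fwd = run(FRAMES, port_max=2, vlan_max=vmax)
        print(label, "forwarded:", fwd, "secure:", sorted(ps.secure))
```

With `maximum 2` on the port and `maximum 1` per VLAN, the model learns the station once in each VLAN and then drops any further MAC in either VLAN because the per-VLAN limit is hit; with `maximum 2` per VLAN the same two entries are learned and the port-wide limit is what blocks the second station. In `protect` mode the dropped frames leave `Security Violation Count` at 0, which is why the quoted show output gives no hint that anything was refused; `restrict` would at least increment the counter.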
Received on Fri Apr 09 2010 - 13:13:47 ART
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART