Re: Understanding Port-Security in Trunks

From: Jorge Cortes <jorge.cortes.cano_at_gmail.com>
Date: Fri, 9 Apr 2010 16:45:23 -0500

Thanks for your comments.

So the behavior is expected; is there a way to limit the number of
MAC addresses permitted for each VLAN in the trunk?

Charlies - I understand this is not commonly used in actual
designs; I just came across this activity and wanted to understand
exactly how it worked, since you can expect anything in the lab.

Regards,
Jorge

On Fri, Apr 9, 2010 at 2:56 PM, Cristian Matei
<cristian.matei_at_datanets.ro> wrote:
> Hi,
>
> While not usually seen, it can be configured on trunk ports as well.
>
> Regards,
> Cristian.
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> spycharlies
> Sent: Friday, April 09, 2010 10:14 PM
> To: Jorge Cortes
> Cc: Cisco certification
> Subject: Re: Understanding Port-Security in Trunks
>
> Buddy, I think you are getting the concept of port security wrong.
>
> Why would you configure port security for trunk ports? Your configuration,
> with the exception of "...switchport trunk", is meant for access ports.
>
> C.
>
>
>
> On Fri, Apr 9, 2010 at 11:51 AM, Jorge Cortes
> <jorge.cortes.cano_at_gmail.com> wrote:
>
>> Hi Gs,
>>
>> I have configured port-security in trunk ports and I have come across
>> the following issue. When the port has the following configuration
>> applied:
>>
>> interface FastEthernet0/6
>> switchport trunk encapsulation dot1q
>> switchport trunk allowed vlan 67,146
>> switchport mode trunk
>> switchport port-security maximum 2
>> switchport port-security maximum 1 vlan 67,146
>> switchport port-security
>> switchport port-security aging time 10
>> switchport port-security violation protect
>> switchport port-security aging type inactivity
>>
>> The port is only learning one mac-address, either for VLAN 67 or VLAN
>> 146. I thought that the command "switchport port-security maximum 2"
>> defined the maximum number of mac-addresses that could be learned on
>> the port, and the command "switchport port-security maximum 1 vlan
>> 67,146" defined the maximum number of mac-addresses per VLAN. However,
>> somehow it looks like the latter command also defines the maximum
>> number of mac-addresses for the port. These are the outputs of the show
>> commands:
>>
>>
>>
>> Rack1SW2#sh port-security interface fa0/6
>> Port Security : Enabled
>> Port Status : Secure-up
>> Violation Mode : Protect
>> Aging Time : 10 mins
>> Aging Type : Inactivity
>> SecureStatic Address Aging : Disabled
>> Maximum MAC Addresses : 2
>> Total MAC Addresses : 1
>> Configured MAC Addresses : 0
>> Sticky MAC Addresses : 0
>> Last Source Address:Vlan : 001d.4687.fb90:146
>> Security Violation Count : 0
>>
>> Rack1SW2#sh port-security interface fa0/6 vlan 67
>> Default maximum: not set, using 6144
>> VLAN Maximum Current
>> 67 1 0
>> Rack1SW2#sh port-security interface fa0/6 vlan 146
>> Default maximum: not set, using 6144
>> VLAN Maximum Current
>> 146 1 1
>>
>> Although the output of these commands indicates that, in fact, up to two
>> mac-addresses can be learned on the port, and one address can be
>> learned for each VLAN on the port, this doesn't seem to be working:
>>
>> Rack1SW2#sh mac add int fa0/6
>> Mac Address Table
>> -------------------------------------------
>>
>> Vlan Mac Address Type Ports
>> ---- ----------- -------- -----
>> 146 001d.4687.fb90 STATIC Fa0/6
>> Total Mac Addresses for this criterion: 1
>>
>>
>> Now, if I change "switchport port-security maximum 1 vlan 67,146" to
>> "switchport port-security maximum 2 vlan 67,146", the issue is gone
>> and the port now learns mac-addresses for both VLANs.
>>
>> interface FastEthernet0/6
>> switchport trunk encapsulation dot1q
>> switchport trunk allowed vlan 67,146
>> switchport mode trunk
>> switchport port-security maximum 2
>> switchport port-security maximum 2 vlan 67,146
>> switchport port-security
>> switchport port-security aging time 10
>> switchport port-security violation protect
>> switchport port-security aging type inactivity
>>
>>
>> Rack1SW2#sh port-security interface fa0/6
>> Port Security : Enabled
>> Port Status : Secure-up
>> Violation Mode : Protect
>> Aging Time : 10 mins
>> Aging Type : Inactivity
>> SecureStatic Address Aging : Disabled
>> Maximum MAC Addresses : 2
>> Total MAC Addresses : 2
>> Configured MAC Addresses : 0
>> Sticky MAC Addresses : 0
>> Last Source Address:Vlan : 001d.4687.fb90:67
>> Security Violation Count : 0
>>
>> Rack1SW2#sh port-security interface fa0/6 vlan 67
>> Default maximum: not set, using 6144
>> VLAN Maximum Current
>> 67 2 1
>> Rack1SW2#sh port-security interface fa0/6 vlan 146
>> Default maximum: not set, using 6144
>> VLAN Maximum Current
>> 146 2 1
>>
>>
>>
>> Rack1SW2#sh mac add int fa0/6
>> Mac Address Table
>> -------------------------------------------
>>
>> Vlan Mac Address Type Ports
>> ---- ----------- -------- -----
>> 67 001d.4687.fb90 STATIC Fa0/6
>> 146 001d.4687.fb90 STATIC Fa0/6
>> Total Mac Addresses for this criterion: 2
>>
>>
>> I am running image "flash:c3560-advipservicesk9-mz.122-44.SE2.bin"
>>
>> Am I misunderstanding something here?
>>
>> Thanks,
>> Jorge
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
>

Received on Fri Apr 09 2010 - 16:45:23 ART

This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART