Jorge, I think you can enter:
switchport port-security maximum 1 vlan [without VLAN range]
it sets a per-VLAN maximum value... just a guess, no time to test it.
--
Sincerely,
Shawn Zandi
Network Architect and Consultant
Cisco Certified CCIE x2 (R&S + Security)
Juniper JNCIS x2 (ER & SEC) - Foundry/Brocade BCNE - Procurve Master ASE (MASE)
Dubai Internet City
web: http://www.shafagh.com
blog: http://blog.shafagh.com
email: shafagh_at_shafagh.com

On Sat, Apr 10, 2010 at 1:45 AM, Jorge Cortes <jorge.cortes.cano_at_gmail.com> wrote:
> Thanks for your comments.
>
> So the behavior is expected; is there a way to limit the amount of
> mac-addresses permitted for each vlan in the trunk?
>
> Charlies - I understand this is not common to be used in actual
> designs. I just came across this activity and wanted to understand
> exactly how it worked, since you can expect anything in the lab.
>
> Regards,
> Jorge
>
> On Fri, Apr 9, 2010 at 2:56 PM, Cristian Matei
> <cristian.matei_at_datanets.ro> wrote:
> > Hi,
> >
> > While not usually seen, it can be configured on trunk ports as well.
> >
> > Regards,
> > Cristian.
> >
> > -----Original Message-----
> > From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> > spycharlies
> > Sent: Friday, April 09, 2010 10:14 PM
> > To: Jorge Cortes
> > Cc: Cisco certification
> > Subject: Re: Understanding Port-Security in Trunks
> >
> > Buddy, I think you are getting the concept of port security wrong.
> >
> > Why would you configure port security for trunk ports? Your
> > configurations, with the exception of "...switchport trunk", are meant
> > to be for access ports.
> >
> > C.
> >
> > On Fri, Apr 9, 2010 at 11:51 AM, Jorge Cortes
> > <jorge.cortes.cano_at_gmail.com> wrote:
> >
> >> Hi Gs,
> >>
> >> I have configured port-security in trunk ports and I have come across
> >> the following issue. When the port has the following configuration
> >> applied:
> >>
> >> interface FastEthernet0/6
> >>  switchport trunk encapsulation dot1q
> >>  switchport trunk allowed vlan 67,146
> >>  switchport mode trunk
> >>  switchport port-security maximum 2
> >>  switchport port-security maximum 1 vlan 67,146
> >>  switchport port-security
> >>  switchport port-security aging time 10
> >>  switchport port-security violation protect
> >>  switchport port-security aging type inactivity
> >>
> >> The port is only learning one mac-address, either for VLAN 67 or VLAN
> >> 146. I thought that the command "switchport port-security maximum 2"
> >> defined the maximum number of mac-addresses that could be learned on
> >> the port, and the command "switchport port-security maximum 1 vlan
> >> 67,146" defined the maximum number of mac-addresses per-VLAN. However,
> >> somehow it looks like the latter command also defines the maximum
> >> number of mac-addresses for the port. These are the outputs of the show
> >> commands:
> >>
> >> Rack1SW2#sh port-security interface fa0/6
> >> Port Security              : Enabled
> >> Port Status                : Secure-up
> >> Violation Mode             : Protect
> >> Aging Time                 : 10 mins
> >> Aging Type                 : Inactivity
> >> SecureStatic Address Aging : Disabled
> >> Maximum MAC Addresses      : 2
> >> Total MAC Addresses        : 1
> >> Configured MAC Addresses   : 0
> >> Sticky MAC Addresses       : 0
> >> Last Source Address:Vlan   : 001d.4687.fb90:146
> >> Security Violation Count   : 0
> >>
> >> Rack1SW2#sh port-security interface fa0/6 vlan 67
> >> Default maximum: not set, using 6144
> >> VLAN   Maximum   Current
> >>   67         1         0
> >> Rack1SW2#sh port-security interface fa0/6 vlan 146
> >> Default maximum: not set, using 6144
> >> VLAN   Maximum   Current
> >>  146         1         1
> >>
> >> Although the output of these commands indicates that, in fact, up to two
> >> mac-addresses can be learned on the port, and one address can be
> >> learned for each VLAN on the port, this doesn't seem to be working:
> >>
> >> Rack1SW2#sh mac add int fa0/6
> >>           Mac Address Table
> >> -------------------------------------------
> >>
> >> Vlan    Mac Address       Type        Ports
> >> ----    -----------       --------    -----
> >>  146    001d.4687.fb90    STATIC      Fa0/6
> >> Total Mac Addresses for this criterion: 1
> >>
> >> Now, if I change "switchport port-security maximum 1 vlan 67,146" for
> >> "switchport port-security maximum 2 vlan 67,146", the issue is gone
> >> and the port now learns mac-addresses for both VLANs.
> >>
> >> interface FastEthernet0/6
> >>  switchport trunk encapsulation dot1q
> >>  switchport trunk allowed vlan 67,146
> >>  switchport mode trunk
> >>  switchport port-security maximum 2
> >>  switchport port-security maximum 2 vlan 67,146
> >>  switchport port-security
> >>  switchport port-security aging time 10
> >>  switchport port-security violation protect
> >>  switchport port-security aging type inactivity
> >>
> >> Rack1SW2#sh port-security interface fa0/6
> >> Port Security              : Enabled
> >> Port Status                : Secure-up
> >> Violation Mode             : Protect
> >> Aging Time                 : 10 mins
> >> Aging Type                 : Inactivity
> >> SecureStatic Address Aging : Disabled
> >> Maximum MAC Addresses      : 2
> >> Total MAC Addresses        : 2
> >> Configured MAC Addresses   : 0
> >> Sticky MAC Addresses       : 0
> >> Last Source Address:Vlan   : 001d.4687.fb90:67
> >> Security Violation Count   : 0
> >>
> >> Rack1SW2#sh port-security interface fa0/6 vlan 67
> >> Default maximum: not set, using 6144
> >> VLAN   Maximum   Current
> >>   67         2         1
> >> Rack1SW2#sh port-security interface fa0/6 vlan 146
> >> Default maximum: not set, using 6144
> >> VLAN   Maximum   Current
> >>  146         2         1
> >>
> >> Rack1SW2#sh mac add int fa0/6
> >>           Mac Address Table
> >> -------------------------------------------
> >>
> >> Vlan    Mac Address       Type        Ports
> >> ----    -----------       --------    -----
> >>   67    001d.4687.fb90    STATIC      Fa0/6
> >>  146    001d.4687.fb90    STATIC      Fa0/6
> >> Total Mac Addresses for this criterion: 2
> >>
> >> I am running image "flash:c3560-advipservicesk9-mz.122-44.SE2.bin"
> >>
> >> Am I misunderstanding something here?
> >>
> >> Thanks,
> >> Jorge
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Apr 10 2010 - 03:16:55 ART
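As an added example (not code from any poster in this thread), a small Python parser for the two show outputs quoted above. It uses the counters from Jorge's first configuration as a constructed sample and reports, per VLAN, how much room the port-level and per-VLAN limits leave, so the mismatch he saw (both counters leave room on VLAN 67, yet nothing is learned there) shows up in an audit instead of by reading the outputs by hand.

```python
import re

# Constructed sample: the counters Jorge quoted for the first configuration
# (port maximum 2, per-VLAN maximum 1 on VLANs 67 and 146).
PORT_TEXT = """\
Port Security              : Enabled
Maximum MAC Addresses      : 2
Total MAC Addresses        : 1
Last Source Address:Vlan   : 001d.4687.fb90:146
Security Violation Count   : 0
"""
VLAN_TEXTS = [
    "Default maximum: not set, using 6144\nVLAN  Maximum  Current\n 67        1        0\n",
    "Default maximum: not set, using 6144\nVLAN  Maximum  Current\n146        1        1\n",
]
VLAN_ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s*$")

def parse_port(text):
    """Integer counters from 'show port-security interface <if>'."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")   # split on the first colon only
        if sep:
            fields[key.strip()] = value.strip()
    return {"maximum": int(fields["Maximum MAC Addresses"]),
            "total": int(fields["Total MAC Addresses"]),
            "violations": int(fields["Security Violation Count"])}

def parse_vlan_rows(texts):
    """{vlan: (maximum, current)} from the '... interface <if> vlan <n>' outputs."""
    rows = {}
    for text in texts:
        for line in text.splitlines():
            m = VLAN_ROW.match(line)
            if m:
                vlan, maximum, current = map(int, m.groups())
                rows[vlan] = (maximum, current)
    return rows

def headroom(port_text, vlan_texts):
    """Per VLAN, how many more MACs the counters say could still be learned:
    both the port-level limit and the per-VLAN limit must leave room."""
    port = parse_port(port_text)
    port_room = port["maximum"] - port["total"]
    return {vlan: min(port_room, maximum - current)
            for vlan, (maximum, current) in parse_vlan_rows(vlan_texts).items()}

if __name__ == "__main__":
    for vlan, room in sorted(headroom(PORT_TEXT, VLAN_TEXTS).items()):
        print(f"VLAN {vlan}: counters leave room for {room} more secure MAC(s)")
```

Run against the second configuration's counters (port total 2 of 2, per-VLAN 1 of 2) the same function reports room 0 for both VLANs, because the port-level limit is exhausted first.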
This archive was generated by hypermail 2.2.0 : Sat May 01 2010 - 09:49:57 ART