After reading about MAC security, it looks like I cannot accomplish what I want due to the desired ports being trunks. Anyone had this issue before, and what was the workaround? Thanks.
I want to control what traffic is on a couple of switch ports. Yet Cisco says I cannot use MAC security on ports that are trunked. The ports I want to control are in fact trunked due to our IP phone system.
I'm then wondering what the alternative is, if any, so that I can still control what is going on. These are ports in a public room, so we'd much prefer the security to be less than wide open for everyone to grab a DHCP address.
What if the traffic isn't leaving the local subnet? How would an ACL on a router help that? I want to prevent people from getting a DHCP lease. Anyone with more depth on this subject care to chime in?
Dare I chime in again (heaven forbid I try to help you with your workaround): why not add them to a new, unused VLAN with nothing else on it? No DHCP, no nothing. Then you could prune it from the allowed VLAN list on the desired trunk. I'm only trying to help you.
This thing runs CatOS so it took me a while to figure something out:
4506-Upstairs (enable) show port 2/1
* = Configured MAC Address
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/1 notconnect 1 normal auto auto 10/100/1000
Port AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
2/1 100 inactive
Port Flooding on Address Limit
----- -------------------------
2/1 Enabled
Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported
admin oper admin oper opcodes
----- -------- -------- --------- --------- ---------- ---------- -----------
2/1 on off desired off 0 0 0
Port Status Channel Admin Ch
Mode Group Id
----- ---------- -------------------- ----- -----
2/1 notconnect auto silent 2 0
Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout
---- ---------- ------------------- ---------------------- -----------------
2/1 notconnect - Enable No Change
You could exclude the range and use reservations. That would prevent DHCP from being handed out, but a person could still access the network from that port if they knew the IP range and subnet.
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Mon Oct 27 2008, 09:05:24
!
#version 8.4(11)GLX
!
!
#system web interface version(s)
set password
set enablepass
set prompt 4506-Upstairs
set config mode text nvram
set banner motd ^C Welcome to the Catalyst 4506, DON'T SCREW ANYTHING UP!!!
Your's truly, Big-Brother. > ^C
!
#dot1x
set feature dot1x-radius-keepalive disable
!
#system
set system name 4506-Upstairs
set system location Upstairs Data Room
set system contact
!
#frame distribution method
set port channel all distribution mac both
!
#snmp
set snmp rmon enable
set snmp chassis-alias Catalyst4506
!
#Local User
set localuser user
privilege 15
!
#vtp
set vtp domain
set vtp mode transparent vlan
set vlan 5 rspan name VLAN0005 state active
set vlan 10 name VoIP type ethernet mtu 1500 said 100010 state active
set vlan 100 name Voice-VLAN type ethernet mtu 1500 said 100100 state active
set vlan 172 name DHCP-VLAN type ethernet mtu 1500 said 100172 state active
set vlan 500 rspan name VLAN0500 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state active stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active stp ibm
set vlan 1
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state active mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 1
set interface sl0 down
255.255.255.0 0.0.0.255
set interface me1 down
set ip route 0.0.0.0/0.0.0.0
set ip route 10.2.0.0/255.255.255.0
set ip alias default 0.0.0.0
!
#syslog
set logging console disable
!
#http configuration
set ip http server enable
!
#multicast filter
set igmp filter disable
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1 Catalyst4506
!
#module 2 : 48-port 10/100/1000 Ethernet
set module name 2 48-port Gig
set vlan 100 2/9,2/35
set port auxiliaryvlan 2/1 100
set port auxiliaryvlan 2/2 100
set port auxiliaryvlan 2/4 100
set port auxiliaryvlan 2/6 100
set port auxiliaryvlan 2/7 100
set port auxiliaryvlan 2/8 100
set port auxiliaryvlan 2/9 100
set port auxiliaryvlan 2/10 100
set port auxiliaryvlan 2/12 100
set port auxiliaryvlan 2/16 100
set port auxiliaryvlan 2/17 100
set port auxiliaryvlan 2/18 100
set port auxiliaryvlan 2/19 100
set port auxiliaryvlan 2/20 100
set port auxiliaryvlan 2/21 100
set port auxiliaryvlan 2/22 100
set port auxiliaryvlan 2/23 100
set port auxiliaryvlan 2/25 100
set port auxiliaryvlan 2/27 100
set port auxiliaryvlan 2/31 100
set port auxiliaryvlan 2/35 100
set port auxiliaryvlan 2/36 100
set port auxiliaryvlan 2/37 100
set port auxiliaryvlan 2/46 100
set trunk 2/2 auto dot1q 1-1005,1025-4094
set trunk 2/3 on dot1q 1-1005,1025-4094
set trunk 2/4 auto dot1q 1-1005,1025-4094
set trunk 2/6 auto dot1q 1-1005,1025-4094
set trunk 2/7 auto dot1q 1-1005,1025-4094
set trunk 2/8 auto dot1q 1-1005,1025-4094
set trunk 2/9 auto dot1q 1-1005,1025-4094
set trunk 2/10 auto dot1q 1-1005,1025-4094
set trunk 2/12 auto dot1q 1-1005,1025-4094
set trunk 2/16 auto dot1q 1-1005,1025-4094
set trunk 2/17 auto dot1q 1-1005,1025-4094
set trunk 2/18 auto dot1q 1-1005,1025-4094
set trunk 2/19 auto dot1q 1-1005,1025-4094
set trunk 2/20 auto dot1q 1-1005,1025-4094
set trunk 2/21 auto dot1q 1-1005,1025-4094
set trunk 2/22 auto dot1q 1-1005,1025-4094
set trunk 2/23 auto dot1q 1-1005,1025-4094
set trunk 2/25 auto dot1q 1-1005,1025-4094
set trunk 2/27 auto dot1q 1-1005,1025-4094
set trunk 2/35 auto dot1q 1-1005,1025-4094
set trunk 2/37 auto dot1q 1-1005,1025-4094
set trunk 2/46 auto dot1q 1-1005,1025-4094
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
!
#switch port analyzer
set rspan destination 2/1 5 inpkts disable learning enable create
end
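The suggestion earlier in the thread was to keep the public-room ports off the DHCP VLAN by pruning that VLAN from the trunk's allowed list. The config above shows why that matters: every `set trunk` line allows 1-1005,1025-4094, which includes VLAN 172 (DHCP-VLAN). Below is an added audit script, not code from the thread or from Cisco, that parses a constructed excerpt of the posted config, reports which trunk ports still carry a given VLAN, and computes what the allowed list looks like once that VLAN is pruned. The `clear trunk mod/port vlan` remediation line it prints is the CatOS syntax as I recall it, not something the thread shows, so verify it against your CatOS release before pasting it.

```python
"""Audit a CatOS config excerpt for trunk ports that still carry a VLAN
(here 172, the DHCP VLAN) that should not reach a public-room port.

Added example, not the thread's own code. CATOS_CONFIG below is a
constructed excerpt that mirrors the posted 4506 config (same values,
fewer ports, plus one already-pruned port for contrast).
"""
import re

# Constructed excerpt based on the thread's config; 2/5 is an invented,
# already-pruned port so the audit has a clean case to compare against.
CATOS_CONFIG = """\
set vlan 100 name Voice-VLAN type ethernet mtu 1500 said 100100 state active
set vlan 172 name DHCP-VLAN type ethernet mtu 1500 said 100172 state active
set port auxiliaryvlan 2/1 100
set port auxiliaryvlan 2/2 100
set trunk 2/2 auto dot1q 1-1005,1025-4094
set trunk 2/3 on dot1q 1-1005,1025-4094
set trunk 2/5 auto dot1q 1-171,173-1005,1025-4094
"""

# set trunk <mod/port> <mode> <encapsulation> <allowed-vlan-ranges>
TRUNK_RE = re.compile(r"^set trunk (\S+) (\S+) (\S+) (\S+)$")
VLAN_NAME_RE = re.compile(r"^set vlan (\d+) name (\S+)")


def parse_vlan_ranges(spec):
    """'1-1005,1025-4094' -> [(1, 1005), (1025, 4094)]; a bare '5' -> [(5, 5)]."""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        ranges.append((lo, hi))
    return ranges


def format_vlan_ranges(ranges):
    """Inverse of parse_vlan_ranges, in the same comma-separated CatOS form."""
    return ",".join(f"{lo}-{hi}" if lo != hi else str(lo) for lo, hi in ranges)


def parse_config(config):
    """Return ({port: trunk-info}, {vlan-id: name}) from the config text."""
    trunks, vlan_names = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        m = TRUNK_RE.match(line)
        if m:
            port, mode, encap, vlans = m.groups()
            trunks[port] = {"mode": mode, "encap": encap,
                            "allowed": parse_vlan_ranges(vlans)}
            continue
        m = VLAN_NAME_RE.match(line)
        if m:
            vlan_names[int(m.group(1))] = m.group(2)
    return trunks, vlan_names


def vlan_allowed(ranges, vlan):
    return any(lo <= vlan <= hi for lo, hi in ranges)


def prune_vlan(ranges, vlan):
    """Remove one VLAN id from a list of inclusive ranges, splitting as needed."""
    out = []
    for lo, hi in ranges:
        if vlan < lo or vlan > hi:
            out.append((lo, hi))
            continue
        if lo < vlan:
            out.append((lo, vlan - 1))
        if vlan < hi:
            out.append((vlan + 1, hi))
    return out


def audit(config, vlan):
    """List every trunk that still allows `vlan`, with the pruned list and fix."""
    trunks, vlan_names = parse_config(config)
    findings = []
    for port, t in sorted(trunks.items()):
        if not vlan_allowed(t["allowed"], vlan):
            continue
        findings.append({
            "port": port,
            "mode": t["mode"],            # 'auto' = trunking negotiated by DTP
            "vlan": vlan,
            "vlan_name": vlan_names.get(vlan, "?"),
            "pruned": format_vlan_ranges(prune_vlan(t["allowed"], vlan)),
            # CatOS syntax as recalled, not from the thread; verify first.
            "fix": f"clear trunk {port} {vlan}",
        })
    return findings


if __name__ == "__main__":
    for f in audit(CATOS_CONFIG, 172):
        print(f"{f['port']} (trunk mode {f['mode']}) still allows VLAN "
              f"{f['vlan']} {f['vlan_name']}; after pruning: {f['pruned']}; "
              f"fix: {f['fix']}")
```

Running it against the excerpt flags 2/2 and 2/3 (both allow 172) and leaves 2/5 alone. The `mode` field is worth a look too: `auto` means the port only trunks if the neighbour negotiates it via DTP, so whether a given public-room jack is actually a trunk depends on what is plugged into it, which is exactly the uncertainty the original poster is up against.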
There is no reason that you can't enable port security. Just do not configure the switchport as an actual trunk, because then you can't run port security (as you know). If all you want is to have the phone hanging off of this interface, then leave the maximum set to 1. I don't know what voice solution you are running, but perhaps you could also disable the PC switchport on the phone.
I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)