Tek-Tips is the largest IT community on the Internet today!
Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!
-
Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!
mac security question
- Thread starter wowhead
- Start date
cisconooblet
Technical User
Can you expound on that a little bit?
- Thread starter
- #3
Sure, go here:
See that bullet point that says, "port security cannot be configured on a trunk port."
If I still want to control what's going on @ these ports what do i do?
See that bullet point that says, "port security cannot be configured on a trunk port."
If I still want to control what's going on @ these ports what do i do?
cisconooblet
Technical User
I meant can you tell us about your problem in detail.
- Thread starter
- #5
i dont understand, what else do you need to know?
i want to control what traffic on a couple switch ports. yet cisco says i cannot use mac security on ports that are trunked. the ports i want to control are in fact trunked due to our IP phone system.
i'm then wondering what the alternative is, if any, so that i can still control what is going on. these are ports in a public room so we'd much prefer the security to be less than wide open for everyone to grab a DHCP address.
i want to control what traffic on a couple switch ports. yet cisco says i cannot use mac security on ports that are trunked. the ports i want to control are in fact trunked due to our IP phone system.
i'm then wondering what the alternative is, if any, so that i can still control what is going on. these are ports in a public room so we'd much prefer the security to be less than wide open for everyone to grab a DHCP address.
cisconooblet
Technical User
Can you not put them in a vlan and then just use an ACL on the router to allow/block what you want?
- Thread starter
- #7
cisconooblet
Technical User
google "access control list" and see if you can use that.
- Thread starter
- #9
cisconooblet
Technical User
Dare I chime in again, heaven forbid I try to help you with your work around, Why not add them to a new unused vlan with nothing else on it? No DHCP no nothing. Then you could prune it from the allowed vlan list on the desired trunk. I'm only trying to help you.
- Thread starter
- #12
This thing runs CatOS so it took me a while to figure something out:
4506-Upstairs (enable) show port 2/1
* = Configured MAC Address
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/1 notconnect 1 normal auto auto 10/100/1000
Port AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
2/1 100 inactive
Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
2/1 disabled shutdown 0 0 1 disabled 11
Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
2/1 0 - - - - -
Port Flooding on Address Limit
----- -------------------------
2/1 Enabled
Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported
admin oper admin oper opcodes
----- -------- -------- --------- --------- ---------- ---------- -----------
2/1 on off desired off 0 0 0
Port Status Channel Admin Ch
Mode Group Id
----- ---------- -------------------- ----- -----
2/1 notconnect auto silent 2 0
Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout
---- ---------- ------------------- ---------------------- -----------------
2/1 notconnect - Enable No Change
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
2/1 - 0 0 0 0
Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
2/1 0 0 0 0 0 0 0
Last-Time-Cleared
--------------------------
Mon Oct 6 2008, 20:54:16
Idle Detection
--------------
--
4506-Upstairs (enable)
sh int doesn't give the same output...is this what you were looking for?
4506-Upstairs (enable) show port 2/1
* = Configured MAC Address
Port Name Status Vlan Level Duplex Speed Type
----- ------------------ ---------- ---------- ------ ------ ----- ------------
2/1 notconnect 1 normal auto auto 10/100/1000
Port AuxiliaryVlan AuxVlan-Status
----- ------------- --------------
2/1 100 inactive
Port Security Violation Shutdown-Time Age-Time Max-Addr Trap IfIndex
----- -------- --------- ------------- -------- -------- -------- -------
2/1 disabled shutdown 0 0 1 disabled 11
Port Num-Addr Secure-Src-Addr Age-Left Last-Src-Addr Shutdown/Time-Left
----- -------- ----------------- -------- ----------------- ------------------
2/1 0 - - - - -
Port Flooding on Address Limit
----- -------------------------
2/1 Enabled
Port Send FlowControl Receive FlowControl RxPause TxPause Unsupported
admin oper admin oper opcodes
----- -------- -------- --------- --------- ---------- ---------- -----------
2/1 on off desired off 0 0 0
Port Status Channel Admin Ch
Mode Group Id
----- ---------- -------------------- ----- -----
2/1 notconnect auto silent 2 0
Port Status ErrDisable Reason Port ErrDisableTimeout Action on Timeout
---- ---------- ------------------- ---------------------- -----------------
2/1 notconnect - Enable No Change
Port Align-Err FCS-Err Xmit-Err Rcv-Err UnderSize
----- ---------- ---------- ---------- ---------- ---------
2/1 - 0 0 0 0
Port Single-Col Multi-Coll Late-Coll Excess-Col Carri-Sen Runts Giants
----- ---------- ---------- ---------- ---------- --------- --------- ---------
2/1 0 0 0 0 0 0 0
Last-Time-Cleared
--------------------------
Mon Oct 6 2008, 20:54:16
Idle Detection
--------------
--
4506-Upstairs (enable)
sh int doesn't give the same output...is this what you were looking for?
- Thread starter
- #15
- Thread starter
- #19
# ***** NON-DEFAULT CONFIGURATION *****
!
!
#time: Mon Oct 27 2008, 09:05:24
!
#version 8.4(11)GLX
!
!
#system web interface version(s)
set password
set enablepass
set prompt 4506-Upstairs
set config mode text nvram
set banner motd ^C Welcome to the Catalyst 4506, DON'T SCREW ANYTHING UP!!!
Your's truly, Big-Brother. >
^C
!
#dot1x
set feature dot1x-radius-keepalive disable
!
#system
set system name 4506-Upstairs
set system location Upstairs Data Room
set system contact
!
#frame distribution method
set port channel all distribution mac both
!
#snmp
set snmp rmon enable
set snmp chassis-alias Catalyst4506
!
#Local User
set localuser user
privilege 15
!
#vtp
set vtp domain
set vtp mode transparent vlan
set vlan 5 rspan name VLAN0005 state active
set vlan 10 name VoIP type ethernet mtu 1500 said 100010 state active
set vlan 100 name Voice-VLAN type ethernet mtu 1500 said 100100 state active
set vlan 172 name DHCP-VLAN type ethernet mtu 1500 said 100172 state active
set vlan 500 rspan name VLAN0500 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state activ
e stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active st
p ibm
set vlan 1
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state acti
ve mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 1
set interface sl0 down
255.255.255.0 0.0.0.255
set interface me1 down
set ip route 0.0.0.0/0.0.0.0
set ip route 10.2.0.0/255.255.255.0
set ip alias default 0.0.0.0
!
#syslog
set logging console disable
!
#http configuration
set ip http server enable
!
#multicast filter
set igmp filter disable
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1 Catalyst4506
!
#module 2 : 48-port 10/100/1000 Ethernet
set module name 2 48-port Gig
set vlan 100 2/9,2/35
set port auxiliaryvlan 2/1 100
set port auxiliaryvlan 2/2 100
set port auxiliaryvlan 2/4 100
set port auxiliaryvlan 2/6 100
set port auxiliaryvlan 2/7 100
set port auxiliaryvlan 2/8 100
set port auxiliaryvlan 2/9 100
set port auxiliaryvlan 2/10 100
set port auxiliaryvlan 2/12 100
set port auxiliaryvlan 2/16 100
set port auxiliaryvlan 2/17 100
set port auxiliaryvlan 2/18 100
set port auxiliaryvlan 2/19 100
set port auxiliaryvlan 2/20 100
set port auxiliaryvlan 2/21 100
set port auxiliaryvlan 2/22 100
set port auxiliaryvlan 2/23 100
set port auxiliaryvlan 2/25 100
set port auxiliaryvlan 2/27 100
set port auxiliaryvlan 2/31 100
set port auxiliaryvlan 2/35 100
set port auxiliaryvlan 2/36 100
set port auxiliaryvlan 2/37 100
set port auxiliaryvlan 2/46 100
set trunk 2/2 auto dot1q 1-1005,1025-4094
set trunk 2/3 on dot1q 1-1005,1025-4094
set trunk 2/4 auto dot1q 1-1005,1025-4094
set trunk 2/6 auto dot1q 1-1005,1025-4094
set trunk 2/7 auto dot1q 1-1005,1025-4094
set trunk 2/8 auto dot1q 1-1005,1025-4094
set trunk 2/9 auto dot1q 1-1005,1025-4094
set trunk 2/10 auto dot1q 1-1005,1025-4094
set trunk 2/12 auto dot1q 1-1005,1025-4094
set trunk 2/16 auto dot1q 1-1005,1025-4094
set trunk 2/17 auto dot1q 1-1005,1025-4094
set trunk 2/18 auto dot1q 1-1005,1025-4094
set trunk 2/19 auto dot1q 1-1005,1025-4094
set trunk 2/20 auto dot1q 1-1005,1025-4094
set trunk 2/21 auto dot1q 1-1005,1025-4094
set trunk 2/22 auto dot1q 1-1005,1025-4094
set trunk 2/23 auto dot1q 1-1005,1025-4094
set trunk 2/25 auto dot1q 1-1005,1025-4094
set trunk 2/27 auto dot1q 1-1005,1025-4094
set trunk 2/35 auto dot1q 1-1005,1025-4094
set trunk 2/37 auto dot1q 1-1005,1025-4094
set trunk 2/46 auto dot1q 1-1005,1025-4094
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
!
#switch port analyzer
set rspan destination 2/1 5 inpkts disable learning enable create
end
!
!
#time: Mon Oct 27 2008, 09:05:24
!
#version 8.4(11)GLX
!
!
#system web interface version(s)
set password
set enablepass
set prompt 4506-Upstairs
set config mode text nvram
set banner motd ^C Welcome to the Catalyst 4506, DON'T SCREW ANYTHING UP!!!
Your's truly, Big-Brother. >
^C!
#dot1x
set feature dot1x-radius-keepalive disable
!
#system
set system name 4506-Upstairs
set system location Upstairs Data Room
set system contact
!
#frame distribution method
set port channel all distribution mac both
!
#snmp
set snmp rmon enable
set snmp chassis-alias Catalyst4506
!
#Local User
set localuser user
privilege 15
!
#vtp
set vtp domain
set vtp mode transparent vlan
set vlan 5 rspan name VLAN0005 state active
set vlan 10 name VoIP type ethernet mtu 1500 said 100010 state active
set vlan 100 name Voice-VLAN type ethernet mtu 1500 said 100100 state active
set vlan 172 name DHCP-VLAN type ethernet mtu 1500 said 100172 state active
set vlan 500 rspan name VLAN0500 state active
set vlan 1002 name fddi-default type fddi mtu 1500 said 101002 state active
set vlan 1004 name fddinet-default type fddinet mtu 1500 said 101004 state activ
e stp ieee
set vlan 1005 name trnet-default type trbrf mtu 1500 said 101005 state active st
p ibm
set vlan 1
set vlan 1003 name token-ring-default type trcrf mtu 1500 said 101003 state acti
ve mode srb aremaxhop 7 stemaxhop 7 backupcrf off
!
#ip
set interface sc0 1
set interface sl0 down
255.255.255.0 0.0.0.255
set interface me1 down
set ip route 0.0.0.0/0.0.0.0
set ip route 10.2.0.0/255.255.255.0
set ip alias default 0.0.0.0
!
#syslog
set logging console disable
!
#http configuration
set ip http server enable
!
#multicast filter
set igmp filter disable
!
#module 1 : 2-port 1000BaseX Supervisor
set module name 1 Catalyst4506
!
#module 2 : 48-port 10/100/1000 Ethernet
set module name 2 48-port Gig
set vlan 100 2/9,2/35
set port auxiliaryvlan 2/1 100
set port auxiliaryvlan 2/2 100
set port auxiliaryvlan 2/4 100
set port auxiliaryvlan 2/6 100
set port auxiliaryvlan 2/7 100
set port auxiliaryvlan 2/8 100
set port auxiliaryvlan 2/9 100
set port auxiliaryvlan 2/10 100
set port auxiliaryvlan 2/12 100
set port auxiliaryvlan 2/16 100
set port auxiliaryvlan 2/17 100
set port auxiliaryvlan 2/18 100
set port auxiliaryvlan 2/19 100
set port auxiliaryvlan 2/20 100
set port auxiliaryvlan 2/21 100
set port auxiliaryvlan 2/22 100
set port auxiliaryvlan 2/23 100
set port auxiliaryvlan 2/25 100
set port auxiliaryvlan 2/27 100
set port auxiliaryvlan 2/31 100
set port auxiliaryvlan 2/35 100
set port auxiliaryvlan 2/36 100
set port auxiliaryvlan 2/37 100
set port auxiliaryvlan 2/46 100
set trunk 2/2 auto dot1q 1-1005,1025-4094
set trunk 2/3 on dot1q 1-1005,1025-4094
set trunk 2/4 auto dot1q 1-1005,1025-4094
set trunk 2/6 auto dot1q 1-1005,1025-4094
set trunk 2/7 auto dot1q 1-1005,1025-4094
set trunk 2/8 auto dot1q 1-1005,1025-4094
set trunk 2/9 auto dot1q 1-1005,1025-4094
set trunk 2/10 auto dot1q 1-1005,1025-4094
set trunk 2/12 auto dot1q 1-1005,1025-4094
set trunk 2/16 auto dot1q 1-1005,1025-4094
set trunk 2/17 auto dot1q 1-1005,1025-4094
set trunk 2/18 auto dot1q 1-1005,1025-4094
set trunk 2/19 auto dot1q 1-1005,1025-4094
set trunk 2/20 auto dot1q 1-1005,1025-4094
set trunk 2/21 auto dot1q 1-1005,1025-4094
set trunk 2/22 auto dot1q 1-1005,1025-4094
set trunk 2/23 auto dot1q 1-1005,1025-4094
set trunk 2/25 auto dot1q 1-1005,1025-4094
set trunk 2/27 auto dot1q 1-1005,1025-4094
set trunk 2/35 auto dot1q 1-1005,1025-4094
set trunk 2/37 auto dot1q 1-1005,1025-4094
set trunk 2/46 auto dot1q 1-1005,1025-4094
!
#module 3 empty
!
#module 4 empty
!
#module 5 empty
!
#module 6 empty
!
#switch port analyzer
set rspan destination 2/1 5 inpkts disable learning enable create
end
as long as you have
there is no reason that you can't enable port-security. just do not configure the switchport as an actual trunk because then you can't run port-security (as you know). if all you want is to have the phone hanging off of this interface then leave the maximum set to 1. i don't know what voice solution you are running, but perhaps you could also disable the pc switchport on the phone.
I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
Code:
set port auxiliaryvlan mod/num <voice_vlan_id>I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
- Status
Similar threads
- Locked
- Question