Where's "mac-address-table secure" on newer Catalyst switches?

For the sake of context, you may assume that the mention of any VLAN
id in this discussion is maintained throughout the LAN in question. (We're
not dealing with a "private VLAN" or a VLAN maintained only on a subset of
switches on the LAN.)

We have a number of Catalyst 2900XL (EN) switches installed. One
command we make regular use of is...

# mac-address-table secure H.H.H fa0/N vlan V

When we specify this on one switch, the MAC address is essentially blocked
anywhere else on our LAN (for the given VLAN id). If this is set for a port
that isn't actually connected to anything on a single switch, the MAC address
is basically blocked everywhere on the LAN.

I just checked a Catalyst 3560G-48PS and a Catalyst 3750G-24TS. The
command line completion mechanism on both switches seems to imply the "secure"
form of the "mac-address-table" command is no longer available. (Both of these
newer switches are running "IPBASE-M" variants of IOS.) I also checked the
online command line reference for the newest version(s) of IOS for these
switches. Finally, I checked the online "Command Lookup Tool for Cisco IOS",
and it only says the "secure" form is available with Catalyst switches, but
doesn't qualify what models. The closest variant is...

# mac-address-table static H.H.H vlan V drop

Does this provide the same functionality as the "secure" form, or would it need
to be specified on each switch in the LAN to be effective when we want to drop
packets for a particular MAC address everywhere on the LAN? If we were to
set...

# mac-address-table static H.H.H vlan V interface INT

would this only allow the given MAC address on the port INT of the switch in
question, and block its use everywhere else on the LAN, as the "secure" form
did on the 2900XL series of switches?

Thanks,
Mike
--
| Systems Specialist: CBE,MSE
Michael T. Davis (Mike) | Departmental Networking/Computing
http://www.ecr6.ohio-state.edu/~davism/ | The Ohio State University
| 197 Watts, (614) 292-6928
** E-mail is the best way to contact me **
.

Relevant Pages

  • Re: Different terms for the same or more secure?
    ... Could someone define each for me and the list and also why one is more secure than the other. ... One definition of "subnet" is that it is a contiguous block of host addresses. ... a LAN, ... So what does a VLAN do that a subnet doesn't and why is one better than the other? ...
    (Security-Basics)
  • Re: Wheres "mac-address-table secure" on newer Catalyst switches?
    ... switchport port-security mac-address aaaa.bbbb.cccc ... id in this discussion is maintained throughout the LAN in question. ... not dealing with a "private VLAN" or a VLAN maintained only on a subset of ... We have a number of Catalyst 2900XL switches installed. ...
    (comp.dcom.sys.cisco)
  • Re: Is VLAN still secure ?
    ... > secure as on different switches fpr diferent Networks. ... > build a DMZ on one Switch with an DMZ VLAN and a Secure VLAN. ... Vlan's are not a security option. ...
    (comp.security.firewalls)
  • Re: Configuring Cisco IPS High Bandwidth Using EtherChannel Load Balancing
    ... VLAN Pair mode uses one interface only and this is the only supported ... The ECLB feature allows you to load balance upto eight Cisco IPS ... All ports will be part of the same etherchannel ... All servers are connected to the backbone switches via another ...
    (Focus-IDS)
  • Re: MAC-based Ethernet VLANs
    ... Ethernet VLANs using Cisco 2900-series switches running IOS 12.1. ... to a VLAN with unrestricted network connectivity, ... get tagged as VLAN 10 upon ingress, if the source MAC address matches ...
    (comp.dcom.sys.cisco)