Re: Where's "mac-address-table secure" on newer Catalyst switches?

In article <4A9DA309.1000908@xxxxxxxxxxxxxx>, Tom Lowry <tlowry@xxxxxxxxxxxxxx

Look at 'port security' options for the 3560:

interface GigabitEthernet0/4
switchport mode access
switchport port-security
switchport port-security violation restrict
switchport port-security mac-address aaaa.bbbb.cccc

There are two mechanisms I need to be able to employ:

1) Arbitrarily block a MAC address everywhere on the LAN on a given VLAN

2) Only allow a MAC address on a specific port assigned to a given VLAN on
the LAN

Port security only helps in either case if all the ports for a given VLAN are
set as secure. Since many of our systems need to be moved from room to room
or are laptops (which are mobile by nature), we can't do that. In the version
of IOS that worked on the Catalyst 2900XL series, you could define a MAC
address as secure and assign it to a port/VLAN, but the port itself didn't
need to be secure. If that MAC address appeared on the port, it would be
allowed to pass traffic, but if the MAC address appeared anywhere else on the
LAN in the same VLAN, regardless of port security on the port to which it was
attached, access from that MAC address would be blocked. This is the behavior
I'm seeking on the newer Catalyst switches (3560 and/or 3750) but which has
apparently been dropped. I'm happy to be corrected, however.

On 8/31/2009 3:39 PM, Michael T. Davis wrote:
For the sake of context, you may assume that the mention of any VLAN
id in this discussion is maintained throughout the LAN in question. (We're
not dealing with a "private VLAN" or a VLAN maintained only on a subset of
switches on the LAN.)

We have a number of Catalyst 2900XL (EN) switches installed. One
command we make regular use of is...

# mac-address-table secure H.H.H fa0/N vlan V

When we specify this on one switch, the MAC address is essentially blocked
anywhere else on our LAN (for the given VLAN id). If this is set for a port
that isn't actually connected to anything on a single switch, the MAC
is basically blocked everywhere on the LAN.

I just checked a Catalyst 3560G-48PS and a Catalyst 3750G-24TS. The
command line completion mechanism on both switches seems to imply the
form of the "mac-address-table" command is no longer available. (Both of
newer switches are running "IPBASE-M" variants of IOS.) I also checked the
online command line reference for the newest version(s) of IOS for these
switches. Finally, I checked the online "Command Lookup Tool for Cisco
and it only says the "secure" form is available with Catalyst switches, but
doesn't qualify what models. The closest variant is...

# mac-address-table static H.H.H vlan V drop

Does this provide the same functionality as the "secure" form, or would it
to be specified on each switch in the LAN to be effective when we want to
packets for a particular MAC address everywhere on the LAN? If we were to

# mac-address-table static H.H.H vlan V interface INT

would this only allow the given MAC address on the port INT of the switch in
question, and block its use everywhere else on the LAN, as the "secure" form
did on the 2900XL series of switches?

| Systems Specialist: CBE,MSE
Michael T. Davis (Mike) | Departmental Networking/Computing | The Ohio State University
| 197 Watts, (614) 292-6928
** E-mail is the best way to contact me **