How to lock the specified MAC address on the port? (port security + network-access mac-filter)

Steven_zhang | Created at: Dec 11, 2019 11:25:06 | Updated at: Dec 11, 2019 11:25:09

The following example uses the ES3510MA.

 

Expectation: port 1 learns only the MAC addresses specified in the mac-filter.

 

Topology:

[Figure: topology diagram (mceclip0.png)]

 

Here's the configuration:

 

Setting "network-access mac-filter"

Console(config)#network-access mac-filter 2 mac-address 00-E0-4C-68-01-5A

Console(config)#network-access mac-filter 2 mac-address B8-AE-ED-BB-08-6F

 

Console(config)#interface ethernet 1/1

Console(config-if)#port security   //"enable port security"

Console(config-if)#port security max-mac-count 3   //"allow port 1 to learn up to three MAC addresses"

Console(config-if)#network-access port-mac-filter 2   //"the MAC address table learns only the MAC addresses configured in mac-filter 2"

 

Result:

Check the MAC address table.

[Screenshot: MAC address table (mceclip1.png)]

Check port security.

[Screenshot: port security status (mceclip2.png)]

Ping from switch to PC1, PC2, PC3.

[Screenshots: ping results (mceclip3.png, mceclip4.png, mceclip5.png)]

Capture the packets on PC3.

PC3 receives the ARP Request packet from the switch and sends an ARP Reply back to the switch.

Because I set the mac-filter on the switch, the switch did not learn PC3's MAC address, and the ping failed.

[Screenshot: packet capture on PC3 (mceclip6.png)]
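To verify that every port with port security also has a populated mac-filter bound to it, the following added example (not part of the original article or the vendor's tooling) audits a saved configuration using the command syntax shown above. It assumes the saved text lists commands as they were typed; ports 1/2 and 1/3, filter ID 5, and the function names are hypothetical.

```python
import re

# Constructed sample: the article's commands plus hypothetical ports 1/2
# (no filter bound) and 1/3 (bound to filter 5, which is never defined).
SAMPLE_CONFIG = """\
network-access mac-filter 2 mac-address 00-E0-4C-68-01-5A
network-access mac-filter 2 mac-address B8-AE-ED-BB-08-6F
interface ethernet 1/1
 port security
 port security max-mac-count 3
 network-access port-mac-filter 2
interface ethernet 1/2
 port security
interface ethernet 1/3
 port security
 network-access port-mac-filter 5
"""

FILTER_RE = re.compile(r"network-access mac-filter (\d+) mac-address ((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})$")
BIND_RE = re.compile(r"network-access port-mac-filter (\d+)$")

def parse(config):
    """Return (filters, ports): filter id -> set of MACs, port -> settings."""
    filters, ports, port = {}, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if m := FILTER_RE.match(line):
            filters.setdefault(int(m[1]), set()).add(m[2].upper())
        elif line.startswith("interface ethernet "):
            port = line.split()[-1]
            ports[port] = {"security": False, "filter": None}
        elif port is None:
            continue  # global command outside any interface block
        elif line == "port security":
            ports[port]["security"] = True
        elif m := BIND_RE.match(line):
            ports[port]["filter"] = int(m[1])
    return filters, ports

def audit(config):
    """List (port, finding) pairs for ports whose MAC lock-down is incomplete."""
    filters, ports = parse(config)
    findings = []
    for name, p in ports.items():
        if p["security"] and p["filter"] is None:
            findings.append((name, "port security without port-mac-filter"))
        elif p["security"] and not filters.get(p["filter"]):
            findings.append((name, "port-mac-filter %d has no MAC entries" % p["filter"]))
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports ports 1/2 and 1/3 and leaves port 1/1, configured as in the article, without findings.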