topic Re: Port Security Command in Switches, Hubs, and Modems

Port Security Command

AAPP Toledo — Wed, 21 Apr 2010 11:23:10 GMT

Hi to All,

Anyone used/configured this command?

I need that ONLY 3 PC's reach a Printer. So...I configured this on my 5406zl but doesn't work:

AAPP-CPD1(eth-D17)# show port-security d17

Port Security

Port : D17
Learn Mode [Continuous] : Configured
Address Limit [1] : 4
Action [None] : Send Alarm

Authorized Addresses
--------------------
001372-763426 (PC)
001aa0-cf12be (PC)
00206b-c020c3
003005-c2d124 (PC)

Doesn't work 'cause not only the 3 MACs reach the Printer but all the people can reach the printer.

The problem can be that I include the Printer's MAC on the Port-Security command?

The printer is connected in the D17 port.

Thanks a lot in advance and greetings from Spain.

Mariano.

Re: Port Security Command

cenk sasmaztin — Wed, 21 Apr 2010 19:32:04 GMT

hi Mariano

port-security for connection security on switch or network
switch learn mac address or addresses on port and connect network

port-securtiy unable reachable or unreacable between host's

you need acl configuration

Re: Port Security Command

Ralf Krause — Fri, 23 Apr 2010 08:46:31 GMT

Hi Mariano,

I agree with Cenk; port-security definitively is the wrong feature to achiev the desired communication limitation.

I would consider either ACLs (as suggested by Cenk), or - if you want to do it on an OSI level below 3 - think about source-port filtering.

You will find ACL documentation at:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-10-ACLs.pdf

Source-port-filtering is described here:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-12-TrafficSecFilters.pdf

(With both links, I assume ProVision based switches [yl/zl series])

Regards,
Ralf

Re: Port Security Command

AAPP Toledo — Fri, 23 Apr 2010 09:18:55 GMT

Hi Cenk & Ralf,

Thanks for your answers.... but I've tried with ACLs but was impossible.... This is my ACL configured in a 5406zl:

10 permit ip 10.128.180.41 0.0.0.0 10.128.183.226 0.0.0.0
11 permit ip 10.128.180.105 0.0.0.0 10.128.183.226 0.0.0.0
20 permit ip 10.128.180.14 0.0.0.0 10.128.183.227 0.0.0.0
21 permit ip 10.128.180.12 0.0.0.0 10.128.183.227 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

And it was applied to the VLAN:

vlan 180
name "PCs Impresoras"
untagged B1-B17,B19-B24,C1-C12,D1,D3,D5,D7,D12-D13,D17
ip address 10.128.180.8 255.255.252.0
tagged Trk1-Trk5,Trk10
ip access-group "Firewall Impresoras" in
ip access-group "Firewall Impresoras" out
exit

What's wrong?

Many many thanks in advance for your answers & greetings from Madrid.

Mariano.

Re: Port Security Command

cenk sasmaztin — Fri, 23 Apr 2010 11:45:37 GMT

please send me sh run print your 5400 switch

Re: Port Security Command

AAPP Toledo — Fri, 23 Apr 2010 11:56:35 GMT

Hi Cenk,

Thanks a lot for your time and your patience. I send you a attached (TXT file) with the configuration of my 5406zl.

Thanks in advance.

Mariano.

Re: Port Security Command

AAPP Toledo — Wed, 28 Apr 2010 07:22:31 GMT

Hi Cenk...

Any news??

Thanks in advance...

Mariano.