Switches, Hubs, and Modems
Showing results for 
Search instead for 
Did you mean: 

Port Lockdown to 1 MAC

Go to solution
Tony Barrett_2
Frequent Advisor

Port Lockdown to 1 MAC

I want to enforce our 2600 series switch's to only allow 1 MAC address per port. I don't mind what this MAC address is, but I don't want it to allow a second MAC to be learnt.

I've looked at the manuals, and I can nominate a single MAC to a port, or restrict an IP subnet to a switch port, but I can't obviously see a way to say 'only allow one MAC address on this port'. I don't mind if this is a global switch setting.

The idea behind this being to stop users plugging in hubs and sharing ports!

Matt Hobbs
Honored Contributor

Re: Port Lockdown to 1 MAC

Hi Tony,

I believe this should do what you're after:

2600(config)#port-security learn-mode limited-continuous address-limit 1

The only problem is when you get someone who plugs in a router that does NAT, as it will still appear as only the one mac-address...

Les Ligetfalvy
Esteemed Contributor

Re: Port Lockdown to 1 MAC

Those nasty consumer DSL routers... they make it so easy to clone MAC too. I am always vigilant of MAC OUI but when they clone the MAC of their accepted PC, it gets harder to catch them.
Tony Barrett_2
Frequent Advisor

Re: Port Lockdown to 1 MAC

Thanks for the prompt reply Matt, and sorry for not getting back to you sooner. Guess I was looking in the wrong place in the manual.

Your suggestion I think will enforce what I need, but I forgot to mention I want to use this 'single MAC per port' option with 802.1x authentication, which seems to cause a problem.

If I enter the suggested command with 802.1x auth enabled on the same port (e.g. 1), then I get the following error;

2600(config)# address-limit: Not allowed in current learn mode

I've tried using the following which works;

2600(config)# port-security 1 learn-mode port-access action send-alarm

2600(config)# sh port-security

Port Learn-Mode Action
1 Port-Access (802.1x) Send Alarm

But I'm pretty sure this config will only notify with SNMP trap if there is a detected security breach. It won't restrict learning to a single MAC.