Switches, Hubs, and Modems
AAPP Toledo
Frequent Advisor

Port Security Command

Hi to All,

Anyone used/configured this command?

I need ONLY 3 PCs to be able to reach a printer. So I configured this on my 5406zl, but it doesn't work:

AAPP-CPD1(eth-D17)# show port-security d17

Port Security

Port : D17
Learn Mode [Continuous] : Configured
Address Limit [1] : 4
Action [None] : Send Alarm

Authorized Addresses
--------------------
001372-763426 (PC)
001aa0-cf12be (PC)
00206b-c020c3
003005-c2d124 (PC)


It doesn't work because not only the 3 MACs can reach the printer; everybody can reach the printer.

Could the problem be that I included the printer's MAC in the port-security configuration?

The printer is connected in the D17 port.


Thanks a lot in advance and greetings from Spain.


Mariano.

cenk sasmaztin
Honored Contributor

Re: Port Security Command

Hi Mariano,

Port-security is for connection security on the switch or network: the switch learns the MAC address or addresses on a port and connects them to the network.

Port-security cannot make hosts reachable or unreachable to each other.

You need an ACL configuration.
Cenk

Ralf Krause
Frequent Advisor

Re: Port Security Command

Hi Mariano,

I agree with Cenk; port-security is definitely the wrong feature to achieve the desired communication limitation.

I would consider either ACLs (as suggested by Cenk), or - if you want to do it on an OSI level below 3 - think about source-port filtering.

You will find ACL documentation at:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-10-ACLs.pdf

Source-port-filtering is described here:
http://cdn.procurve.com/training/Manuals/3500-5400-6200-6600-8200-ASG-Mar10-12-TrafficSecFilters.pdf

(With both links, I assume ProVision based switches [yl/zl series])

Regards,
Ralf
AAPP Toledo
Frequent Advisor

Re: Port Security Command

Hi Cenk & Ralf,

Thanks for your answers... but I've tried ACLs and it was impossible... This is my ACL configured on a 5406zl:

10 permit ip 10.128.180.41 0.0.0.0 10.128.183.226 0.0.0.0
11 permit ip 10.128.180.105 0.0.0.0 10.128.183.226 0.0.0.0
20 permit ip 10.128.180.14 0.0.0.0 10.128.183.227 0.0.0.0
21 permit ip 10.128.180.12 0.0.0.0 10.128.183.227 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255

And it was applied to the VLAN:

vlan 180
name "PCs Impresoras"
untagged B1-B17,B19-B24,C1-C12,D1,D3,D5,D7,D12-D13,D17
ip address 10.128.180.8 255.255.252.0
tagged Trk1-Trk5,Trk10
ip access-group "Firewall Impresoras" in
ip access-group "Firewall Impresoras" out
exit

What's wrong?

Many many thanks in advance for your answers & greetings from Madrid.

Mariano.
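Added illustration (not from the thread or from HP): a small Python model of first-match ACL evaluation, run over the ACL quoted in the post above. The wildcard-mask semantics are modelled from the lines shown there (0.0.0.0 = exact match, 255.255.255.255 = any), and FIXED_ACL, with deny lines 30 and 31 placed before the permit-any, is an assumed correction rather than something the thread states.

```python
import ipaddress

# ACEs copied from the post: <seq> <action> ip <src> <src-wildcard> <dst> <dst-wildcard>
ORIGINAL_ACL = """
10 permit ip 10.128.180.41 0.0.0.0 10.128.183.226 0.0.0.0
11 permit ip 10.128.180.105 0.0.0.0 10.128.183.226 0.0.0.0
20 permit ip 10.128.180.14 0.0.0.0 10.128.183.227 0.0.0.0
21 permit ip 10.128.180.12 0.0.0.0 10.128.183.227 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

# Assumed correction (not from the thread): deny everyone else's traffic to the
# printers *before* the permit-any, otherwise line 40 permits every flow.
FIXED_ACL = """
10 permit ip 10.128.180.41 0.0.0.0 10.128.183.226 0.0.0.0
11 permit ip 10.128.180.105 0.0.0.0 10.128.183.226 0.0.0.0
20 permit ip 10.128.180.14 0.0.0.0 10.128.183.227 0.0.0.0
21 permit ip 10.128.180.12 0.0.0.0 10.128.183.227 0.0.0.0
30 deny ip 0.0.0.0 255.255.255.255 10.128.183.226 0.0.0.0
31 deny ip 0.0.0.0 255.255.255.255 10.128.183.227 0.0.0.0
40 permit ip 0.0.0.0 255.255.255.255 0.0.0.0 255.255.255.255
"""

def _matches(addr, base, wildcard):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return a & ~w == b & ~w

def parse_acl(text):
    """Parse the ACE lines into (seq, action, src, src_w, dst, dst_w), ordered by seq."""
    aces = []
    for line in text.strip().splitlines():
        seq, action, _proto, src, src_w, dst, dst_w = line.split()
        aces.append((int(seq), action, src, src_w, dst, dst_w))
    return sorted(aces)

def evaluate(acl, src, dst):
    """First matching ACE wins; no match falls through to the implicit deny-any."""
    for seq, action, s, sw, d, dw in parse_acl(acl):
        if _matches(src, s, sw) and _matches(dst, d, dw):
            return action, seq
    return "deny", None

if __name__ == "__main__":
    for name, acl in (("original", ORIGINAL_ACL), ("fixed", FIXED_ACL)):
        for src in ("10.128.180.41", "10.128.180.50"):  # allowed PC, some other host
            print(name, src, "-> 10.128.183.226:", evaluate(acl, src, "10.128.183.226"))
```

Running it shows the unlisted host 10.128.180.50 hitting line 40 ("permit") under the original ACL and line 30 ("deny") under the corrected one, while the listed PCs still match their explicit permits.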

cenk sasmaztin
Honored Contributor

Re: Port Security Command

Please send me the "sh run" printout of your 5400 switch.
Cenk

AAPP Toledo
Frequent Advisor

Re: Port Security Command

Hi Cenk,

Thanks a lot for your time and your patience. I've attached a TXT file with the configuration of my 5406zl.

Thanks in advance.


Mariano.
AAPP Toledo
Frequent Advisor

Re: Port Security Command

Hi Cenk...

Any news??

Thanks in advance...


Mariano.