Dynamically building a MAC address table for a certain port on a switch.

Discussion in 'Networking, Telephony & Internet' started by ausghostdog, Aug 19, 2013.

  1. ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    Hey all,

    Firstly, before anyone starts ranting: this is homework, and I've already solved a way to do it. I'm simply looking for help on other ways it is possible.

    [image: network diagram]

    That's the network I am working with.

    The question was to get the three servers to access port 12 on switch 5 only, and also to set up port security.

    Now, nothing in the network has an IP address, the STP is all default settings, and everything is running off MAC addresses.

    The way I solved the issue was:

    1. Set up port security on switch five
    Code:
    Switch>enable
    Switch#config t
    Enter configuration commands, one per line.  End with CNTL/Z.
    Switch(config)#
    Switch(config)#interface fastethernet 0/12
    Switch(config-if)#switchport port-security
    Switch(config-if)#switchport mode access
    Switch(config-if)#switchport port-security
    Switch(config-if)#switchport port-security maximum 4
    Switch(config-if)#switchport port-security mac-address sticky
    Switch(config-if)#switchport port-security violation protect
    Switch(config-if)#end
    
    2. I then removed the link between switch 2 and switch 5

    3. I then issued each server an ip address and subnet mask

    4. Connected each server to switch 5 port 12

    5. Got the MAC addresses on the port and confirmed with show
    Code:
    Switch#show running-config
    
    interface FastEthernet0/12
     switchport mode access
     switchport port-security
     switchport port-security maximum 4
     switchport port-security mac-address sticky 
     switchport port-security violation protect 
     switchport port-security mac-address sticky 000C.85A1.96AB
     switchport port-security mac-address sticky 000C.CFE0.BEDD
     switchport port-security mac-address sticky 0050.0FB2.6E0F
     switchport port-security mac-address sticky 0060.3E9B.AB2D
    
    6. Then I added the link back between switch 2 and switch 5.

    Is there any way to do this without giving IP addresses to the servers and without changing the topology at all?

    Once again, I have already completed the question; I just want to know if it can be done easier.

    Now I could do it statically from the switch itself using

    Code:
    switch(config)#mac-address-table static mac address here vlan # interface fastethernet #
    but I'm trying to get the switch port to learn the MAC address dynamically; given the lack of IPs, I cannot just ping the server or port.

    Before anyone else says anything:

    Not allowed to change STP settings or VLAN settings.
     
    Last edited: Aug 19, 2013
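As an added example (not code from the thread or from Cisco), here is a small Python model of what the sticky port-security configuration above does: it parses the FastEthernet0/12 stanza from the running-config (a constructed copy with two of the four addresses learned so far) and simulates frames arriving on the port, so the fifth source MAC can be seen being silently dropped under `violation protect`. The `shutdown` branch and the IOS defaults in the dataclass are modelled from general IOS behaviour, not from anything in the post.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: the interface stanza from the thread, with two sticky MACs learned so far
RUNNING_CONFIG = """\
interface FastEthernet0/12
 switchport mode access
 switchport port-security
 switchport port-security maximum 4
 switchport port-security mac-address sticky
 switchport port-security violation protect
 switchport port-security mac-address sticky 000C.85A1.96AB
 switchport port-security mac-address sticky 000C.CFE0.BEDD
"""

@dataclass
class PortSecurity:
    enabled: bool = False
    maximum: int = 1              # IOS default once port-security is enabled
    violation: str = "shutdown"   # IOS default violation mode
    secure: list = field(default_factory=list)   # secure (sticky) MACs on the port
    dropped: list = field(default_factory=list)  # source MACs dropped as violations
    err_disabled: bool = False
def parse_stanza(text):
    ps = PortSecurity()
    for line in (raw.strip() for raw in text.splitlines()):
        if line == "switchport port-security":
            ps.enabled = True
        elif m := re.fullmatch(r"switchport port-security maximum (\d+)", line):
            ps.maximum = int(m.group(1))
        elif m := re.fullmatch(r"switchport port-security violation (\w+)", line):
            ps.violation = m.group(1)
        elif m := re.fullmatch(r"switchport port-security mac-address sticky (\S+)", line):
            ps.secure.append(m.group(1).upper())
    return ps

def ingress(ps, src_mac):
    """Model the switch's decision for a frame from src_mac on the port; True = forwarded."""
    src_mac = src_mac.upper()
    if ps.err_disabled:
        return False                # port was shut down by an earlier violation
    if not ps.enabled or src_mac in ps.secure:
        return True
    if len(ps.secure) < ps.maximum:
        ps.secure.append(src_mac)   # sticky learning: the MAC becomes a secure MAC
        return True
    ps.dropped.append(src_mac)      # table full: violation; protect drops silently
    if ps.violation == "shutdown":
        ps.err_disabled = True      # restrict also logs/counts; shutdown err-disables
    return False
```

Because `protect` produces no log entry or violation counter, a fifth host on the port is invisible to the operator; `restrict` drops the same frames but logs and counts them.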
  2. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    "The question was, to get the three servers to access port 12 on switch 5 only. Also setting up port security."

    What is port 12 (the diagram has no port numbers) and access how? Transit that port? Be able to access it?


    As I stated before, putting port security on trunks is poor practice and will break more than it fixes.
     
  3. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    Port 12 is the switch 5 side of the switch 2-5 link; port 12 is the connected side. The MAC addresses have to be in the address table for it. As I said, I cannot simply manually add them; the switch has to learn them. Sadly, with MAC addresses alone there are no packets traversing the links for the switch to learn them.
     
    Last edited: Aug 19, 2013
  4. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    OK, well, the best way would be to change the spanning setup to make traffic go the other way.

    The way you did it was not how one manages traffic in a real network.
     
  5. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    Not allowed to change the setup. I have to work with what I have been given. I agree there would be a lot better ways in order to set this up, but this is what I have been given and I need to work with it.

    So is there any way to do it other than the way I did, or is that it?

    Edit:

    So I just came across ACLs.
     
    Last edited: Aug 19, 2013
  6. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    So what are you allowed to do? Changing STP is not any different to applying a port-sec map.
     
  7. Heywood

    Heywood Member

    Joined:
    Dec 25, 2001
    Messages:
    457
    Assuming everything is just in a single VLAN, modifying the STP costs would probably be the best way forward, because under normal operation it would be as you describe as the desirable behaviour but you still have alternate pathways in the event of a failure.

    Alternatively, if it's using multiple VLANs, you could prune the server VLANs from the interswitch trunks you don't want to use; you lose resiliency in the event of a failure though.
     
  8. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Give him ideas not answers :p
     
  9. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    Not allowed to modify the costs of the STP or change the VLANs.
     
  10. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    ACLs won't help, as going off the diagram the far port is blocking in STP, so you won't be able to populate the CAM table with traffic from that port.
     
  11. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    I guess I found the only way to do it then.
     
  12. Heywood

    Heywood Member

    Joined:
    Dec 25, 2001
    Messages:
    457
    Hmm, maybe cause the CAM table to blackhole the MACs of the servers on the switches you don't want to see the traffic pass through?

    Code:
    mac address-table static <mac-address> vlan <vlan-id> drop
     
  13. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    Has to be dynamic; I cannot manually add them.
     
  14. Heywood

    Heywood Member

    Joined:
    Dec 25, 2001
    Messages:
    457
    A fully dynamic solution: I guess one way would be using QoS on Switch 2.

    On ingress from the server-facing ports, set the CoS value of incoming frames to 1 (assuming no other traffic of interest uses that marking).

    On egress on the interfaces facing Switch 4, drop all traffic with CoS 1.

    I'll leave the specific configuration as an exercise for the reader.
     
  15. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    OK, just got an email back from my uni prof; we are allowed to add IP addresses to the systems, so I'm just doing that.

    Thanks all. It just seemed well outside the scope of what we had learned compared to what they wanted us to do.
     
  16. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Lol that changes everything.


    The port-sec/QoS options are not something people should be taught anyway :p
     
  17. whitewolfx

    whitewolfx Member

    Joined:
    Sep 26, 2012
    Messages:
    214
    Sometimes I wonder if people create ambiguous or poorly worded questions just for the sake of making their students dig around and learn more than they should. It makes students learn why doing things certain ways is better and in which situations it would be better. 'Tis a very effective way of getting people to use their brain.

    Or maybe I'm giving them too much credit and your profs are just really sick and tired of you asking too many questions and want to get back to their bottle of whisky.
     
  18. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    Yeah, we have done port-sec, but only with IP addresses and manually adding the MAC addresses. When the systems had no IP addresses, only MAC addresses, and it wanted dynamic learning, I was stumped. I messaged him and there was no issue with using IP addresses; to be honest, the systems should have had IP addresses to start with.
     
  19. FiShy

    FiShy Member

    Joined:
    Aug 15, 2001
    Messages:
    9,682
    Most questions are poorly worded to ensure an amount of failure in exams.

    Need to keep the numbers ticking over.
     
  20. OP
    OP
    ausghostdog

    ausghostdog Member

    Joined:
    Feb 7, 2010
    Messages:
    2,150
    I do not want help with this question; this is simply to point out what FiShy is saying.
    [image]
     
