Task 7.4

Somebody clarify for me why do not we use port-security here too as we did on task 7.3





  • Hi,

       Even i am not completely sure. But after reading docs and trying to make sense out of the IE version of the answer here is what i think. Port security is more of an access control mechanism. You restrict the number of MAC's and MAC's seen on a switchport and set violation policy. The docs say that the MAC configured on one secure port should not be seen on another port in the *same VLAN*. which would mean the MAC could be learned off another port in another VLAN! Refer Section "Security Violations; pg 22-8" of 3550 multilayer switch configuration guide

       'mac-address-table static' though not a access control mechanism like port security, it can affect forwarding decision because of enteries made in the mac-address table.

        the question requires that the mac address be seen only on one particular port and no where else. with port security we would have ensured that the mac has access to a the mentioned port (fa0/22) in a particular VLAN. The MAC could theoretically show up on another port in another VLAN depending on the configs there. However if we use the mac-address-table static command we make a static entry for the MAC address and the respective port and vlan, and this MAC can not be learned from any other port.

    Note: this is my attempt to make sense out of the answer and what i read in the docs. Probably in the end i might sound like

    "its spherical, its almost the same size, its edible, it grows on trees so orange == apple :) "


Sign In or Register to comment.