Re: Port security, multiple MACS on multiple ports
Port security, multiple MACS on multiple ports
I have a switch that is in a relatively public place that 5 users must access. Using port security, I would like to configure 5 ports that any of the 5 users can access, but with a static (not learned) table. In other words, I want to enter the same 5 MAC addresses on 5 ports. However, when I try to enter the MACs on the second port, the attempt fails with a line of "Couldn't add MAC address" on the command line. I get a similar message with the GUI, but I can't remember the exact wording. The result is it fails. Should I be able to do this, and where am I going wrong, if so?
Re: Port security, multiple MACS on multiple ports
Hi @rcommchas
I just tested in the lab and I get the same error. I will investigate and raise to the appropriate team, internally. This is not the correct behaviour!
In the meantime, you can make an ACL to accomplish the same thing. Below is how you do it, from the CLI.
- Replace the mac addresses with the real mac addresses that you want to allow, of course 🙂
- I have bound the ACL on 5 ports here, port 1-5. You need to adjust to whatever ports you use.
- What this ACL will do is block all traffic on those ports, unless the traffic comes from a mac address in the list.
- The mac mask of 00:00:00:00:00:00 you must use for each entry. It means only this mac addr.
(M5300-52G) >enable
(M5300-52G) #configure
(M5300-52G) (Config)#mac access-list extended mac-acl
(M5300-52G) (Config-mac-access-list)#permit AA:AA:AA:AA:AA:AA 00:00:00:00:00:00 any
(M5300-52G) (Config-mac-access-list)#permit BB:BB:BB:BB:BB:BB 00:00:00:00:00:00 any
(M5300-52G) (Config-mac-access-list)#permit CC:CC:CC:CC:CC:CC 00:00:00:00:00:00 any
(M5300-52G) (Config-mac-access-list)#permit EE:EE:EE:EE:EE:EE 00:00:00:00:00:00 any
(M5300-52G) (Config-mac-access-list)#permit EF:EF:EF:EF:EF:EF 00:00:00:00:00:00 any
(M5300-52G) (Config-mac-access-list)#exit
(M5300-52G) (Config)#interface 1/0/1-1/0/5
(M5300-52G) (Interface 1/0/1-1/0/5)#mac access-group mac-acl in 1
(M5300-52G) (Interface 1/0/1-1/0/5)#end
Cheers
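An added example, not part of the original reply and not Netgear code: a small Python helper that validates an allow-list, renders the same command sequence shown above, and models how the list is evaluated inbound. The function names (`render_acl`, `permitted`) are hypothetical, the addresses are constructed placeholders, and the reading of the mask as wildcard-style (1 bits ignored) is an assumption that agrees with the statement above that an all-zero mask means "only this mac addr".

```python
import re

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
EXACT_MASK = "00:00:00:00:00:00"  # mask from the post: match this MAC only


def mac_to_int(mac):
    """Validate a colon-separated MAC and return it as a 48-bit integer."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(mac.replace(":", ""), 16)


def render_acl(name, macs, ports):
    """Build the command sequence from the post for the given MACs and port range."""
    seen = set()
    lines = ["configure", f"mac access-list extended {name}"]
    for mac in macs:
        key = mac_to_int(mac)  # raises on a malformed entry before anything is emitted
        if key in seen:
            raise ValueError(f"duplicate entry: {mac}")
        seen.add(key)
        lines.append(f"permit {mac.upper()} {EXACT_MASK} any")
    lines += ["exit", f"interface {ports}", f"mac access-group {name} in 1", "end"]
    return lines


def permitted(src_mac, rules):
    """Model of inbound evaluation: any matching permit passes, otherwise drop.

    Assumption: mask bits set to 1 are ignored (wildcard style), which agrees
    with the post's statement that an all-zero mask means "only this MAC".
    """
    src = mac_to_int(src_mac)
    for mac, mask in rules:
        care = ~mac_to_int(mask) & 0xFFFFFFFFFFFF  # bits that must match
        if (src & care) == (mac_to_int(mac) & care):
            return True
    return False  # nothing matched: the frame is blocked, as the post describes


# Constructed placeholder addresses, same style as in the post.
ALLOWED = ["AA:AA:AA:AA:AA:AA", "BB:BB:BB:BB:BB:BB"]
RULES = [(m, EXACT_MASK) for m in ALLOWED]

if __name__ == "__main__":
    print("\n".join(render_acl("mac-acl", ALLOWED, "1/0/1-1/0/5")))
    print(permitted("aa:aa:aa:aa:aa:aa", RULES), permitted("AA:AA:AA:AA:AA:AB", RULES))
```

The filter matches on the source address a frame carries, so it restricts which addresses may use the ports rather than authenticating the device behind them.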
Re: Port security, multiple MACS on multiple ports
Thank you for the information, and elevation of the issue. The MAC ACL is the approach we have taken for the time being.
Re: Port security, multiple MACS on multiple ports
No problem at all.
I will keep you posted, probably via a PM. Thanks