Mailing List Archive

How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
Fri, Aug 15, 2003 at 06:08:02PM +0200, Nipper, Arnold:
> John,
>
> thanks for the help. Actually I guess the patch provided by Anchi did the
> trick. No complaints since. While we are at it ... We are running port
> security on the CatOS switches and the actual MAC entries are stored in the
> config files. As MACs are changing frequently we get a lot of mails with
> just the MAC entries having changed. I would like to suppress changes for
>
> - set port security 4/48 x-x-x-x-x-x
> set port security 4/48 y-y-y-y-y-y
> + set port security 4/48 z-z-z-z-z-z
>
> Is there a simple trick to do so?

I have never used this stuff. If it learns these MACs completely dynamically,
then cat5rancid should filter them. from the docs, it seems that it is also
possible to configure static MACs, which we should not filter. what is the
difference between the config syntax?
How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
On Saturday, August 23, 2003 1:57 AM, john heasley <heas at shrubbery.net> wrote:
> Fri, Aug 15, 2003 at 06:08:02PM +0200, Nipper, Arnold:
>> John,
>>
>> thanks for the help. Actually I guess the patch provided by Anchi did the
>> trick. No complaints since. While we are at it ... We are running port
>> security on the CatOS switches and the actual MAC entries are stored in the
>> config files. As MACs are changing frequently we get a lot of mails with
>> just the MAC entries having changed. I would like to suppress changes for
>>
>> - set port security 4/48 x-x-x-x-x-x
>> set port security 4/48 y-y-y-y-y-y
>> + set port security 4/48 z-z-z-z-z-z
>>
>> Is there a simple trick to do so?
>
> I have never used this stuff. If it learns these MACs completely dynamically,
> then cat5rancid should filter them. from the docs, it seems that it is also
> possible to configure static MACs, which we should not filter. what is the
> difference between the config syntax?

Actually configuration is done via

set port security 3/1 enable age 10 maximum 1 shutdown 0 violation restrict

That means: allow 1 MAC address on port 3/1 and forget about it if there is
no traffic for 10 minutes. If you see traffic from another MAC silently
ignore. Hence MACs are learnt dynamically which makes replacements much
easier. Though all MAC addresses currently known on port-security-enabled
ports show up as static entries in the config.


Arnold
How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
Sat, Aug 23, 2003 at 02:10:40AM +0200, Nipper, Arnold:
> >> - set port security 4/48 x-x-x-x-x-x
> >> set port security 4/48 y-y-y-y-y-y
> >> + set port security 4/48 z-z-z-z-z-z
> >>
> >> Is there a simple trick to do so?
> >
> > I have never used this stuff. If it learns these MACs completely dynamically,
> > then cat5rancid should filter them. from the docs, it seems that it is also
> > possible to configure static MACs, which we should not filter. what is the
> > difference between the config syntax?
>
> Actually configuration is done via
>
> set port security 3/1 enable age 10 maximum 1 shutdown 0 violation restrict
>
> That means: allow 1 MAC address on port 3/1 and forget about it if there is
> no traffic for 10 minutes. If you see traffic from another MAC silently
> ignore. Hence MACs are learnt dynamically which makes replacements much
> easier. Though all MAC addresses currently known on port-security-enabled
> ports show up as static entries in the config.

the following should filter them. please let me know if that works.
thanks!

Index: cat5rancid.in
===================================================================
RCS file: /home/rancid/.CVS/rancid/bin/cat5rancid.in,v
retrieving revision 1.29
diff -c -r1.29 cat5rancid.in
*** cat5rancid.in 23 Aug 2003 18:18:10 -0000 1.29
--- cat5rancid.in 23 Aug 2003 18:21:33 -0000
***************
*** 865,870 ****
--- 865,871 ----
next;
}
/fair-queue individual-limit/ && next;
+ /^ set port security \d+\/\d+ \S+-\S+\-/ && next;
# sort ip explicit-paths.
if (/^ip explicit-path name (\S+)/) {
my($key) = $1;
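
Review bot: The pattern on the added line, `/^ set port security \d+\/\d+ \S+-\S+\-/ && next;`, drops every `set port security <mod/port> <MAC>` line, and nothing in it separates dynamically learned addresses from statically configured ones, which the thread says should not be filtered. Per the report earlier in the thread, learned addresses show up as static entries in the config, so a changed static entry would no longer be reported either. Unlike the neighbouring `# sort ip explicit-paths.` block, the new line has no comment; add one stating that port-security MAC entries are suppressed deliberately and that static entries are suppressed with them. Style: the first `-` is unescaped and the second is written `\-`; both match a literal hyphen, so use one form, and consider tightening `\S+-\S+\-` to the hex-pair MAC format so that other `set port security` arguments containing hyphens cannot match.
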
How to suppress CatOS port security changes (was Re: config fetcher problems - cisco 1760)
On Saturday, August 23, 2003 8:25 PM, john heasley <heas at shrubbery.net> wrote:
> the following should filter them. please let me know if that works.
> thanks!
>

Thanks! Works great :-))


Arnold