VLAN port-security and VLAN routing

jimdawire
Member
Posts: 2
Joined: 28 Oct 2019 22:42

VLAN port-security and VLAN routing

Post by jimdawire » 29 Oct 2019 00:22

Hi all,
I inherited a 6450 stack and am finding odd behavior with VLANs not working as expected.

I have a Gateway router (Unifi USG Pro) and a Unifi Switch plugged into a 6450 port with:

Mobility Disabled with a default VLAN50.

I see the below VLAN rules are set up, but don't quite get how the manual explains how they work.
Q1: Are these stating that ONLY these MACs are allowed?

Code:

VLAN Rules			
Rule Type 	VLAN 	VLAN Description 	MAC Address 
MAC Address Rule	40	mngtn	        xx:xx:xx:xx:xx:xx
MAC Address Rule	50	Corporate 	xx:xx:xx:xx:xx:xx

Q2: Does this port-security only allow the single MAC?

Code:

COR_SW_A --> show port-security
Legend: Mac Address: * = Duplicate Static
        Mac Address: # = Pseudo Static

Port:  4/47
 Operation Mode   :                ENABLED,
 Max MAC bridged  :                      1,
 Trap Threshold   :               DISABLED,
 Max MAC filtered :                      5,
 Low MAC Range    :      00:00:00:00:00:00,
 High MAC Range   :      ff:ff:ff:ff:ff:ff,
 Violation        :               RESTRICT,
 Violating MAC    :                   NULL

 MAC Address        VLAN   TYPE

Q3: I can use the port packet capture feature (from the GUI) to view in Wireshark, is that the best method to see switch behavior?

Q4: Do I have it correct that for multiple VLANs they also need a static IP interface on the switch?
The manual states:
A VLAN is available for routing when at least one router
interface is defined for that VLAN and at least one active port is associated with the VLAN.

silvio
Alcatel Unleashed Certified Guru
Posts: 1381
Joined: 01 Jul 2008 10:51
Location: Germany

Re: VLAN port-security and VLAN routing

Post by silvio » 01 Nov 2019 01:46

Hi,
Q1: no. These VLAN rules are responsible for associating this specific MAC with VLAN 40 or 50 on mobile ports. All incoming packets with another MAC will be allocated to the default VLAN of the port.

Q2: yes. Only one MAC at the same time is allowed.
Q3: I first prefer to use show commands (CLI) to find the reason. For deeper troubleshooting you can use port mirroring/monitoring with Wireshark.
Q4: depends on the design. If the switch is an L2 switch then no IP interface is necessary. But if the switch acts as router/gateway then you need IP interfaces per VLAN for routing between the networks.
regards
Silvio

jimdawire
Member
Posts: 2
Joined: 28 Oct 2019 22:42

Re: VLAN port-security and VLAN routing

Post by jimdawire » 07 Nov 2019 16:33

thanks mate!

Q2: in my example - at the bottom - there is no mac address listed.
Does this still mean only 1 mac at a time?
If so, why would that port allow access to the whole network? (VLANs don't work tho)

thanks!

silvio
Alcatel Unleashed Certified Guru
Posts: 1381
Joined: 01 Jul 2008 10:51
Location: Germany

Re: VLAN port-security and VLAN routing

Post by silvio » 08 Nov 2019 11:00

Hi,
not directly.
this is the important line:
Max MAC bridged : 1
at the bottom you see the actual learned addresses.
regards
Silvio
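
Added example, not part of the thread: a small Python parser for the "show port-security" output quoted in the first post, separating the configured limit ("Max MAC bridged") from the addresses actually learned at the bottom. The learned-address row in the sample is constructed (the thread shows an empty table), so its column layout and TYPE value are assumptions, as are the function names.

```python
import re

# Port block copied from the first post. The last row is CONSTRUCTED: the
# thread shows an empty table, so the row layout and TYPE value are assumed.
SAMPLE = """\
Port:  4/47
 Operation Mode   :                ENABLED,
 Max MAC bridged  :                      1,
 Trap Threshold   :               DISABLED,
 Max MAC filtered :                      5,
 Low MAC Range    :      00:00:00:00:00:00,
 High MAC Range   :      ff:ff:ff:ff:ff:ff,
 Violation        :               RESTRICT,
 Violating MAC    :                   NULL

 MAC Address        VLAN   TYPE
 00:11:22:33:44:55    50   DYNAMIC
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(\S+?),?\s*$")
MAC_ROW = re.compile(r"^\s*((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+(\d+)\s+(\S+)", re.I)

def parse_port_security(text):
    """Return {port: {"fields": {...}, "learned": [(mac, vlan, type), ...]}}."""
    ports, cur = {}, None
    for line in text.splitlines():
        row = MAC_ROW.match(line)
        if row and cur is not None:   # a learned-address row under the table header
            cur["learned"].append((row.group(1).lower(), int(row.group(2)), row.group(3)))
            continue
        m = FIELD.match(line)
        if not m:                     # legend, blank line or table header
            continue
        key, val = m.groups()
        if key == "Port":
            cur = ports.setdefault(val, {"fields": {}, "learned": []})
        elif cur is not None:
            cur["fields"][key] = val
    return ports

def summarize(port, info):
    """Compare the configured limit with what the port has learned so far."""
    f, learned = info["fields"], len(info["learned"])
    limit = int(f["Max MAC bridged"])
    full = (f["Low MAC Range"].lower(), f["High MAC Range"].lower()) == (
        "00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff")
    return {"port": port, "enabled": f["Operation Mode"] == "ENABLED",
            "max_bridged": limit, "range_is_full": full,
            "learned": learned, "at_limit": learned >= limit}
```

Run against the output exactly as posted (empty table), it reports zero learned addresses against a limit of one, which is the distinction made in the last reply.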
