Mac Move; Mac Replace - Cisco Catalyst 2960-X Security Configuration Manual

Cisco IOS Release 15.0(2)EX
Configuring IEEE 802.1x Port-Based Authentication

• IPv4 ARPs: Hosts receive ARP packets from other subnets. This is a problem if two subnets in different Virtual Routing and Forwarding (VRF) tables with overlapping IP address ranges are active on the port. The host ARP cache may get invalid entries.
• IPv6 control packets: In IPv6 deployments, Router Advertisements (RA) are processed by hosts that are not supposed to receive them. When a host from one VLAN receives an RA from a different VLAN, the host assigns an incorrect IPv6 address to itself. Such a host is unable to get access to the network. The workaround is to enable IPv6 first hop security so that the broadcast ICMPv6 packets are converted to unicast and sent out from multi-auth enabled ports. The packet is replicated for each client on the multi-auth port belonging to the VLAN, and the destination MAC is set to an individual client. On ports having one VLAN, ICMPv6 packets are broadcast normally.
• IP multicast: Multicast traffic destined to a multicast group gets replicated for different VLANs if the hosts on those VLANs join the multicast group. When two hosts in different VLANs join a multicast group (on the same multi-auth port), two copies of each multicast packet are sent out from that port.

MAC Move

When a MAC address is authenticated on one switch port, that address is not allowed on another authentication manager-enabled port of the switch. If the switch detects that same MAC address on another authentication manager-enabled port, the address is not allowed.

There are situations where a MAC address might need to move from one port to another on the same switch. For example, when there is another device (for example a hub or an IP phone) between an authenticated host and a switch port, you might want to disconnect the host from the device and connect it directly to another port on the same switch.

You can globally enable MAC move so the device is reauthenticated on the new port. When a host moves to a second port, the session on the first port is deleted, and the host is reauthenticated on the new port. MAC move is supported on all host modes. (The authenticated host can move to any port on the switch, no matter which host mode is enabled on that port.) When a MAC address moves from one port to another, the switch terminates the authenticated session on the original port and initiates a new authentication sequence on the new port. The MAC move feature applies to both voice and data hosts.

Note: In open authentication mode, a MAC address is immediately moved from the original port to the new port, with no requirement for authorization on the new port.

MAC Replace

The MAC replace feature can be configured to address the violation that occurs when a host attempts to connect to a port where another host was previously authenticated.

Note: This feature does not apply to ports in multi-auth mode, because violations are not triggered in that mode. It does not apply to ports in multiple host mode, because in that mode, only the first host requires authentication.

Catalyst 2960-X Switch Security Configuration Guide, Cisco IOS Release 15.0(2)EX, OL-29048-01
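The MAC move and MAC replace decisions described in the two sections above, written out as a small Python model of the authentication manager's per-port session table. This is an added example, not Cisco's code; port names, host-mode strings and the "authentication always succeeds" shortcut are assumptions made to keep the model self-contained.

```python
"""Model of the MAC move / MAC replace decisions described above (added example)."""
from dataclasses import dataclass, field


@dataclass
class Port:
    host_mode: str                   # "single-host", "multi-host" or "multi-auth" (assumed labels)
    violation_replace: bool = False  # MAC replace enabled on this port
    open_auth: bool = False          # port is in open authentication mode
    sessions: set = field(default_factory=set)  # MACs authenticated on this port


class AuthManager:
    def __init__(self, mac_move: bool = False):
        self.mac_move = mac_move          # MAC move is a global (switch-wide) setting
        self.ports: dict[str, Port] = {}
        self.where: dict[str, str] = {}   # MAC -> port on which it is authenticated

    def _end(self, port: str, mac: str) -> None:
        self.ports[port].sessions.discard(mac)
        self.where.pop(mac, None)

    def _authorize(self, port: str, mac: str) -> None:
        self.ports[port].sessions.add(mac)
        self.where[mac] = port

    def frame(self, port: str, mac: str) -> str:
        """Decide what happens when a frame from `mac` arrives on `port`."""
        p = self.ports[port]
        if mac in p.sessions:
            return "pass"                   # existing session on this port
        old = self.where.get(mac)
        if old is not None:                 # same MAC already authenticated elsewhere
            if not self.mac_move:
                return "deny"               # MAC move disabled: address not allowed
            self._end(old, mac)             # session on the first port is deleted
            if p.open_auth:                 # open mode: moved immediately, no authorization
                self._authorize(port, mac)
                return "moved"
        return self._authenticate(port, mac)  # new authentication sequence on new port

    def _authenticate(self, port: str, mac: str) -> str:
        p = self.ports[port]
        if p.host_mode == "multi-host" and p.sessions:
            return "pass"                   # only the first host authenticates
        if p.host_mode == "single-host" and p.sessions:
            if not p.violation_replace:
                return "violation"          # second MAC on an already-authenticated port
            for old_mac in list(p.sessions):
                self._end(port, old_mac)    # MAC replace: previous host's session dropped
            self._authorize(port, mac)
            return "replaced"
        self._authorize(port, mac)          # multi-auth never raises a violation here
        return "authenticated"              # (assumption: authentication succeeds)
```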