Jon Marshall Wed, 12/19/2007 - 04:46

Hi

You need to look at port security on your switch. You don't say what type of switch and whether it is running CatOS or IOS.

Assuming it is IOS, attached is the config guide for port security on a 3560 switch. The commands will be similar for most IOS switches.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1038501

HTH

Jon

gopinath.krishn... Wed, 12/19/2007 - 04:59

Hi Jon,

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1).

From the document I am able to understand that we can configure switch port security with the provided commands.

switchport port-security mac-address 1000.2000.3000

or

switchport port-security mac-address sticky

Now my concern is that I have more than 100 switches at almost 10 locations, i.e. almost 1000 switches. Now I need to configure port security on all these switches in such a way that the MAC address of the host connected to a switch port is bound to that port. Configuring this on 1000 switches is not an easy job. I don't have CiscoWorks or any other NMS to even configure it through SNMP. Can you suggest any workaround for this?

1. Need to first collect the MAC addresses of all the hosts

2. Then map that MAC address to that specific port

What would you suggest I do for the above two for almost 1000 2960 switches?

Jon Marshall Wed, 12/19/2007 - 05:09

It all depends on how secure you need it to be. If you are happy with only allowing one MAC address on the port at any one time then you can apply a switch-wide config that will achieve that with port security without having to know everybody's MAC address.

If your security requirements are greater than this you may want to look into 802.1x authentication with an AAA server, which would allow you to allocate users to VLANs based on their identity, and then you can give different access rights to the VLAN.

Jon

bvsnarayana03 Wed, 12/19/2007 - 05:14

In that case, you shouldn't be bothered about finding the MAC addresses. Use the sticky option. With this you make the port bind the MAC of the 1st machine that is connected after port security is applied. Remember to allow 2 MAC addresses on ports where VoIP phones are connected.

Other than that, I don't see any workaround to configure ports in bulk if you don't have such a tool. It may take time manually, but that's 1-time work. Do schedule the changes in phases, so that in case of a problem it's limited to specific switches & you have breathing time to troubleshoot. Also, based on the experience of the 1st phase, you may further.

gopinath.krishn... Wed, 12/19/2007 - 23:07

Hi

I have planned to do this:

1. Enable switchport port security on the switch ports and allow 3 MAC addresses

2. Statically add the MAC addresses of the PC & VoIP phone through the switchport port-security mac-address command

So now two MAC addresses are added statically and the third MAC will be learned dynamically.

Can we use the aging time only for the dynamically learned MAC addresses?
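As an added example (not code from the thread), a small Python generator for the per-port configuration described in the plan above: each access port gets a maximum of 3 secure addresses, the known PC and phone MACs bound statically, the remaining slot learned as sticky, and an inactivity aging timer. It deliberately leaves out `switchport port-security aging static`, so the aging timer applies only to dynamically learned secure addresses, which is the IOS default; interface names and MAC addresses below are constructed samples.

```python
"""Generate Catalyst 2960 port-security config for many access ports.

Added example, not from the thread. Interface names and MACs are
constructed samples; the commands are standard IOS port-security commands.
"""
import re

# Cisco dotted-hex MAC format, e.g. 1000.2000.3000
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def port_security_config(interface, static_macs=(), maximum=3, aging_minutes=5):
    """Return the IOS config lines for one access port.

    static_macs: addresses (PC, IP phone) bound statically, as in step 2.
    Slots left over up to `maximum` are learned as sticky addresses.
    No 'aging static' line is emitted, so only dynamically learned
    secure addresses age out; the static entries stay until removed.
    """
    macs = [m.lower() for m in static_macs]
    for m in macs:
        if not MAC_RE.match(m):
            raise ValueError(f"bad MAC format: {m}")
    if len(macs) > maximum:
        raise ValueError("more static MACs than the configured maximum")
    lines = [
        f"interface {interface}",
        " switchport mode access",
        " switchport port-security",
        f" switchport port-security maximum {maximum}",
        " switchport port-security violation restrict",
        f" switchport port-security aging time {aging_minutes}",
        " switchport port-security aging type inactivity",
    ]
    lines += [f" switchport port-security mac-address {m}" for m in macs]
    if len(macs) < maximum:
        lines.append(" switchport port-security mac-address sticky")
    return lines


def switch_config(ports):
    """ports: mapping of interface name -> list of static MACs for that port."""
    out = []
    for intf, macs in ports.items():
        out += port_security_config(intf, macs)
    return out


if __name__ == "__main__":
    # Constructed sample: one port with a PC and a phone, one with no known MAC.
    sample = {"FastEthernet0/1": ["1000.2000.3000", "0011.2233.4455"],
              "FastEthernet0/2": []}
    print("\n".join(switch_config(sample)))
```

Feed it one mapping per switch (from a CAM-table export or a spreadsheet) and paste or script the output into each 2960; the same function serves the sticky-only case by passing an empty MAC list.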
