
switch port security

how to bind a host mac address to a specific switch port

6 Replies

Jon Marshall
Hall of Fame

Hi

You need to look at port security on your switch. You don't say what type of switch and whether it is running CatOS or IOS.

Assuming it is IOS, attached is the config guide for port security on a 3560 switch. The commands will be similar for most IOS switches.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_25_see/configuration/guide/swtrafc.html#wp1038501

HTH

Jon

Hi jon,

Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1).

From the document I am able to understand that we can configure switch port security with the provided commands.

switchport port-security mac-address 1000.2000.3000

or

switchport port-security mac-address sticky

Now my concern is I have more than 100 switches at almost 10 locations, i.e. almost 1000 switches... now I need to configure port security on all these switches in such a way that the MAC address of the host connected to a switch port is bound to that port. Configuring this on 1000 switches is not an easy job... I don't have CiscoWorks or any other NMS to even configure it through SNMP... can you suggest any workaround for this?

1. Need to first collect the MAC address of all the hosts

2. Then map that MAC address to that specific port

What would you suggest I do for the above two for almost 1000 2960 switches?
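As an added example (not from this thread or any Cisco tool), a Python script for the two steps above: parse `show mac address-table` output collected from each switch into a port-to-MAC map, then emit the static port-security lines per port. The sample table is constructed, the interface names are invented, and ports with more learned addresses than a threshold are left out as probable uplinks for manual review.

```python
import re
from collections import defaultdict

# Constructed sample of "show mac address-table dynamic" output from a 2960 (not real data)
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    1000.2000.3000    DYNAMIC     Fa0/1
  10    0011.2233.4455    DYNAMIC     Fa0/2
 100    aabb.ccdd.eeff    DYNAMIC     Fa0/2
  10    0001.0002.0003    DYNAMIC     Gi0/1
  10    0001.0002.0004    DYNAMIC     Gi0/1
  10    0001.0002.0005    DYNAMIC     Gi0/1
  10    0001.0002.0006    DYNAMIC     Gi0/1
Total Mac Addresses for this criterion: 7
"""

# One table row: numeric VLAN, dotted-hex MAC, type, port. Header, separator and
# "Total ..." lines do not match, nor do CPU entries whose VLAN column is "All".
ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+\S+\s+(\S+)\s*$", re.I)

def parse_mac_table(text):
    """Return {port: [mac, ...]} from 'show mac address-table' output."""
    ports = defaultdict(list)
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            ports[m.group(2)].append(m.group(1).lower())
    return dict(ports)

def build_port_security_config(ports, max_hosts=3, uplink_threshold=3):
    """Emit IOS config binding each seen MAC to its port; returns (config, skipped_ports)."""
    lines, skipped = [], []
    for port in sorted(ports):
        macs = ports[port]
        if len(macs) > uplink_threshold:
            skipped.append(port)  # many hosts behind it: likely a trunk/uplink, check by hand
            continue
        lines.append(f"interface {port}")
        lines.append(" switchport mode access")  # port security is rejected on dynamic-mode ports
        lines.append(" switchport port-security")
        lines.append(f" switchport port-security maximum {max_hosts}")
        # restrict drops and logs instead of err-disabling; move to shutdown once the rollout is stable
        lines.append(" switchport port-security violation restrict")
        for mac in macs:
            lines.append(f" switchport port-security mac-address {mac}")
    return "\n".join(lines), skipped
```

Run the generated block per switch in a phased rollout, and review the skipped ports before touching them.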

It all depends on how secure you need it to be. If you are happy with only allowing one MAC address on the port at any one time then you can apply a switch-wide config that will achieve that with port security without having to know everybody's MAC address.

If your security requirements are greater than this you may want to look into 802.1x authentication with an AAA server, which would allow you to allocate users to VLANs based on their identity, and then you can give different access rights to the VLAN.

Jon

In that case, you shouldn't be bothered about finding the MAC addresses. Use the sticky option. With this you make the port bind the MAC of the first machine that is connected after the port security is applied. Remember to allow 2 MAC addresses on ports where VoIP phones are connected.

Other than that, I don't see any workaround to configure ports in bulk if you don't have such a tool. It may take time manually, but that's one-time work. Do schedule the changes in phases, so that in case of a problem it's limited to specific switches & you have breathing time to troubleshoot. Also based on the experience of the 1st phase, you may further.

Hi

I have planned to do this:

1. Enable switch port security on the switch ports and allow 3 MAC addresses

2. Statically add the MAC address of the PC & VoIP phone through the switch port security mac-address command

So now two MAC addresses are added statically and the third MAC will be learned dynamically.

Can we use the aging time only for the dynamically learned MAC addresses?