12-19-2007 04:38 AM - edited 03-05-2019 08:04 PM
How to bind a host MAC address to a specific switch port
12-19-2007 04:46 AM
Hi
You need to look at port security on your switch. You don't say what type of switch and whether it is running CatOS or IOS.
Assuming it is IOS, attached is the config guide for port security on a 3560 switch. The commands will be similar for most IOS switches.
HTH
Jon
12-19-2007 04:59 AM
Hi Jon,
Cisco IOS Software, C2960 Software (C2960-LANBASE-M), Version 12.2(25)SEE2, RELEASE SOFTWARE (fc1).
From the document I am able to understand that we can configure switch port security with the provided commands.
switchport port-security mac-address 1000.2000.3000
or
switchport port-security mac-address sticky
Now my concern is that I have more than 100 switches at almost 10 locations, i.e. almost 1000 switches... Now I need to configure port security on all these switches in such a way that the MAC address of the host connected to a switch port is bound to that port. Configuring this on 1000 switches is not an easy job... I don't have CiscoWorks or any other NMS to even configure through SNMP... Can you suggest any workaround for this?
1. Need to first collect the MAC addresses of all the hosts
2. Then map that MAC address to that specific port
What would you suggest I do for the above two for almost 1000 2960 switches?
12-19-2007 05:09 AM
It all depends on how secure you need it to be. If you are happy with only allowing one mac-address on the port at any one time then you can apply a switch wide config that will achieve that with port security without having to know everybody's mac-address.
If your security requirements are greater than this you may want to look into 802.1x authentication with an AAA server, which would allow you to allocate users to VLANs based on their identity, and then you can give different access rights to the VLAN.
Jon
12-19-2007 05:14 AM
In that case, you shouldn't be bothered about finding the MAC addresses. Use the sticky option. With this you make the port bind the MAC of the 1st machine that is connected after the port security is applied. Remember to allow 2 MAC addresses on ports where VoIP phones are connected.
Other than that, I don't see any workaround to configure ports in bulk if you don't have such a tool. It may take time manually, but that's one-time work. Do schedule the changes in phases, so that in case of a problem it's limited to specific switches & you have breathing time to troubleshoot. Also based on the experience of 1st phase, you may further.
12-19-2007 11:07 PM
Hi
I have planned to do this:
1. Enable switch port security on the switch ports and allow 3 MAC addresses
2. Statically add the MAC addresses of the PC & VoIP phone through the switchport port-security mac-address command
So now two MAC addresses are added statically and the third MAC will be learned dynamically.
Can we use the aging time only for the dynamically learned MAC addresses?
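An added example, not written by any poster in this thread: one way to script the two steps from the question (collect the MACs, map them to ports) and emit the plan above (maximum 3, PC and phone static) without an NMS. The function names, the 10-minute aging value and the sample output are constructed for illustration, and it assumes the MACs currently learned on a port are the legitimate ones.

```python
import re
from collections import defaultdict

# Constructed `show mac address-table` output (not captured from a real switch).
SAMPLE = """\
Vlan    Mac Address       Type        Ports
 All    0100.0ccc.cccc    STATIC      CPU
  10    0011.2233.4455    DYNAMIC     Fa0/1
  10    0011.2233.4466    DYNAMIC     Fa0/1
  20    0011.2233.4466    DYNAMIC     Fa0/1
  10    0011.2233.4477    DYNAMIC     Fa0/2
  10    00aa.bbcc.dd01    DYNAMIC     Gi0/1
  10    00aa.bbcc.dd02    DYNAMIC     Gi0/1
  20    00aa.bbcc.dd03    DYNAMIC     Gi0/1
"""

ROW = re.compile(r"^\s*\d+\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+DYNAMIC\s+(\S+)\s*$", re.I)

def learned_macs(show_output):
    """Step 1: map each port to the MACs the switch has learned on it."""
    ports = defaultdict(list)
    for line in show_output.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header or CPU/static row
        mac, port = m.group(1).lower(), m.group(2)
        if mac not in ports[port]:  # one MAC can show up in two VLANs
            ports[port].append(mac)
    return dict(ports)

def port_security_config(ports, maximum=3, max_static=2, aging_minutes=10):
    """Step 2: emit per-port config; ports with too many MACs are skipped."""
    config, skipped = [], []
    for port, macs in sorted(ports.items()):
        if len(macs) > max_static:  # likely an uplink or hub: review by hand
            skipped.append(port)
            continue
        config += [f"interface {port}",
                   " switchport mode access",
                   " switchport port-security",
                   f" switchport port-security maximum {maximum}"]
        config += [f" switchport port-security mac-address {m}" for m in macs]
        # Without "aging static", aging applies to dynamically learned entries only.
        config.append(f" switchport port-security aging time {aging_minutes}")
    return config, skipped

if __name__ == "__main__":
    cfg, skipped = port_security_config(learned_macs(SAMPLE))
    print("\n".join(cfg + ["! review by hand: " + ", ".join(skipped)]))
```

Run it against output gathered from one switch per phase and review the skipped ports before pasting anything, in line with the phased rollout suggested above.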