Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
5
Replies

Switch Security

jhalliwell
Level 1
Level 1

‎01-03-2008 12:31 AM - edited ‎03-09-2019 07:45 PM

Hi,

I'm trying to tie each interface down to 1 mac-address. The problem is our desktop team keep going out to site plugging in their laptops and the interface shutsdown. Is there anyway to manually type in their laptop mac's and tell the switch to allow any of these addresses.

Any help is appreciated

Labels:
0 Helpful
5 Replies 5

brianwhelton
Level 1
Level 1

‎01-03-2008 02:14 AM

Swictch#(config-if)switchport mode access

Swictch#(config-if)switchport port-security

maximum (NUMBER-OF-ALLOWED-MAC-ADDRESSES)

Swictch#(config-if)switchport port-security mac-address MAC-ADDRESS-OF_LAPTOP

(copy command and add a different address)

Swictch#(config-if)no shutdown

You could also set the switched to automatically re-enable after a secuirty violation such as port-security mac-address maximum. You can set it to recover after a number of seconds, 10 minutes or even a day. You may wish to do that in case another uses puts a device where the MAC address has not yet been recorded, onto the port.

0 Helpful

jhalliwell
Level 1
Level 1
In response to brianwhelton

‎01-03-2008 05:45 AM

the only problem with that is that every interface throughout the network (which there are 100's) will have abot 10 mac addresses and the configs will be huge. what i want is to be able to do a sticky mac command for each interface allowing 1 address but to have a rule that lets all desktop pc's to connect to any port. A sort of bar all mac's apart from the 1 sticky learnt and any of the desktops team

0 Helpful

farkascsgy
Level 4
Level 4
In response to jhalliwell

‎01-03-2008 06:41 AM

Hello,

I think your friend is the dot1x feature of IOS. You can centraly administer your MAC addresses in a Radius server, and only the valid users can use the internet. If the dot1x auth fail they can reach a restricted VLAN, same for the users who can't use dot1x they will be placed into a guest network.

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.1_19_ea1/configuration/guide/sw8021x.html

bye

FCS

Please rate me if I helped.

0 Helpful

johnd2310
Level 8
Level 8

‎01-05-2008 12:49 AM

hi,

configure port secuity aging with inactivity time of say 2 minutes. The support guys will have to wait 2 minutes before connecting the laptops.

thanks

John

**Please rate posts you find helpful**
0 Helpful

ChrisMcGill
Level 1
Level 1
In response to johnd2310

‎01-08-2008 09:16 AM

Hi,

switchport mode access

switchport port-security

switchport port-security maximum 1

This on its own, will only allow one mac address per port, any mac address that is. So when the desktop is unplugged and the laptop pluged in to problem, but will still stop cam flooding, dhcp starvation attacks, and the introduction of switches and hubs.

You don't need todo sticky unless you only want specific mac appearing on specific ports.

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents