Switch Security

Unanswered Question
Jan 3rd, 2008


I'm trying to tie each interface down to one MAC address. The problem is that our desktop team keeps going out to sites and plugging in their laptops, and the interface shuts down. Is there any way to manually type in their laptops' MACs and tell the switch to allow any of these addresses?

Any help is appreciated

brianwhelton Thu, 01/03/2008 - 02:14

Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 3
(the maximum defaults to 1 and the switch rejects a static address beyond it, so set it to the number of laptops you are about to add)
Switch(config-if)# switchport port-security mac-address MAC-ADDRESS-OF-LAPTOP
(copy the command and add a different address for each laptop)
Switch(config-if)# no shutdown

You could also set the switch to automatically re-enable after a security violation, such as exceeding the port-security MAC address maximum. You can set it to recover after a number of seconds, 10 minutes or even a day. You may wish to do that in case another user puts a device whose MAC address has not yet been recorded onto the port.

jhalliwell Thu, 01/03/2008 - 05:45

The only problem with that is that every interface throughout the network (and there are hundreds) will have about 10 MAC addresses, and the configs will be huge. What I want is to be able to do a sticky MAC command for each interface allowing one address, but to have a rule that lets all desktop PCs connect to any port. A sort of "bar all MACs apart from the one sticky-learnt and any of the desktop team's".

farkascsgy Thu, 01/03/2008 - 06:41


I think your friend is the dot1x feature of IOS. You can centrally administer your MAC addresses in a RADIUS server, and only the valid users can use the internet. If the dot1x auth fails they can reach a restricted VLAN; the same for the users who can't use dot1x, they will be placed into a guest network.

Please rate me if I helped.
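What farkascsgy describes, written out as a complete switch configuration. This is an added example, not from the original thread. It assumes a Catalyst switch with IOS 15.x syntax (the `radius server` block and the `authentication ...` interface commands; older 12.2 images use `radius-server host`, `dot1x port-control auto`, `dot1x auth-fail vlan` and `dot1x guest-vlan` instead), a RADIUS server at 192.0.2.10 with a placeholder shared secret, and VLANs 10, 911 and 912 for production, auth-fail and guest. Administering MAC addresses centrally in RADIUS, as opposed to user credentials, is done on IOS with MAC Authentication Bypass (`mab`), which sends the client's MAC address to RADIUS as both username and password when no 802.1X supplicant answers; it is configured here as the fallback after dot1x.

```cisco
! Added example, not from the thread. Assumed: IOS 15.x syntax, RADIUS
! server 192.0.2.10 (documentation prefix) with a placeholder secret,
! VLAN 10 production, 911 auth-fail, 912 guest.
aaa new-model
aaa authentication dot1x default group radius
! Needed if RADIUS is to push a VLAN or ACL back to the port
aaa authorization network default group radius
dot1x system-auth-control
!
radius server CAMPUS-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 ! Port stays unauthorized until RADIUS says otherwise
 authentication port-control auto
 authentication host-mode single-host
 ! Try 802.1X first, then fall back to a MAC lookup in RADIUS (MAB)
 authentication order dot1x mab
 authentication priority dot1x mab
 ! 802.1X rejected by RADIUS: restricted VLAN
 authentication event fail action authorize vlan 911
 ! No supplicant and no MAB match: guest VLAN
 authentication event no-response action authorize vlan 912
 dot1x pae authenticator
 mab
 spanning-tree portfast
```

Check the result per port with `show authentication sessions interface GigabitEthernet1/0/1` (method used, authorization state, assigned VLAN) and test the RADIUS path with `test aaa group radius <user> <password> new-code` before rolling the interface template out. For the MAB path, every allowed MAC is an entry on the RADIUS server, so the desktop team's laptops are added once centrally instead of on hundreds of interfaces.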

johnd2310 Sat, 01/05/2008 - 00:49


Configure port-security aging with an inactivity time of, say, 2 minutes. The support guys will have to wait 2 minutes before connecting the laptops.



ChrisMcGill Tue, 01/08/2008 - 09:16


switchport mode access

switchport port-security

switchport port-security maximum 1

This on its own will only allow one MAC address per port, any MAC address that is. So when the desktop is unplugged and the laptop plugged in, no problem, but it will still stop CAM flooding, DHCP starvation attacks, and the introduction of switches and hubs.

You don't need to do sticky unless you only want specific MACs appearing on specific ports.
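The three port-security approaches in this thread (brianwhelton's static list with errdisable recovery, johnd2310's inactivity aging, and ChrisMcGill's maximum-only port) pulled together into one complete configuration. This is an added example, not from the original thread. Interface names, VLAN 10, the MAC addresses and the 600-second recovery interval are placeholders chosen for illustration. Two IOS details worth knowing: `switchport port-security maximum` defaults to 1 and the switch refuses a static address that would exceed it, so raise it before adding the second address; and inactivity aging applies to dynamically learned addresses, not sticky ones, so the aging port below learns its address dynamically.

```cisco
! Added example, not from the thread. Assumed: Catalyst IOS, VLAN 10,
! placeholder interface names and MAC addresses.
!
! Global: a port shut down by a violation recovers on its own
! (brianwhelton's suggestion). Interval range is 30-86400 seconds.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
!
! Port pinned to a fixed list of laptops (brianwhelton's recipe).
! Raise maximum first: it defaults to 1 and a static address beyond it
! is rejected.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 3
 switchport port-security mac-address 0011.2233.4455
 switchport port-security mac-address 0011.2233.4456
 switchport port-security mac-address 0011.2233.4457
 ! restrict: drop offending frames, log and count them, port stays up
 switchport port-security violation restrict
 spanning-tree portfast
!
! One address of any value, forgotten after 2 idle minutes (johnd2310's
! suggestion). Aging time is in minutes and applies to dynamically learned
! addresses, so no sticky on this port.
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security aging time 2
 switchport port-security aging type inactivity
 switchport port-security violation restrict
 spanning-tree portfast
!
! One address of any value, remembered in the running config (sticky) and
! err-disabled on violation (ChrisMcGill's maximum-only port plus sticky).
interface GigabitEthernet1/0/3
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
 spanning-tree portfast
```

Verify with `show port-security interface GigabitEthernet1/0/2` (violation mode, aging settings, current and maximum address counts) and `show port-security address` (which addresses are secured on which ports and how they were learned). Sticky addresses are written into the running configuration as they are learned and survive a reload only after `copy running-config startup-config`. `show errdisable recovery` confirms that psecure-violation recovery is enabled and shows ports currently waiting to recover.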