prevent end users from attaching their own hubs/switches?

Jun 11th, 2008

Is there a switchport command on a 3750 switch that will allow only 1 mac address so that end users can't plug in their own hubs/switches?


I don't want to maintain a mac table, just allow any mac but only 1 mac.

michael.leblanc Wed, 06/11/2008 - 21:05

Don't have a 3750, but I suspect that if you enable "port-security", the default will likely be to allow only one MAC address.


On a 2950 the syntax would be:

interface FastEthernet0/1
 switchport port-security
 switchport port-security maximum


Although I wouldn't configure the value as "1" as the default is "1" on that platform (2950), and might cause an issue if set.


You might look for that syntax in your CLI, or something like it.



optional:

 switchport port-security violation restrict
 switchport port-security mac-address aaaa.bbbb.cccc


duwayne.greer Thu, 06/12/2008 - 06:14

There are a couple of things that will help you with this issue.


The bpduguard commands, and port-security commands.


BPDUGUARD detects the bridging signals that most switches and hubs use, and will shut down (error-disable) the port when a bpdu is detected.


The command for this on a 3750 is:

interface FastEthernet1/0/1
 spanning-tree bpduguard enable


This command can be offset to auto-enable with the following commands at the config prompt:

errdisable recovery cause bpduguard
errdisable recovery interval 900


The above commands cause the error disabled port to automatically re-enable after a period of 900 seconds (15 minutes).



Port security will limit the number of mac addresses allowed on the port to the number you specify (default of 1). This can cause other issues with people that move around from port to port. Considerable thought needs to be exercised before implementing this capability, as you will be called upon to re-enable the ports by performing a shut/no shut to bring the ports back up.

babatunde_sanda Thu, 06/12/2008 - 06:32

You could use the Sticky command in the port security command. That will register the first mac address on that port. If you do though remember to set the maximum mac it should register and what should happen if in case of a violation. Having said that, combine the error recovery command provided earlier with the switchport security command and maximum mac command. You can even hardcode the ports as access ports only ("Switchport mode access").


interface FastEthernet1/0/1
 switchport mode access
 switchport port-security
 switchport port-security mac-address sticky
 switchport port-security maximum
 spanning-tree bpduguard enable
!
! The errdisable recovery commands are global configuration, entered at the config prompt rather than under the interface:
errdisable recovery cause bpduguard
errdisable recovery interval 900



If you are bold you can use this with the interface range command.


h.parsons Fri, 06/13/2008 - 05:15

This is a typical config we use on our 3750's:

interface FastEthernet1/0/6
 switchport port-security
 switchport port-security aging time 1
 switchport port-security violation restrict
 switchport port-security aging type inactivity

We don't use the sticky command in case someone wants to swap out their PC. The default is one MAC address per port.

