port_security questions

May 12th, 2009

Hi All,

I have a switch 4507 which is connected with 20 floor switches 3560. I have about 600 users. I want to know what's the best solution for implementing port_security with 600 MAC addresses.

Should I configure them on the federator switch or on the floor switches?

Thanks for your help

Giuseppe Larosa Wed, 05/13/2009 - 08:28

Hello Yoyo,

To get tighter control you should configure it on the floor switches' user ports, where it is clear that you don't expect more than 2 MAC addresses per port (two if you use VoIP phones).

Be aware that smaller switches also have smaller CAM tables, and one of the objectives of port security is protection from MAC address flooding attacks.

Floor switch uplinks are likely to carry 30-60 MAC addresses.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1038501

Hope to help

Giuseppe
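
An added example, not part of the original thread or of Cisco's documentation: a small Python audit that checks a floor switch's running-config against the advice in the reply above (port security on user access ports, at most 2 MAC addresses per port, trunk uplinks left alone). The config text, interface names and VLAN ids are constructed for illustration, and `audit_port_security` is a hypothetical helper.

```python
import re

# Constructed floor-switch config; interface names and VLAN ids are assumptions.
SAMPLE_CONFIG = """\
interface FastEthernet0/1
 switchport access vlan 10
 switchport mode access
 switchport voice vlan 110
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface FastEthernet0/2
 switchport mode access
!
interface FastEthernet0/3
 switchport mode access
 switchport port-security
 switchport port-security maximum 50
!
interface GigabitEthernet0/1
 switchport mode trunk
"""

def audit_port_security(config, max_macs=2):
    """Map each access port that misses the per-port MAC limit to a finding."""
    findings = {}
    for block in re.split(r"^(?=interface )", config, flags=re.M):
        lines = [line.strip() for line in block.splitlines()]
        if not lines or not lines[0].startswith("interface "):
            continue
        name = lines[0].split(None, 1)[1]
        if "switchport mode access" not in lines:
            continue  # trunk uplinks legitimately carry many MACs
        if "switchport port-security" not in lines:
            findings[name] = "port-security not enabled"
            continue
        limit = 1  # IOS default when no 'maximum' line is shown
        for line in lines:
            m = re.fullmatch(r"switchport port-security maximum (\d+)", line)
            if m:
                limit = int(m.group(1))
        if limit > max_macs:
            findings[name] = f"maximum {limit} exceeds {max_macs}"
    return findings

if __name__ == "__main__":
    for port, issue in audit_port_security(SAMPLE_CONFIG).items():
        print(f"{port}: {issue}")
```

Run against the saved configuration of each of the 20 floor switches, this lists the user ports that still accept an unlimited or oversized number of MAC addresses.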

Giuseppe Larosa Wed, 05/13/2009 - 12:05

Hello Yoyo,

If you want to allow 600 users to move in the campus and at the same time you want to block unauthorized users, the right tool is 802.1X, which allows network access after an authentication phase.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html

It is a lot of work and you need to set up a RADIUS server, but it should be the right tool.

Hope to help

Giuseppe

yoyo_the_king Wed, 05/13/2009 - 18:07

Hi,

What do you think about VMPS, is it easier?

Knowing that I have a Cisco phone on my network.

Thank you

Giuseppe Larosa Thu, 05/14/2009 - 05:36

Hello Yoyo,

VMPS is very old stuff and I think it works only with CatOS switches.

There are options to support voice VLAN with 802.1X, for example using the guest VLAN concept.

Hope to help

Giuseppe

yoyo_the_king Thu, 05/14/2009 - 09:34

Hi Giuslar,

Do you have an idea about any free RADIUS server which I can configure?

And I have a question because I have never worked with RADIUS.

When I connect a PC, does the authentication pass directly with the MAC address, or is there anything to configure on the PC?

Thanks a lot
