port_security questions

yoyo_the_king
Level 1

Hi All,

I have a 4507 switch which is connected to 20 floor 3560 switches. I have about 600 users. I want to know what's the best solution for implementing port_security with 600 MAC addresses.

Do I configure them on the federator switch or on the floor switches?

Thanks for your help

6 Replies

Giuseppe Larosa
Hall of Fame

Hello Yoyo,

To get tighter control you should configure it on the floor switches' user ports, where it is clear that you don't expect more than 2 MAC addresses per port (two if you use VoIP phones).

Be aware that smaller switches also have smaller CAM tables, and one of the objectives of port security is protection from MAC address flooding attacks.

Floor switch uplinks are likely to carry 30-60 MAC addresses.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_46_se/configuration/guide/swtrafc.html#wp1038501

Hope to help

Giuseppe
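Added example, not part of the reply above and not taken from the linked guide: a port-security configuration for the user ports of one floor switch (3560), limiting each port to two MAC addresses as described. The interface names, VLAN IDs, violation mode and aging timer are assumptions chosen for illustration.

```cisco
! Floor switch (Catalyst 3560): user-facing access ports.
! Interface range and VLAN IDs below are constructed placeholders.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 ! Enable port security and allow two addresses (PC + IP phone).
 switchport port-security
 switchport port-security maximum 2
 ! Drop frames from extra addresses and count the violation,
 ! instead of err-disabling the port (the default "shutdown" mode).
 switchport port-security violation restrict
 ! Age out dynamically learned addresses after 5 idle minutes so a
 ! different device can use the port later without manual clearing.
 switchport port-security aging time 5
 switchport port-security aging type inactivity
!
! Uplink to the 4507: left without port security, since it
! legitimately carries the MAC addresses of the whole floor.
interface GigabitEthernet0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
! Verification (exec mode):
!   show port-security
!   show port-security interface FastEthernet0/1
!   show port-security address
```

This limits how many addresses a port learns but does not identify who is connecting.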

Hi,

I want to keep mobility for all 600 users.

So I don't know if I can write 600 MAC addresses on all ports of all floor switches.

Or if there's another solution easier than this one.

Thanks a lot

Hello Yoyo,

If you want to allow 600 users to move in the campus and at the same time you want to block unauthorized users, the right tool is 802.1X, which allows network access after an authentication phase.

See

http://www.cisco.com/en/US/docs/switches/lan/catalyst3560/software/release/12.2_44_se/configuration/guide/sw8021x.html

It is a lot of work and you need to set up a RADIUS server, but it should be the right tool.

Hope to help

Giuseppe

Hi,

What do you think about VMPS, is it easier?

Knowing that I have a Cisco phone on my network.

Thank you

Hello Yoyo,

VMPS is very old stuff and I think it works only with CatOS switches.

There are options to support voice VLAN with 802.1X, for example using the guest VLAN concept.

Hope to help

Giuseppe

Hi Giuslar,

Do you have an idea about any free RADIUS server which I can configure?

And I have a question because I have never worked with RADIUS.

When I connect a PC, does the authentication pass directly with the MAC address, or is there anything to configure on the PC?

Thanks a lot
