Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
518
Views
0
Helpful
4
Replies

Port security on 4507S

ilnaiduccna
Level 1
Level 1

‎11-10-2009 04:52 AM - edited ‎03-07-2019 12:32 AM

Hi All

I would like to enable port security on my core switch for security reasons and to avoid unauthorised access.

Can some one please tell me if there is any other pros & cons

What steps should I take to avoid future troubles.

Thanks in advance.... :-)

Regards,

Naidu.

Labels:
0 Helpful
4 Replies 4

Giuseppe Larosa
Hall of Fame
Hall of Fame

‎11-10-2009 05:47 AM

Hello Naidu,

usually port security is deployed at the access layer level.

on core switch you should have only links to other switches or routers.

However, if you have a 48 10/100/1000 linecard with cables plugged in and terminated in closets it can be useful.

One important point:

secure MAC addresses are handled and stored in a separate CAM table usually much smaller then normal CAM.

so if your device has a CAM of 64,000 possible entries the secure CAM can have only few thousands. (3000 in 12.2(46)SG)

a reasonable MAC max per port is 3 to allow PCs to swap their cables/ports.

see

http://www.cisco.com/en/US/docs/switches/lan/catalyst4500/12.2/46sg/configuration/guide/port_sec.html#wp1084817

Hope to help

Giuseppe

0 Helpful

ilnaiduccna
Level 1
Level 1
In response to Giuseppe Larosa

‎11-10-2009 06:03 AM

Hi Giuseppe,

I agree with your comment.

But in my case all important servers directly connected to this core switch only.

First I am configuring port security for some ports say 90 ports and total binding mac address probably 250.

I don't understand what do you mean by "if your device has a CAM of 64,000 possible entries the secure CAM can have only few thousands"

Can you please briefly explain about it..

Thanks in advance.

Regards,

Naidu.

0 Helpful

Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to ilnaiduccna

‎11-10-2009 10:31 AM

Hello Naidu,

I just wanted to warn you about the fact that total number of secure MAC addresses on device is limited to 3,000.

I see that you want to secure servers.

just one note: if your server people has already started to play with VMware and other virtualization this can cause you a lot of work: each time a new virtual machine is built they assign it a MAC address.

for vmware typically OUI are:

000c29

005056

each server can easily use 6-8 mac addresses we see this in our server farms

In any case it can be wise to secure them.

Hope to help

Giuseppe

0 Helpful

ilnaiduccna
Level 1
Level 1
In response to Giuseppe Larosa

‎11-10-2009 10:04 PM

Hi Giuseppe,

Thanks for your response.

Yes, in my environment the server people have VMware servers which are connected to the same coreswitch.

What if we Specifying the Maximum Number of Secure MAC Addresses say for each port 20

set port security 7/7 maximum 20

I think then the port will allow only 20 secure mac's after 20 it will drop as per our settings. Is that right?

Regards,

Naidu.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card