cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5683
Views
3
Helpful
4
Replies

Best port-security mac-address option

cooperben
Level 1
Level 1

We have 3750G stacks that were recently configured with port-security mac-address sticky on all access ports.  A good question was raised about whether this is the best or not for our needs, seeing as half of our users use laptops/docking stations.  We need these users to have mobility around the office, e.g. undocking their laptop and bringing it to the conference room to use for a presentation.  I've read the manual about how to configure these things, but am not sure what the best strategy/practice is.

So, to allow this mobilty but still use port-security, is using the sticky command a good idea?  Or would that be best served for static things like desktops and printers, etc?  Is there a global command that can be issued to allow secure MAC addresses to move between ports on the stack?  If sticky isn't the thing to use, what is?  Maybe just a simple config on each laptop port such as:

switchport mode access

switchport port-security

switchport port-security maximum 2

switchport port-security violation restrict

switchport port-security aging type inactivity

switchport port-security aging time 60

Thanks in advance.

4 Replies 4

Ganesh Hariharan
VIP Alumni
VIP Alumni

We have 3750G stacks that were recently configured with port-security mac-address sticky on all access ports.  A good question was raised about whether this is the best or not for our needs, seeing as half of our users use laptops/docking stations.  We need these users to have mobility around the office, e.g. undocking their laptop and bringing it to the conference room to use for a presentation.  I've read the manual about how to configure these things, but am not sure what the best strategy/practice is.

So, to allow this mobilty but still use port-security, is using the sticky command a good idea?  Or would that be best served for static things like desktops and printers, etc?  Is there a global command that can be issued to allow secure MAC addresses to move between ports on the stack?  If sticky isn't the thing to use, what is?  Maybe just a simple config on each laptop port such as:

switchport mode access

switchport port-security

switchport port-security maximum 2

switchport port-security violation restrict

switchport port-security aging type inactivity

switchport port-security aging time 60

Hi,

Normal recommendation to  turn on port security and set the maximum MAC addresses to 1 (the default) or 2 (if there is an IP phone connected).  The default behavior is to disable the port when the MAC changes or if the number of concurrent MAC’s exceeds the maximum.

switchport port-security mac-address sticky – turns on the sticky MAC feature

After enabling, you will notice the currently connected MAC address(es) will appear in the running config: This will stay in the config until the switch is rebooted, so it’s important to write the config.

When you use sticky MAC addresses you'll want to make sure that the MAC addresses are cleared off of a switch when a device is moved. Just for example situation can happen like this if stick mac is enabled,laptop that was moved from one client location to another and one of the distribution switches was thinking the device was plugged into the old switch and the other distribution switch thought it was plugged to the new switch.  This created a situation where some network traffic was reaching the laptop and some was going into a black hole.  After clearing the the sticky MAC addresses on the old switch the problem was resolved.

Hope to help !!

Remember to rate the helpful post

Ganesh.H

Thank you.  It appears that dynamic MAC-security is what;s best for all devices that need to be mobile.  We've gone ahead with these changes.  As for printers, desktops, and other stationary devices, we have enabled sticky on those ports.

Ganesh

I like your explanation that " one of the distribution switches was thinking the device was plugged into the old switch and the other distribution switch thought it was plugged to the new switch."

I was wondering if having a port-security aging time that was too long might result in a similar experience. We have deployed C4510R+E switches in our IDF's with an aging time of 1400 on each port. I have noticed that occasionally when a device, say a phone or a laptop, is moved to a new location it fails to grab an IP address. The phone may even fail to get POE. I discoverd that if I clear the mac-address table on the original port it clears up the issue. I would like to suggest to our network team a shorter aging time but before I do that based soley on my observations I'd like to know your thoughts on the matter.

Thanks

George

Elton Babcock
Level 1
Level 1

Another possibility is utilizing 802.1x on your switch ports.

Obviously this does require some back end servers for RADIUS or LDAP queries but it can be another way that you can ensure only devices you want on your network go on your network.

Elton

Sent from Cisco Technical Support iPhone App

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: