Port security issue on an SF300

Answered Question
Sep 12th, 2013

Hi everybody,


We recently purchased a new SF300; the main goal was to use the port security option as a NAC.

I was expecting to be able to define a list of authorized MAC addresses, but unfortunately it's not the case.

I used port security in "Classic Lock" mode.

Knowing that I can't have all computers connected at the same time (because of displacement), when someone to be authorized is here I'm forced to disable the security so that the switch can learn his MAC address.

The problem is that when I do it, MAC addresses that are already learnt are forgotten if they are disconnected from the LAN, and when someone changes his position in the LAN, he's blocked from accessing the network.


I recall that my goal is to give access to the network based on the MAC address or the domain name (authorize computers that are part of OurDomain.com).

N.B.: In our architecture each room has a small switch, and those switches are connected to the "central one", which is the Cisco SF300.


Thank you.

Tom Watts Thu, 09/12/2013 - 08:42

Hi Endless,

Here are two documents about port security:


https://supportforums.cisco.com/docs/DOC-27753

https://supportforums.cisco.com/docs/DOC-27720


Additionally, you may use Dynamic ARP Inspection if you want to make a global list of IP to MAC; anything not contained within the list gets shut down.



-Tom
Please mark answered for helpful posts

endless-desire Fri, 09/13/2013 - 01:49

Hi Tom,


Thank you for the answer; I'm going to try it and mark it answered if it works for me.


Isn't there any way to give the switch a list of MAC addresses to be authorized on all ports (because we have laptops that change place, e.g. the meeting room) and block anything else?

Correct Answer
Tom Watts Fri, 09/13/2013 - 07:18

Dynamic ARP inspection does this. Bind a MAC to an IP on the trust list, make the client-connecting ports "unsecured" (meaning subject to ARP inspection), then make the interconnect ports "secure" (meaning not subject to ARP inspection).


I will tell you one thing: before messing with DAI, make sure you make an entry for at least the host you're using; otherwise you will hose up that switch.



-Tom
Please mark answered for helpful posts
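
To make Tom's recipe concrete, here is an added example of the matching SF300 CLI configuration (it is not from this thread or from Cisco's documents; the VLAN number, port names, IP addresses and MAC addresses are constructed placeholders, and which port faces the router is an assumption about the poster's layout):

```cisco
! Added example, not from the thread. All IPs, MACs and port names are constructed placeholders.
! 1) Build the static IP-to-MAC binding list. Per Tom's warning, the admin workstation
!    you are managing the switch from goes in FIRST, before DAI is switched on.
ip arp inspection list create office-hosts
 ip 192.0.2.10 mac 00:00:5e:00:53:01
 ip 192.0.2.21 mac 00:00:5e:00:53:02
 ip 192.0.2.22 mac 00:00:5e:00:53:03
exit
! 2) Attach the list to the client VLAN (VLAN 1 assumed).
ip arp inspection list assign 1 office-hosts
! 3) Ports toward the room switches, where client ARP arrives, stay untrusted (the default),
!    so every ARP packet on them is checked against the list. Only the port toward the
!    router/servers is trusted; ARP on a trusted port is never inspected, so trust as few
!    ports as possible.
interface gi1
 ip arp inspection trust
exit
! 4) Enable inspection on the VLAN and globally. This is the step that locks you out if
!    your own host is missing from the list.
ip arp inspection vlan 1
ip arp inspection
! 5) Verify the trusted ports and the bound list.
show ip arp inspection
show ip arp inspection list
```

DAI checks ARP packets only: a host whose sender IP/MAC pair is not in the list has its ARP dropped, so listed hosts must keep the listed addresses (static IPs or DHCP reservations), or they will be cut off just like unknown machines.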

endless-desire Mon, 09/16/2013 - 08:41

Thank you very much, Tom, for your great support. I will try Dynamic ARP Inspection after some training.
