2329 Views, 5 Helpful, 4 Replies

Port security issue on an SF300

endless-desire
Level 1

Hi everybody,

We recently purchased a new SF300, the main goal was using the port security option as a NAC.

I was expecting to be able to define a list of authorized MAC addresses, but unfortunately it's not the case.

I used port security on "Classic Lock".

Knowing that I can't have all computers connected at the same time (because of displacement), when someone to be authorized is here I'm forced to disable the security so that the switch can learn his MAC address.

The problem is that when I do it, MAC addresses that are already learnt are forgotten if they are disconnected from the LAN, and when someone changes his position in the LAN, he's blocked from accessing the network.

I recall that my goal is to give access to the network based on the MAC address or the domain name (authorize computers that are part of OurDomain.com).

N.B.: In our architecture each room has a small switch, and those switches are connected to the "central one", which is the Cisco SF300.

Thank you.


4 Replies

Tom Watts
VIP Alumni

Hi Endless,

Here are 2 documents about port security

https://supportforums.cisco.com/docs/DOC-27753

https://supportforums.cisco.com/docs/DOC-27720

Additionally, you may use Dynamic ARP Inspection if you want to make a global list of IP-to-MAC bindings, and anything not contained within the list gets shut down.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/

Hi Tom

Thank you for the answer, I'm going to try it and mark it answered if this works for me.

Isn't there any way to give the switch a list of MAC addresses to be authorized on all ports, because we have laptops that change place (e.g. meeting room), and block anything else?

Dynamic ARP Inspection does this. Bind a MAC to an IP on the trust list, make the client-connecting ports "unsecured" (meaning subject to the ARP inspection), then make the interconnect ports "secure" (meaning not subject to ARP inspection).

I will tell you one thing: before messing with DAI, make sure you make an entry for at least the host you're using; otherwise you will hose up that switch.

-Tom
Please mark answered for helpful posts
http://blogs.cisco.com/smallbusiness/
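The reply above describes Dynamic ARP Inspection as a global IP-to-MAC binding list applied on untrusted client ports and skipped on trusted interconnect ports, plus the warning that enabling it without an entry for your own admin host locks you out. The following is an added illustration of that logic written for this thread; it is a plain-Python model, not SF300 configuration or Cisco code, and every port name, address and MAC in it is a constructed sample value. It also shows why a laptop bound on the list can move between inspected ports (the original poster's roaming case) without being re-learned.

```python
"""Toy model of Dynamic ARP Inspection (DAI) as described in the thread:
a global (IP, MAC) binding list, untrusted ports that are inspected and
trusted ports that are not.  Added example; not switch code.  All sample
values below are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

Binding = Tuple[str, str]  # (ip, mac) as one entry on the DAI list


@dataclass
class DaiModel:
    bindings: Set[Binding] = field(default_factory=set)
    trusted_ports: Set[str] = field(default_factory=set)
    enabled: bool = False

    def add_binding(self, ip: str, mac: str) -> None:
        """Record one authorized IP-to-MAC pair (MAC compared case-insensitively)."""
        self.bindings.add((ip, mac.lower()))

    def trust(self, port: str) -> None:
        """Mark an interconnect port as 'secure': ARP on it is not inspected."""
        self.trusted_ports.add(port)

    def enable(self, admin_ip: str, admin_mac: str) -> None:
        """Pre-flight check mirroring the reply's warning: refuse to turn on
        inspection unless the host you manage the switch from is bound."""
        if (admin_ip, admin_mac.lower()) not in self.bindings:
            raise ValueError(
                "admin host is not on the binding list; enabling DAI now would lock you out"
            )
        self.enabled = True

    def inspect_arp(self, port: str, sender_ip: str, sender_mac: str) -> str:
        """Decide the fate of an ARP packet arriving on `port`: 'forward' or 'drop'."""
        if not self.enabled or port in self.trusted_ports:
            return "forward"  # trusted uplinks and disabled DAI pass everything
        if (sender_ip, sender_mac.lower()) in self.bindings:
            return "forward"  # sender matches an authorized binding
        return "drop"  # unknown host or known IP with a different MAC


def run_demo() -> Dict[str, str]:
    """Build a small topology with constructed values and return each verdict."""
    dai = DaiModel()
    dai.add_binding("192.0.2.10", "00:11:22:33:44:55")  # admin workstation
    dai.add_binding("192.0.2.20", "00:11:22:33:44:66")  # roaming laptop
    dai.trust("gi24")  # uplink to a room switch: 'secure', not inspected
    dai.enable("192.0.2.10", "00:11:22:33:44:55")
    return {
        "laptop_on_gi1": dai.inspect_arp("gi1", "192.0.2.20", "00:11:22:33:44:66"),
        "laptop_moved_to_gi2": dai.inspect_arp("gi2", "192.0.2.20", "00:11:22:33:44:66"),
        "unknown_host_on_gi3": dai.inspect_arp("gi3", "192.0.2.99", "de:ad:be:ef:00:01"),
        "known_ip_wrong_mac": dai.inspect_arp("gi3", "192.0.2.20", "de:ad:be:ef:00:01"),
        "anything_on_trusted_uplink": dai.inspect_arp("gi24", "192.0.2.99", "de:ad:be:ef:00:01"),
    }


def lockout_check_blocks_enable() -> bool:
    """True if enabling DAI without the admin host bound is refused."""
    dai = DaiModel()
    try:
        dai.enable("192.0.2.10", "00:11:22:33:44:55")
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
    print("lockout guard works:", lockout_check_blocks_enable())
```

Two design points worth noting: a trusted ("secure") port forwards every ARP packet, so it should only be used for switch-to-switch links, never for a room switch that end hosts plug into directly; and the model only looks at ARP, which is exactly what DAI inspects on a real switch, so it is a binding check rather than a full NAC.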

Thank you very much, Tom, for your great support. I will try Dynamic ARP Inspection after some training.
