Hi all, I am brand new to switching, so I need all of your advice. I want to set up MAC security. I have 6 switches (1 x 3750 and 5 x 2960). I want only my organization's clients to be able to plug into a switch port; if a client brings their own PC and plugs it into the switch, the port should shut down. I know that port security with sticky MAC can do this, but I have a special exception: if one day I want to move a client PC that is allowed to plug into a switch to a different switch in the organization, it should still be able to plug in and get access automatically. My idea is to create a MAC security database on the 3750 switch, but I don't know how to do it, and I need all of you to advise me.
Are you really trying to accomplish this in a production environment? I would just spoof the MAC address on the machine I'm moving temporarily to get it online under those circumstances. And you can just use a Linksys router to map static IP addresses to MAC addresses and deny everything else.
1. You want to lock down PCs. You only want PCs that are authorized to be on the network to connect. If a client brings in their own PC and plugs it into the network, you want to be able to stop it from connecting. 802.1x would be the method of choice for this, but it seems you don't want to do this.
2. Sticky MAC would be the second easiest to use. But again, what if you have a port that's "up" with nothing attached, and they plug in their own PC? Their MAC will be captured and stuck via sticky MAC, and away they go. So that solves nothing really. BUT if you need to move a legitimate PC from one switch to another, that's fine. Sticky MAC looks at the switch, period. It does not look at other switches, so moving from one switch to another will not block anything. And if you have it set up to refresh the port every so often, it will flush old MAC addresses. But then someone can come along and put in a rogue device, because sticky MAC will allow it!
Here's the best recommendation:
Shut every port
Open up only those that require access.
Make sure you restrict the port to only 1 MAC address (to prevent hub attachment).
Make it sticky to help a tad with administration.
Be proactive with your port access! If someone moves, you control whether the port is up or down. If it's down and they need to move, you bring it up. They plug their authorized PC into the port, and away they go. If they try to swap in a home PC, the port will shut down, as you've allowed only 1 sticky MAC per port.
If you really want to get tight with security, manually enter each MAC address as a static address. But I'd suggest sticky.
But again, the best bet is to use 802.1x to reduce admin overhead.
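The procedure in the answer above (shut every port, open only the ones that need access, one sticky MAC per port, violation shuts the port) as an added Cisco IOS configuration example. This is not from the original thread; the interface names (GigabitEthernet1/0/1-48 as on a 3750; a 2960 uses FastEthernet0/x or GigabitEthernet0/x), VLAN 10, the placeholder MAC 0011.2233.4455 and the 300-second recovery interval are assumptions chosen for illustration:

```cisco
! --- Step 1: administratively shut every access port on the switch ---
interface range GigabitEthernet1/0/1 - 48
 shutdown
!
! --- Step 2: open only a port that needs access, locked to one MAC ---
interface GigabitEthernet1/0/10
 description Authorized workstation (assumed example port)
 switchport mode access
 switchport access vlan 10
 ! port-security is rejected on a dynamic (DTP) port, hence "mode access" above
 switchport port-security
 switchport port-security maximum 1
 ! learn the first MAC seen and write it into running-config
 switchport port-security mac-address sticky
 ! shutdown (err-disable) is the default violation action; stated for clarity
 switchport port-security violation shutdown
 spanning-tree portfast
 no shutdown
!
! --- Stricter variant: pin the MAC statically instead of learning it ---
interface GigabitEthernet1/0/11
 description Authorized workstation, static MAC (assumed example)
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address 0011.2233.4455
 switchport port-security violation shutdown
 spanning-tree portfast
 no shutdown
!
! --- Optional: let an err-disabled port recover on its own after 300 s ---
! Leave this out if you want a violated port to stay down until an admin
! does "shutdown" / "no shutdown" on it by hand.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
end
!
! Sticky addresses live in running-config; save them or they are lost on reload.
write memory
!
! --- Verification commands ---
show port-security
show port-security interface GigabitEthernet1/0/10
show port-security address
show interfaces status err-disabled
show errdisable recovery
```

Two caveats a practitioner will hit: the sticky MAC is learned from the first frame the port sees after `no shutdown`, so bring the port up only once the authorized PC is already cabled in, and the learned entry is per switch, so moving a PC to another switch means the receiving port learns it fresh and the old port keeps a stale entry until you clear it with `clear port-security sticky interface <name>`. A truly central list of allowed MACs across all six switches needs an authentication server (802.1x, or MAC authentication bypass against RADIUS), not port security alone.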