Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

MAC Address Security

Hi dear, i am new born switching. So i need all your advise to me.Actually, I want to create MAC security. I have 6 switches(1 3750, and 5 2960). I want only my clients in the organization can plug to switch port, if clients bring their own PC and plug to switch, the port is shutdown. I know that
port security sticky can do this, but i have special exception. If want one day, i want move PC client that is allow to plug to switch, move to different switches in the organization, they still can plug and access automatically. My idea is to create Database MAC security on switch 3750. But
i don know how to do. and need all of you to advise me.
 

  • LAN Switching and Routing
5 REPLIES
New Member

 Are you really trying to

 

Are you really trying to accomplish this in a production environment?  As I would just spoof the mac address on the machine I'm moving temporarily to get it online under those circumstances.  And you can just use a Linksys router to specify static ip addresses to mac addresses, and deny everything else.

 

 

New Member

in case, i don have linksys

in case, i don have linksys router. in my enviroment have only switching. please understanding.

New Member

In simple terms:1. You want

In simple terms:

1. You want to lock-down PC's. You only want PC's that are authorized to be on the network to connect. If a client brings in their own PC and plugs it into the network, you want to be able to stop it from connecting. 802.1x would be the method of choice for this. But you dont want to do this it seems.

 

2. Sticky mac would be the 2nd easiest to use. But again, what if you have a port that's "up", but nothing attached, and they plug in their own PC? Well, their MAC will be captured and stuck via sticky mac, and away they go. So that solves nothing really. BUT, if you need to move a legitimate PC from one switch to another, that's fine. Sticky mac looks at the switch, period. It does not look at other switches. So moving from one switch to another will not block anything. And if you have it set-up to refresh the port every so often, it will flush old mac addresses. But then, someone can come along and put in a rogue device because sticky-mac will allow it!

 

Here's the best recommendation:

Shut every port

Open up only those that require access.

Make sure you restrict the port for only 1 mac address (to prevent hub attachment).

Put it sticky to help a tad with administration.

Be proactive with your port access! If someone moves, you control whether the port is up/down. If it's down, and they need to move, you put it up. They plug their authorized PC into the port, and away they go. If they try and swap for a home PC, it will shut down as you've allowed only 1 mac per port to be sticky.

 

If you really want to get tight with security, manually put in each mac address as a static address. But I'd suggest sticky.

But again, the best bet is to use 802.1x to prevent admin overhead.

HelloPlease refer to this CCO

Hello

Please refer to this CCO documentation - 802.1x port based authentication allows the use of guest vlans for unauthorized users

res

Paul

Please don't forget to rate any posts that have been helpful. Thanks.
New Member

This one seem to work

This one seem to work effective, but do u have other way beside this as i told you above.
Client can plug every switch and still access to network

82
Views
5
Helpful
5
Replies